Sea surfing in asp.net mvc

SEA-SURFING IN ASP.NET MVC BARTOSZ LENAR


Transcript of Sea surfing in asp.net mvc

Page 1: Sea surfing in asp.net mvc

SEA-SURFING IN ASP.NET MVC

BARTOSZ LENAR

Page 2: Sea surfing in asp.net mvc

THE PLAN

BASICS

http requests

authentication

cookies

session

SEA-SURFING

unfixable bug

hacking the system

csrf attack

token-based defence

SPA

problems

server-side layer

client-side layer

Page 3: Sea surfing in asp.net mvc

FIDDLER

responses

requests

Page 4: Sea surfing in asp.net mvc

HTTP

REQUEST

Method

Version

Host

Rest as key-value pairs:

Accept

Cache-control

BODY

RESPONSE

Status code

Version

Date

Rest as key-value pairs:

Content-type

Content-length

BODY

Page 5: Sea surfing in asp.net mvc

COOKIES

exist in headers as another key-value pair "with parameters"

cookies consist of

name

value

domain & path

expiration date

restrictions (security)

Page 6: Sea surfing in asp.net mvc

COOKIES SCENARIO

1. client sends request to example.org

2. server responds with cookie visited: true

3. client saves visited:true for example.org

4. client sends request to example.org with visited:true cookie in headers

5. server knows that client visited this page earlier

Page 7: Sea surfing in asp.net mvc

HTTP REQUESTS AND COOKIES

Page 8: Sea surfing in asp.net mvc

WEB AUTHENTICATION

authentication system

authorize once at the beginning

use the system all the time

but http protocol is stateless!

every request is independent

how to simulate the states?

how to identify request from the specific user?

Page 9: Sea surfing in asp.net mvc

STATES SCENARIO

1. client sends first request to example.org

2. server generates über-random identifier

3. server sends it back in cookie: UserId: QB32SDXC8

4. client saves UserId:QB32S… for example.org

5. client sends next request to example.org with UserId: QB32SDXC8 cookie in headers

Page 10: Sea surfing in asp.net mvc

SESSION

so far: server is able to distinguish users

session: server-side bag for user data

key: previously generated identifier stored in cookie

like QB32SDXC8

value: yet another dictionary

user-specific data like name, address, etc.

security and access data like roles, privileges, etc.

forms

Page 11: Sea surfing in asp.net mvc

HACK THE SYSTEM

do we want to be an authorized user?

no! we want to act like one!

to hack the system = to "steal" someone’s session

maybe "someone” is:

facebook user – we have all his private data, photos, etc.

bank user – we know how much money he has

admin – we can do anything

Page 12: Sea surfing in asp.net mvc

SESSION HIJACKING

system/browser backdoor

steal the cookie from memory

xss

sidejacking

man-in-the-middle

fixation

send the user a URL with a session id: http://example.org/?&sessionId=QB32SDXC8

wait for the user to log in

riding – our topic

Page 13: Sea surfing in asp.net mvc

THE ROAD TO SESSION RIDING

we want to download data stored under http://example.org/admin/secret

let’s think:

authentication & authorization is based on session

session is based on cookies

cookies are being sent to example.org with every request

how about we prepare a website that sends request to the specified path?

Page 14: Sea surfing in asp.net mvc

LET’S TRY TO GET THE ADMIN’S SECRET

Page 15: Sea surfing in asp.net mvc

LET’S TRY TO GET THE ADMIN’S SECRET

what actually happened?

1. browser downloads the entire DOM tree

2. img node is being located

3. browser automatically sends GET request to download the image

but… there is no image at the end

nevertheless, browser attached all cookies dedicated to example.org

<img src="http://example.org/admin/secret" />

Page 16: Sea surfing in asp.net mvc

LET’S TRY TO DO THE ADMIN’S JOB

GET shouldn’t change anything

http://example.org/admin/delete-user/?&username=admin

you’re doing it WRONG!

let’s mess with POST / DELETE / PUT …

Page 17: Sea surfing in asp.net mvc

LET’S TRY TO DO THE ADMIN’S JOB

Page 18: Sea surfing in asp.net mvc

BUILDING THE FIREWALL

how browser works:

attacker is able to send cookies with the request …

… but is not able to see them!

Page 19: Sea surfing in asp.net mvc

ANTI-FORGERY TOKEN – HOW IT’S MADE

1. client sends request to example.org

2. server generates über-random identifier: J723SDA

3. server sends it back inside the form and in the cookie

AntiForgeryToken=J723SDA

<input name="_token" type="hidden" value="J723SDA" />

Page 20: Sea surfing in asp.net mvc

ANTI-FORGERY TOKEN – HOW IT WORKS

1. sends request to example.org containing:

• cookie with token: J723SDA

• form value with token: J723SDA

2. validates the request:

• token in cookie is present? true

• token in form is present? true

• do they match each other? true

all true? it’s valid!

Page 21: Sea surfing in asp.net mvc

ANTI-FORGERY TOKEN – HOW IT SECURES

1. sends request to example.org containing:

• cookie with token: J723SDA

• form value with token: ??????????

2. validates the request:

• token in cookie is present? true

• token in form is present? false

• do they match each other? false

all true? no! respond with 403 Forbidden

Page 22: Sea surfing in asp.net mvc

DO THE TRICK IN ASP.NET MVC

Page 23: Sea surfing in asp.net mvc

EVEN MORE SECURE

create a keyword based on:

action-specific and user-specific data

application, server, etc.

our keyword: "BARTEK"

hash the keyword: (0BDE667AA88E8832B61BF68C0D4E34A4) and split it:

0BDE667AA88E8832 goes into cookie

B61BF68C0D4E34A4 goes into form

on request, compute the keyword once again and validate the tokens

Page 24: Sea surfing in asp.net mvc

PROBLEMS

strongly relies on browser security

doesn’t work with GET requests

is it a problem in pure, REST service?

to disable cookies = to disable all communication

site vulnerable to XSS = we’re doomed

Page 25: Sea surfing in asp.net mvc

SINGLE PAGE APPS - PROBLEMS

forms are pre-generated

which form is going to be triggered next?

Page 26: Sea surfing in asp.net mvc

API WRAPPER – CLIENT SIDE

write wrapper for all ajax communication (GET, POST, PUT, DELETE)

requestSettings contains method, data, etc.

```javascript
ApiWrapper.prototype._SendRequest = function (requestSettings) {
    var self = this;
    // attach the current token to every request as a header
    requestSettings.headers = requestSettings.headers || {};
    requestSettings.headers["Token"] = self.Token;

    return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) {
        // jQuery passes jqXHR as the 3rd argument on success and as the 1st on failure
        var jqXHR = (textStatus !== "success") ? arg1 : arg2;
        // adopt the token the server issued for the next request
        self.Token = jqXHR.getResponseHeader("Token");
        document.cookie = "Token=" + self.Token + ";";
    });
};
```

Page 27: Sea surfing in asp.net mvc

API WRAPPER – SERVER SIDE

keep tokens in cache/database

nosql

custom ValidateAntiForgeryTokenAttribute

validates token from cookie and header

updating token if necessary

Page 28: Sea surfing in asp.net mvc

API WRAPPER - USAGE

write wrapper for all ajax communication (GET, POST, PUT, DELETE)

return jqXHR from all functions

```javascript
api.Get('customers/' + customerId).success(function (data) {
    self.Customer(data);
});

api.Post('customers/' + customerId, editedData).success(function () {
    message.ReportSuccess();
});
```

Page 29: Sea surfing in asp.net mvc

SEA-SURFING IN ASP.NET MVC

QUESTIONS-SURFING

Fiddler: http://www.telerik.com/fiddler

Icons: http://www.visualpharm.com/

BARTOSZ LENAR

[email protected]

@bartoszlenar