SEA-SURFING IN ASP.NET MVC
BARTOSZ LENAR
THE PLAN
BASICS
http requests
authentication
cookies
session
SEA-SURFING
unfixable bug
hacking the system
csrf attack
token-based defence
SPA
problems
server-side layer
client-side layer
FIDDLER
responses
requests
HTTP
REQUEST
Method
Version
Host
Rest as key-value pairs:
Accept
Cache-control
…
BODY
RESPONSE
Status code
Version
Date
Rest as key-value pairs:
Content-type
Content-length
…
BODY
COOKIES
exist in headers as another key-value pair "with parameters"
cookies consist of
name
value
domain & path
expiration date
restrictions (security)
COOKIES SCENARIO
1. client sends request to example.org
2. server responds with cookie visited: true
3. client saves visited:true for example.org
4. client sends request to example.org with visited:true cookie in headers
5. server knows that client visited this page earlier
HTTP REQUESTS AND COOKIES
WEB AUTHENTICATION
authentication system
authorize once at the beginning
use the system all the time
but http protocol is stateless!
every request is independent
how to simulate the states?
how to identify request from the specific user?
STATES SCENARIO
1. client sends first request to example.org
2. server generates über-random identifier
3. server sends it back in cookie UserId: QB32SDXC8
4. client saves UserId:QB32S… for example.org
5. client sends next request to example.org with UserId: QB32SDXC8 cookie in headers
SESSION
so far: server is able to distinguish users
session: server-side bag for user data
key: previously generated identifier stored in cookie
like QB32SDXC8
value: yet another dictionary
user-specific data like name, address, etc.
security and access data like roles, privileges, etc.
forms
HACK THE SYSTEM
do we want to be an authorized user?
no! we want to act like one!
to hack the system = to "steal" someone’s session
maybe "someone" is:
facebook user – we have all his private data, photos, etc.
bank user – we know how much money he has
…
admin – we can do anything
SESSION HIJACKING
system/browser backdoor
steal the cookie from memory
xss
sidejacking
man-in-the-middle
fixation
send the user a URL with a session id: http://example.org/?&sessionId=QB32SDXC8
wait for the user to log in
riding – our topic
THE ROAD TO SESSION RIDING
we want to download data stored under http://example.org/admin/secret
let’s think:
authentication & authorization is based on session
session is based on cookies
cookies are being sent to example.org with every request
how about we prepare a website that sends request to the specified path?
LET’S TRY TO GET THE ADMIN’S SECRET
LET’S TRY TO GET THE ADMIN’S SECRET
what actually happened?
1. browser downloads the entire DOM tree
2. img node is being located
3. browser automatically sends GET request to download the image
but… there is no image at the end
nevertheless, the browser attached all cookies belonging to example.org
<img src="http://example.org/admin/secret" />
LET’S TRY TO DO THE ADMIN’S JOB
GET shouldn’t change anything
http://example.org/admin/delete-user/?&username=admin
you’re doing it WRONG!
let’s mess with POST / DELETE / PUT …
LET’S TRY TO DO THE ADMIN’S JOB
BUILDING THE FIREWALL
how browser works:
attacker is able to send cookies with the request …
… but is not able to see them!
ANTI-FORGERY TOKEN – HOW IT’S MADE
1. client sends request to example.org
2. server generates über-random identifier: J723SDA
3. server sends it back inside the form and in the cookie
AntiForgeryToken=J723SDA
<input name="_token" type="hidden" value="J723SDA" />
ANTI-FORGERY TOKEN – HOW IT WORKS
1. sends request to example.org containing:
• cookie with token: J723SDA
• form value with token: J723SDA
2. validates the request:
• token in cookie is present? true
• token in form is present? true
• do they match each other? true
all true? it’s valid!
ANTI-FORGERY TOKEN – HOW IT SECURES
1. sends request to example.org containing:
• cookie with token: J723SDA
• form value with token: ??????????
2. validates the request:
• token in cookie is present? true
• token in form is present? false
• do they match each other? false
all true? no! respond with 403 Forbidden
DO THE TRICK IN ASP.NET MVC
EVEN MORE SECURE
create a keyword based on:
action-specific and user-specific data
application, server, etc.
our keyword: "BARTEK"
hash the keyword: (0BDE667AA88E8832B61BF68C0D4E34A4) and split it:
0BDE667AA88E8832 goes into cookie
B61BF68C0D4E34A4 goes into form
on request, compute the keyword once again and validate the tokens
PROBLEMS
strongly relies on browser security
doesn’t work with GET requests
is it a problem in a pure REST service?
to disable cookies = to disable all communication
site vulnerable to XSS = we’re doomed
SINGLE PAGE APPS - PROBLEMS
forms are pre-generated
which form is going to be triggered next?
API WRAPPER – CLIENT SIDE
write wrapper for all ajax communication (GET, POST, PUT, DELETE)
requestSettings contains method, data, etc.
```javascript
ApiWrapper.prototype._SendRequest = function (requestSettings) {
    var self = this;
    // attach the current anti-forgery token as a custom "Token" header
    requestSettings.headers = requestSettings.headers || {};
    requestSettings.headers["Token"] = self.Token;
    return $.ajax(requestSettings).always(function (arg1, textStatus, arg2) {
        // .always() passes (data, textStatus, jqXHR) on success and (jqXHR, textStatus, errorThrown) on failure
        var jqXHR = (textStatus !== "success") ? arg1 : arg2;
        // the server may rotate the token; keep the new one and mirror it into the cookie
        self.Token = jqXHR.getResponseHeader("Token");
        document.cookie = "Token=" + self.Token + ";";
    });
};
```
API WRAPPER – SERVER SIDE
keep tokens in cache/database
nosql
custom ValidateAntiForgeryTokenAttribute
validates token from cookie and header
updating token if necessary
API WRAPPER - USAGE
write wrapper for all ajax communication (GET, POST, PUT, DELETE)
return jqXHR from all functions
```javascript
api.Get('customers/' + customerId).success(function (data) {
    self.Customer(data);
});
api.Post('customers/' + customerId, editedData).success(function () {
    message.ReportSuccess();
});
```
SEA-SURFING IN ASP.NET MVC
QUESTIONS-SURFING
Fiddler: http://www.telerik.com/fiddler
Icons: http://www.visualpharm.com/
BARTOSZ LENAR
@bartoszlenar