2. About Me
Paulius Leščinskas
Pod owner @ Adform
http://lescinskas.lt
Paulius.Lescinskas@gmail.com
@lescinskas
https://www.linkedin.com/in/pluton
3. Cross-site request forgery
(CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the
victim’s session cookie and any other automatically included authentication information, to a
vulnerable web application. This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the victim.
Thank you http://www.seclab.cs.sunysb.edu/seclab/jcsrf/ for the image.
4. Cross-site request forgery
(CSRF)
Typical impact:
• Initiate transactions (modify data)
• Access sensitive data
Prerequisite: the victim MUST be logged in to the target system.
Typical example:
<img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
8. Cross-site request forgery
(CSRF)
The same data is encoded differently in the raw HTTP body, e.g.:
Name: John Doe
Text: 1 + 2 = 3
• Via HTML form (application/x-www-form-urlencoded):
Name=John+Doe&Text=1+%2B+2+%3D+3
• Using RESTful Web API formatted as JSON:
{"Name": "John Doe", "Text": "1 + 2 = 3"}
10. Cross-site request forgery
(CSRF)
All HTTP methods (GET/POST/PUT/PATCH/DELETE ...) with any data encoding can be called from JavaScript
(XMLHttpRequest, aka XHR, aka Ajax) if the target's Cross-origin resource sharing (CORS) headers allow
XHR calls from any location:
OPTIONS /foo/bar
Host: example.com
Origin: http://foo.com
Vulnerable if the response contains:
Access-Control-Allow-Origin: *
jQuery example:
$.ajax({
  url: 'http://example.com/foo/bar',
  type: 'DELETE',
  data: {"id": 1},
  success: function(result) {
    // Do something with the result
  }
});
12. Cross-site request forgery
(CSRF)
Example 4 (any HTTP-based request using ActionScript):
import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.net.URLRequestMethod;
import flash.net.URLRequestHeader;
import flash.net.URLLoader;
var loader:URLLoader = new URLLoader();
var req:URLRequest = new URLRequest("http://www.example.com/deleteUser");
var header:URLRequestHeader = new URLRequestHeader("Origin", "http://www.test.com"); // Setting the Origin header was possible until Flash 9 or so
req.requestHeaders.push(header);
req.method = URLRequestMethod.DELETE;
req.contentType = 'application/json';
req.data = '{"id": 1}';
loader.load(req);
13. Cross-site request forgery
(CSRF)
... works if example.com has a crossdomain.xml like:
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
9 of the Lithuanian TOP10 websites have such a crossdomain.xml
…mostly to load assets from flash-based banner ads.
... also, you can access ActionScript objects, functions and properties of a SWF file
hosted on another domain if that file calls Security.allowDomain("*");
(Cross-scripting)
14. Cross-site request forgery
(CSRF)
Countermeasures
● Synchronizer token pattern!
● Check Origin header
● Appropriate CORS headers
● Appropriate crossdomain.xml rules
● Short-living sessions (only reduces likelihood)
Very hard (impossible?) to prevent CSRF if the website has XSS vulnerabilities
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
18. ClickJacking
Countermeasures
Framebusting: X-Frame-Options (XFO) response HTTP header or meta http-equiv tag
X-Frame-Options: DENY (disallows the page to be loaded in an IFRAME)
X-Frame-Options: SAMEORIGIN (allows the page to be loaded in an IFRAME from the same origin)
X-Frame-Options: ALLOW-FROM https://trusted.domain (allows the page to be loaded from specific origins; unsupported by Chrome and Safari!)
Worldwide usage:
Facebook: DENY, Twitter: SAMEORIGIN, GitHub: DENY, 60% of Alexa Top 10 use framebusting...
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (+more defense techniques)
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options