This document discusses cross-site request forgery (CSRF) and how to prevent it. It begins by explaining what CSRF is and how it exploits the victim's existing authentication to make requests on their behalf. It then demonstrates CSRF by having the user unknowingly click a link that performs actions on another site they are logged into. The document discusses how GET requests, POSTs, and JavaScript can all enable CSRF. It recommends making requests unique and non-repeatable to prevent CSRF. For Web Forms it suggests tying ViewState to the session ID, and for MVC using anti-forgery tokens that combine a cookie value and a form value. Code demos are provided for CSRF prevention in web forms and M
1. SEA SURFING
HOW VULNERABLE IS MY WEB APPLICATION
FROM A DEVELOPER’S ANGLE…
Dilan Warnakulasooriya Asanka Fernandopulle
Information Security Engineer Senior Software Engineer
99X Technology 99X Technology
2. What is it?
Cross Site Request Forgery – Sea Surrrrrfff
Attacker exploits the fact that the victim is authenticated to a website
Identifying the attacker can be difficult
What can it do?
Proxy requests/commands for the attacker from the victim’s browser
Even POSTs can be forged as GET requests in some cases
Web forms One Click Demo in module
January 1, 2013 99X Technology(c) 2
3. How is it exploited?
Can be very simple – image link in an email, script on a blog, a simple link
Attacker gets the user to
Click a specially crafted link (or inject JavaScript into a site the victim visits)
Execute a request (can be as simple as requesting an image URL in an email)
Innocently browse a web site
Can users include hrefs or image links on your site? They can link to a bad URL
Ever click “view images” in an email?
All browsers happily send over credentials if the user is already logged on
If already logged in (forms auth) the cookie is sent over even for an image request
Some are invisible! IE default setting
4. CSRF – HOW IS IT EXPLOITED?
DEMO
5. CSRF – HOW IS IT EXPLOITED?
DEMO – Repeatability is the key
6. CSRF – HOW IS IT EXPLOITED?
DEMO – Piggyback with some other attack like XSS
7. CSRF – POSTs protect me
They do, don’t they? Don’t they? Hello?
MVC CSRF via XSS
Web Forms One Click attack
Page.IsPostBack doesn’t always tell the truth
A button click doesn’t always mean someone clicked the button
8. How do you prevent it?
All Web Apps
Ensure GET only retrieves a resource (as per HTTP Spec)
No state is modified
POST/PUT/DELETE can be forged; must take additional precautions
Try to make requests unique and non-repeatable
Web forms specific
ViewStateUserKey = Session.SessionID
ViewState then acts as a form token
Must protect the session IDs (using encryption, hashing)
Pages inherit from the base web page
SSL to prevent sniffing of ViewState & SessionId
MVC Specific
Anti-Forgery token uses form value AND cookie value
SSL to prevent sniffing of the anti-forgery token
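As an added example (not the deck's demo code), this is how the two recommendations above look in ASP.NET: a base page that binds ViewState to the session so the ViewState MAC doubles as a per-user form token, and an MVC action that requires the anti-forgery token from both the form field and the cookie. The names SecureBasePage, AccountController and TransferFunds are assumed.

```csharp
using System;
using System.Web.Mvc;
using System.Web.UI;

// Web Forms: every page inherits from this base (assumed name) so ViewState
// is bound to the current session. A ViewState blob captured in another
// session no longer validates, so a replayed or forged POST fails before
// the button handler runs. The key must be set in OnInit, before
// LoadViewState is called.
public abstract class SecureBasePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        if (Session != null)   // session state may be disabled for a page
        {
            ViewStateUserKey = Session.SessionID;
        }
    }
}

// MVC: the view renders @Html.AntiForgeryToken() inside the <form>, which
// emits a hidden __RequestVerificationToken field AND a matching cookie.
// [ValidateAntiForgeryToken] rejects the POST unless both are present and
// agree. A cross-site page can make the browser send the cookie but cannot
// read or set the form value, so it cannot satisfy the check.
public class AccountController : Controller
{
    [HttpGet]
    public ActionResult TransferFunds()
    {
        // GET only renders the form; no state is modified here.
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult TransferFunds(string toAccount, decimal amount)
    {
        // Reaching this point means the token check already passed.
        // ... perform the transfer (omitted) ...
        return RedirectToAction("TransferFunds");
    }
}
```

Both protections still travel over the wire, which is why the slide pairs them with SSL: a sniffed ViewState or anti-forgery cookie defeats the check.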
9. Web Forms – CSRF Prevention
DEMO