Cross Site Request Forgery - CSRF

Emmanuel Benoist, Fall Term 2019/2020

Berner Fachhochschule | Haute ecole specialisee bernoise | Berne University of Applied Sciences 1


Table of Contents

Cross Site Request Forgery
  Widespread vulnerability
  Vulnerability?
Attacks using CSRF
  Means to reach victims
  Intranet as natural victim
  Combination XSS and CSRF
Examples of attack
  Attack: intranet from inside
Protection that does not work
  Accepting POST only
Protection
  Custom token
  CSRF prevention without a synchronizer token


Cross Site Request Forgery


Cross Site Request Forgery

Not a new attack, but simple and devastating

A CSRF attack forces a logged-on victim's browser to send a request to a vulnerable web application

Target: perform an action chosen by the attacker on behalf of the victim


Sending a request without the consent of the victim?

Insert an image in an HTML file

<img src="http://www.benoist.ch/image/test.gif">

Browser: downloads the image

GET /image/test.gif HTTP/1.1

...

An image can be generated by a PHP program (or any program)

<img src="http://www.benoist.ch/image/test.php">

Browser: downloads the image


Sending a request? (Cont.)

An image can be generated according to some parameters

<img src="/barcode.php?number=12345678901">

Browser: downloads the image

An image tag can point at something else entirely

<img src="http://www.benoist.ch/index.php?action=logout">

Browser: still sends the GET request, with the victim's cookies attached, so the victim is logged out without having clicked anything


Widespread vulnerability


Widespread vulnerability

Touches any web application that

has no authorization checks for vulnerable actions

will process an action if a default login can be given in the request

<img src="http://www.benoist.ch/doSomething?user=admin&pwd=admin">

authorizes requests based only on credentials that are automatically submitted:

cookies, if the victim is currently logged into the application
or "Remember me" functionality, if not logged into the application
or a Kerberos token, if part of an Intranet participating in integrated logon with Active Directory


State of the art

Most web applications rely solely on automatically submitted credentials:

cookies
basic authentication credentials
source IP addresses
SSL certificates
or Windows domain credentials

The vulnerability is also known as Session Riding, One-Click Attack, Cross Site Reference Forgery, Hostile Linking, and Automation Attack. The acronym XSRF is also used alongside CSRF.


Vulnerability?


Vulnerability

A typical CSRF attack directs the user to invoke some function

for instance the application's logout page

The following tag can be inserted in any page viewed by the victim

<img src="http://www.benoist.ch/logout.php">

It generates the same request as clicking on a link containing this address!

Example: online banking transfer

<img src="http://www.mybank.de/transfer.do?fromAccount=document.form.frmAcct&toAccount=4567890&amount=3434.43">

Could transfer money from the account of the user to a given account.


Attacks using CSRF


Means to reach victims


How such a link could reach a victim

The web site owner embedded JavaScript malware

The web page was defaced with embedded JavaScript malware

JavaScript malware was injected into a public area of a website (persistent XSS)

A specially crafted link was clicked on, causing the website to echo JavaScript malware (non-persistent XSS)


Intranet as natural victim


CSRF gives access to the intranet

The attacker sends requests from inside the Intranet. He doesn't have to go through the firewall: the victim's browser is already inside.

CSRF combined with JavaScript allows many requests to be sent sequentially:

JavaScript adds an image to the DOM (possibly invisible). When the request has been sent, another image is added, and so on.


The Internet is protected, but the Intranet?

You would never dare doing this on the Internet! But what about the Intranet?

Leaving hosts unpatched: servers are patched regularly, but local PCs?

Using default passwords: what is the use of changing the password, the IP address can only be reached from inside my network (192.168.x.y)

Not putting a firewall in front of a host

Everything seems OK because the perimeter firewall blocks external access

So CSRF attacks can be very fruitful


Why do CSRF attacks work?

The user's authorization credential is automatically included in any request by the browser

Typical: session cookie

The attacker doesn't need to supply that credential; it belongs to the victim's browser

The success of CSRF depends on the probability that the victim is logged in to the attacked system

Idea: attack the site the victim visits. Means: XSS


Combination XSS and CSRF


CSRF and XSS

Combine CSRF and XSS: the tag is already posted inside the vulnerable application

The risk is increased by that combination: the probability of finding a logged-in user is higher

CSRF does not require XSS: one can attack a site from another one

Any application with XSS flaws is susceptible to CSRF: a CSRF attack can exploit the XSS flaw to steal any non-automatically submitted credential (such as an anti-CSRF token)

When building defenses against CSRF attacks, you must eliminate XSS vulnerabilities


Examples of attack


Attack: intranet from inside


Vulnerability (Cont.)

Jeremiah Grossman[1] succeeded in making changes in victims' DSL routers

Even if the user doesn't know that he can configure his router ;-)

He used the router's default account name and password to perform his attack. Example (the factory password is written as DEFAULTPASSWORD):

<img src="http://admin:DEFAULTPASSWORD@192.168.1.1/">

Then you just have to reconfigure the system

<img src="http://192.168.1.1/changeDNS?newDNS=143.23.45.1">

Once the DNS has been changed, the user will never again be able to access a site securely!

[1] Talk at Black Hat 2006: "Hacking Intranet Sites from the Outside"


Details of the attack[2]

JavaScript port scanning: <script src="http://192.168.1.100/"></script>

If a web server is listening, HTML is returned, which causes a JavaScript interpreter error. Solution: capture the error! (<script ... onerror="myfunction()">)

JavaScript can loop over all the possible IP addresses of nearby hosts:

Scanning of the hosts

[2] Hacking Intranet Sites from the Outside, Jeremiah Grossman


Details of the attack (Cont.)

Recognize the server? Use a URL that is unique to each product:

Apache Web Server: /icons/apache_pb.gif

HP Printer: /hp/device/hp_invent_logo.gif

PHP image Easter egg: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42

Cycle through the unique URLs using Image DOM objects

<img src="http://192.168.1.100/unique_image_url" onerror="fingerprint()" />

If the onerror event does NOT execute, the image loaded, so the host runs the associated platform!


Details of the attack (Cont.)

Login

If already authenticated: nothing to do, access is automatic. If not: http://admin:DEFAULTPASSWORD@192.168.1.1/

Execute a command. Suppose we have the following POST form:

<form action="changePwd.php" method="POST">
  new password <input type="password" name="newpwd">
  retype new password <input type="password" name="newpwd2">
  <input type="submit" value="send">
</form>

If the server does not distinguish GET parameters from POST parameters (PHP's $_REQUEST, for instance), we can forge a URL (GET) faking this POST form:

<img src="changePwd.php?newpwd=Toto&newpwd2=Toto">

It is also possible to generate a POST using JavaScript.


Possible targets in a LAN (Intranet)

Web-enabled devices: printer, webcam, VoIP phone, WLAN access point, switch, ADSL router, etc.

Attack on a router: change the configuration password, update the DNS server => man-in-the-middle attack


Protection that does not work


Accepting POST only


Solution: only accept POST requests

GET requests are easy to generate: they require only an <img> or <script> tag, produce a valid GET request, and can carry all the required parameters

Idea: block any GET request and accept only POST requests, so the easy tags do not work anymore

DOES NOT WORK!

POST requests can be generated too (a form submitted by JavaScript), and they carry the automatic credentials just the same. The protection is useless!


Attack a page using a POST form

We want to provide a logout for the school intranet web site

The logout is done using a form. The button on the form sends a POST request

Source of https://intranet.ti.bfh.ch/index.php?id=4117&L=1

<form action="index.php?id=4117&amp;L=1" target="_top" method="post" style="margin: 0 0 0 0;">
  <table border="0">
    <tr>
      <td><p class="tx-newloginbox-pi1-username">Nom d utilisateur:</p></td>
      <td><p><strong>bie1</strong>, Benoist</p></td>
    </tr>
    <tr>
      <td></td>
      <td><input type="submit" name="submit"
                 id="tx-newloginbox-pi1-logout_submit"
                 value="Deconnexion"
                 class="tx-newloginbox-pi1-submit" />
          <input type="hidden" name="logintype" value="logout" />
          <input type="hidden" name="pid" value="4119" />
      </td>
    </tr>
  </table>
</form>


Principles of the attack

The user visits another page, suppose it is www.evil.com/mypage.html

It can be any page on the web

The page contains an invisible iframe

Its content cannot be seen. The iframe contains a page on the web site evil.com

The JavaScript on mypage.html can communicate with the iframe: they are from the same site, so the same-origin policy allows it

The iframe contains the same logout form as the school's logout page

JavaScript forces the iframe to submit the form to the school site.


The main page

Source of www.evil.com/mypage.html[3]

<h2>Logout out of the intranet of the School</h2>
<iframe id="testIFrameLogout" src="iFrameLogout.html"></iframe>
<br />
<button onclick="document.getElementById('testIFrameLogout').contentWindow.submitForm()">
  Submit form
</button>

[3] In a real attack, submitForm() is executed automatically (for instance from the iframe's onload handler) instead of from a button.


iframe content

Source of www.evil.com/iFrameLogout.html

<h1>Test For Logout</h1>
<form id="foo" action="https://intranet.ti.bfh.ch/index.php?id=4117" method="POST">
  <input type="submit" name="submit2"
         id="tx-newloginbox-pi1-logout_submit"
         value="Deconnexion" class="tx-newloginbox-pi1-submit" />
  <input type="hidden" name="logintype" value="logout" />
  <input type="hidden" name="pid" value="4119" />
</form>
<script>
  // Called from the parent page (same origin). Submitting the form makes the
  // browser POST to the intranet with the victim's session cookie attached.
  function submitForm() { document.getElementById("foo").submit(); }
</script>


Protection


Custom token


Protection

Applications must ensure that they are not relying only on credentials or tokens that are automatically submitted by browsers:

session cookies, certificates, "Remember me"...

The application should use a custom token that the browser will not "remember"

so that it cannot be included in requests sent automatically


Strategies

Ensure that there are no XSS vulnerabilities in your application

Otherwise, any protection is useless, since JavaScript could read the hidden token.

Insert custom random tokens into every form and URL; they will not be submitted automatically by the browser. Example:

<form action="/transfer.do" method="POST">
  <input type="hidden" name="383838" value="1234323433">
  ...
</form>

Then you have to verify that token on the server. The token can be unique per session or even per page. The more focused the token is, the higher the security, but the application is then much more complicated to write.
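As an added example (not code from the slides), the server side of this synchronizer token in Python. An in-memory dictionary stands in for the real session backend, the cookie name SESSID, the field name csrf_token and the handler handle_transfer are assumptions of the example, and a fake /transfer.do accepts a request only when the hidden field matches the token of the session whose cookie the browser attached. The same code shows the previous slide's point that "POST only" is no defense (the forged POST carries the cookie but not the token) and the difference between a per-session token and a per-page token that is consumed on use.

```python
import hmac
import secrets
from typing import Dict

# Constructed in-memory session store (assumption: one dict per session id;
# a real application uses its framework's session backend).
SESSIONS: Dict[str, dict] = {}


def new_session(user: str) -> str:
    """What the login page does: create a session and return its id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "page_tokens": set()}
    return sid


def session_token(sid: str) -> str:
    """Per-session token: one random value, emitted as a hidden field in every form."""
    return SESSIONS[sid]["csrf"]


def page_token(sid: str) -> str:
    """Per-page token: a fresh value for each form rendered, consumed when used."""
    tok = secrets.token_urlsafe(32)
    SESSIONS[sid]["page_tokens"].add(tok)
    return tok


def handle_transfer(method: str, cookies: dict, form: dict, per_page: bool = False) -> str:
    """Handler for /transfer.do. Returns 'ok ...' or a rejection reason.

    cookies is what the browser attaches automatically (also on forged requests);
    the token is the one value the attacker's page can neither read nor guess."""
    if method != "POST":
        return "reject: method"            # necessary, but not sufficient on its own
    sess = SESSIONS.get(cookies.get("SESSID", ""))
    if sess is None:
        return "reject: not logged in"
    tok = form.get("csrf_token", "")
    if per_page:
        if tok not in sess["page_tokens"]:
            return "reject: bad token"
        sess["page_tokens"].discard(tok)   # one-time: a replayed form is rejected
    elif not hmac.compare_digest(tok, sess["csrf"]):   # constant-time comparison
        return "reject: bad token"
    return "ok: transfer %s -> %s" % (form.get("fromAccount"), form.get("toAccount"))


def demo() -> dict:
    """Genuine request vs. the forms an attacker's page can submit."""
    sid = new_session("alice")
    browser_cookies = {"SESSID": sid}      # sent by the browser on every request to the site
    genuine = {"fromAccount": "1", "toAccount": "4567890", "amount": "3434.43",
               "csrf_token": session_token(sid)}
    forged = {"fromAccount": "1", "toAccount": "4567890", "amount": "3434.43"}
    results = {
        "genuine": handle_transfer("POST", browser_cookies, genuine),
        "forged_get": handle_transfer("GET", browser_cookies, forged),            # <img> tag
        "forged_post": handle_transfer("POST", browser_cookies, forged),          # auto-submitted form
        "forged_guess": handle_transfer("POST", browser_cookies, dict(forged, csrf_token="x")),
    }
    tok = page_token(sid)
    results["page_first"] = handle_transfer("POST", browser_cookies, dict(forged, csrf_token=tok), per_page=True)
    results["page_replay"] = handle_transfer("POST", browser_cookies, dict(forged, csrf_token=tok), per_page=True)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-13s %s" % (name, verdict))
```

The comparison uses hmac.compare_digest rather than == so that a token cannot be recovered byte by byte through timing, and the token is checked only after the session is known, so an unauthenticated forged request gives no information about any token.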


Strategies (Cont.)

For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine. Set up an external mechanism to verify requests (phone, e-mail). Notify the user of the request by e-mail.

Do not use GET requests for sensitive data or to perform value transactions

Use only POST methods when processing sensitive data from the user. The URL may however contain the random token, as this creates a unique URL, which makes CSRF almost impossible to perform

POST alone is an insufficient protection. You must combine it with random tokens


Protect your token

Disclosure of the token in the URL: if you include the token in GET requests (i.e. in the URL), it mitigates the risk of CSRF attacks, but the per-session token is exposed

URLs are exposed in: the browser history, HTTP log files, network appliances logging the first line of HTTP requests, and the Referer header transferred to third parties

A third party knowing the token: CSRF is trivial to launch, the attack can be targeted effectively (the Referer tells that the user is visiting the site), it can run entirely in JavaScript, it just needs a JavaScript call in the page.


Protect your token (Cont.)

Prevention: browsers omit the Referer when a request goes from an HTTPS page to a plain-HTTP destination. Solutions: make the web site HTTPS only, or use only POST methods for sensitive actions, and do not include the CSRF token in GET requests


Double Submit Cookies

Send a random value in both a cookie and a request parameter

The value is stored as a cookie and included as a hidden parameter in all forms. No need to store the value on the server

The server verifies: cookie value = value received in the form

The attacker can modify the form parameter, but can neither read nor modify the cookie (same-origin policy)

So the attacker cannot submit both matching elements at the same time

Solution adopted by the Java library Direct Web Remoting (DWR)
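The double-submit check as an added Python example (not DWR's code and not from the slides). The cookie name XSRF and the field name xsrf are assumptions; the verifier parses the raw Cookie header and the urlencoded POST body, exactly the two things the server has, and keeps no state. The constructed requests show a genuine submission, a forged body from evil.com that carries the victim's cookies but a value the attacker had to guess, and the two degenerate cases (field missing, cookie missing) that a sloppy implementation sometimes lets through.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def issue_double_submit_cookie() -> str:
    """Server side, at login or first form render: pick a random value, set it as a
    cookie and echo the same value into every form as a hidden field."""
    return secrets.token_urlsafe(32)


def verify_double_submit(cookie_header: str, body: str,
                         cookie_name: str = "XSRF", field_name: str = "xsrf") -> bool:
    """Accept the request only if the cookie and the form field carry the same value.

    cookie_header is the raw 'Cookie:' request header, body the urlencoded POST body.
    Both must be present and non-empty; a missing cookie or field is a rejection,
    never a pass."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if cookie_name not in jar:
        return False
    fields = parse_qs(body, keep_blank_values=True)
    submitted = fields.get(field_name, [""])[0]
    if not submitted:
        return False
    return hmac.compare_digest(jar[cookie_name].value, submitted)


def demo() -> dict:
    """Constructed requests: what the victim's browser sends in each situation."""
    token = issue_double_submit_cookie()
    # The session cookie and the XSRF cookie are attached by the browser to any
    # request to the site, whether the form came from the site or from evil.com.
    browser_cookies = "SESSID=abc123; XSRF=%s" % token
    genuine_body = "logintype=logout&pid=4119&xsrf=%s" % token
    # evil.com chooses the body freely but cannot read the victim's cookie to copy it.
    forged_body = "logintype=logout&pid=4119&xsrf=%s" % secrets.token_urlsafe(32)
    return {
        "genuine": verify_double_submit(browser_cookies, genuine_body),
        "forged": verify_double_submit(browser_cookies, forged_body),
        "missing_field": verify_double_submit(browser_cookies, "logintype=logout&pid=4119"),
        "no_cookie": verify_double_submit("SESSID=abc123", genuine_body),
    }


if __name__ == "__main__":
    print(demo())
```

The scheme stands or falls on the attacker being unable to set a cookie for the site: a host the attacker controls under the same parent domain, or a man-in-the-middle on a plain-HTTP page, can plant an XSRF cookie of its choosing and then submit the matching field. Binding the cookie value to the session (for instance an HMAC over the session id, as in the next pattern) or marking the cookie SameSite removes that gap.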


Encrypted token pattern

The server generates a token, placed in all forms as a hidden field, not stored on the server

The token contains the user's ID, a timestamp and a nonce, encrypted with a symmetric key (known only to the server)

The token is included in all requests: AJAX requests send it in the URL, non-AJAX requests include it as a hidden field

On receipt of the token, the server decrypts it and checks the values it contains: the user's ID (must match the session) and the timestamp (against replay attacks).
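An added Python example of this stateless token (not from the slides). The pattern on the slide encrypts the token; the example instead authenticates it with HMAC-SHA256 from the standard library, because the checks the server performs (signature valid, user id matches the session, timestamp fresh) are the same and nothing in the token needs to stay secret from the user. SERVER_KEY, the 15-minute validity window and the token layout base64(payload).base64(tag) are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a key known only to the server (loaded from a key store in practice).
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 900   # assumed validity window: 15 minutes


def _b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(user_id: str, now: Optional[float] = None) -> str:
    """Token = base64(payload) '.' base64(HMAC(key, payload)).
    The payload carries the user's id, a timestamp and a nonce; nothing is stored
    server side, the tag is what makes the token unforgeable."""
    ts = int(now if now is not None else time.time())
    payload = json.dumps({"uid": user_id, "ts": ts, "nonce": secrets.token_hex(8)},
                         separators=(",", ":")).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def check_token(token: str, session_user_id: str, now: Optional[float] = None) -> str:
    """Return 'ok' or the reason for rejection.
    session_user_id comes from the session cookie the browser attached; token comes
    from the hidden field (forms) or the URL parameter (AJAX)."""
    try:
        p64, t64 = token.split(".", 1)
        payload, tag = _b64d(p64), _b64d(t64)
    except (ValueError, TypeError):
        return "reject: malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "reject: bad signature"      # forged or tampered payload
    fields = json.loads(payload)
    if fields.get("uid") != session_user_id:
        return "reject: wrong user"         # token issued to another user's session
    age = (now if now is not None else time.time()) - fields.get("ts", 0)
    if age < 0 or age > TOKEN_TTL_SECONDS:
        return "reject: expired"            # replay of an old token
    return "ok"


def demo() -> dict:
    """Constructed cases: genuine use, cross-user reuse, tampering, replay, garbage."""
    t0 = 1_700_000_000
    tok = make_token("bie1", now=t0)
    # Tampering: keep the valid tag but swap in a payload of the attacker's choosing.
    forged_payload = json.dumps({"uid": "bie1", "ts": t0, "nonce": "00"},
                                separators=(",", ":")).encode()
    tampered = _b64e(forged_payload) + "." + tok.split(".", 1)[1]
    return {
        "genuine": check_token(tok, "bie1", now=t0 + 10),
        "other_user": check_token(tok, "mallory", now=t0 + 10),
        "tampered": check_token(tampered, "bie1", now=t0 + 10),
        "expired": check_token(tok, "bie1", now=t0 + TOKEN_TTL_SECONDS + 1),
        "garbage": check_token("not-a-token", "bie1", now=t0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-11s %s" % (name, verdict))
```

The timestamp bounds replay to the validity window but does not prevent it inside that window; the nonce only makes tokens distinct. If one-time use is required, the server has to remember spent nonces, which gives up the statelessness that is the point of this pattern.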


CSRF prevention without a synchronizer token


Checking the Referer header

It is trivial to spoof the Referer header, but only in your own browser: it is impossible to do so in a CSRF attack, since the victim's browser sets it. This solution is commonly used for unauthenticated requests (before login)

Weak protection against CSRF: open redirect vulnerabilities can be used to exploit GET-based requests, and some organisations (or browsers) may remove the Referer from requests (privacy protection).

Common implementation mistakes: if the attack originates from an HTTPS server, the Referer may be omitted (an attacker can also suppress it deliberately with a no-referrer referrer policy), so the lack of a Referer must itself be treated as an attack, at least for state-changing functions

The Referer can also be lightly manipulated: if the victim site is site.com, the attacker could send requests from site.com.attacker.com, which fools naive tests (prefix or substring matching).
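An added Python example (not from the slides) of a Referer check that survives the manipulations listed above, beside the naive prefix test it replaces. It parses the header with urllib.parse and compares the hostname only, so the site name appearing as a suffix, in the path or in the userinfo part of the URL does not help the attacker, and an absent Referer is rejected as the slide advises. The host intranet.ti.bfh.ch is taken from the logout example; the test cases are constructed.

```python
from urllib.parse import urlsplit

SITE_HOST = "intranet.ti.bfh.ch"   # host of the slides' logout example


def naive_referer_check(referer: str, site_host: str = SITE_HOST) -> bool:
    """The 'easy test' the slide warns about: a string prefix match."""
    return referer.startswith("https://" + site_host)


def referer_is_trusted(referer: str, site_host: str = SITE_HOST,
                       require_https: bool = True) -> bool:
    """True only if the Referer's hostname is exactly site_host.

    A missing or empty Referer is untrusted (state-changing request without a
    verifiable origin). require_https rejects plain-HTTP referers; set it to False
    for a site that is not HTTPS only."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if require_https and parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()     # hostname strips userinfo and port
    return host == site_host.lower()


# Constructed Referer values and the verdict a correct check must give.
CASES = {
    "https://intranet.ti.bfh.ch/index.php?id=4117": True,
    "https://INTRANET.ti.bfh.ch/": True,                 # case-insensitive host
    "https://intranet.ti.bfh.ch.attacker.com/": False,   # the suffix trick from the slide
    "https://attacker.com/intranet.ti.bfh.ch": False,    # site name only in the path
    "https://intranet.ti.bfh.ch@attacker.com/": False,   # site name as userinfo
    "http://intranet.ti.bfh.ch/": False,                 # downgraded scheme
    "": False,                                           # Referer stripped or absent
}


def check_cases() -> list:
    """Return the Referer values for which referer_is_trusted disagrees with CASES."""
    return [r for r, expected in CASES.items() if referer_is_trusted(r) != expected]


def naive_check_accepts_lookalike() -> bool:
    """Shows why the prefix test is not enough."""
    return naive_referer_check("https://intranet.ti.bfh.ch.attacker.com/")


if __name__ == "__main__":
    print("mismatches:", check_cases())
    print("naive check fooled:", naive_check_accepts_lookalike())
```

If subdomains must be allowed, extend the equality to host == site_host or host.endswith("." + site_host), never to a bare endswith(site_host), which would again accept evilintranet.ti.bfh.ch-style look-alikes. The same logic applies to the Origin header, which browsers send on cross-site POST requests and which is not subject to the privacy stripping mentioned for Referer.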


Challenge-Response

CAPTCHA: generate an image and verify that a human sees and interprets it; this cannot be automated in a CSRF attack

Re-authentication (password): necessary for very sensitive actions, changing the password for instance; very user-unfriendly

One-time token: the token is changed with each request


Mitigating risks from the user's point of view

Log off immediately after using a web application

Do not allow the browser to save usernames/passwords

Do not use the same browser to access sensitive applications and to surf the Internet (tabbed browsing shares the cookies between tabs)

Plugins like "NoScript" make POST-based CSRF difficult to exploit

JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript, the attacker must trick the user into doing so manually


Conclusion

Cross Site Request Forgery - CSRF exploits the trust that a site has in a user, by forging the enactor and making a request appear to come from a trusted user[4]

The server receives requests from the user's browser and thinks they were sent on purpose.

[4] Wikipedia


References

OWASP Top 10 - 2010, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

A Guide for Building Secure Web Applications and Web Services, http://www.owasp.org/index.php/Category:OWASP_Guide_Project

Hacking Intranet Sites from the Outside, Jeremiah Grossman, BlackHat 2006, http://www.whitehatsec.com/presentations/whitehat_bh_pres_08032006.tar.gz

RSnake, "What is CSRF?", http://ha.ckers.org/blog/20061030/what-is-csrf/

OWASP CSRF Prevention Cheat Sheet, https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
