(1)

Attack taxonomy

Biniam F. Demissie
Security & Trust Research Unit
Fondazione Bruno Kessler
Trento, Italy

(3)

Cross Site Request Forgery

“… is a type of attack that occurs when a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site when the user is authenticated.”

(15)

Cross Site Request Forgery

Eve wants to make Alice transfer money to her.

(20)

Cross Site Request Forgery

Alice, authenticated at mybank.com, submits a transfer on https://mybank.com/transferFunds (amount 100, accountID 123). Her browser sends:

GET /transferFunds?amount=100&accountID=123 HTTP/1.1
Host: mybank.com

Server side, the bank's transfer handler:

<?php
session_start();
// assumed login marker: a bare isset($_SESSION) is always true after session_start()
if (isset($_SESSION['user_id'])) {
    // check auth cookie & handle transfer
}
?>

(27)

Cross Site Request Forgery

Eve sends the same request herself (amount 100, accountID 123):

GET /transferFunds?amount=100&accountID=123 HTTP/1.1
Host: mybank.com
Cookie: <alice auth/session id ???>

<?php
session_start();
// assumed login marker: a bare isset($_SESSION) is always true after session_start()
if (isset($_SESSION['user_id'])) {
    // transfer will not happen because Eve does not have Alice's
    // auth/session cookies
}
?>

(32)

Cross Site Request Forgery

Alice visits Eve's page. The image tag makes her browser request the transfer URL on mybank.com:

<!DOCTYPE html>
<html>
<head>
<title>Download New Movies</title>
</head>
<body>
<img src="https://mybank.com/transferFunds?amount=100&accountID=123" />
<h2>List of movies</h2>
</body>
</html>

GET /transferFunds?amount=100&accountID=123 HTTP/1.1
Host: mybank.com

(36)

Summary

Problem: an attacker makes a user perform a sensitive action on a trusted website on which he/she is authenticated.

• Examples of sensitive actions
o /login.aspx
o /delete_user.php
o /UpdateStatus/
• Make the user perform the sensitive action

(37)

Fixing CSRF

• Make sensitive action requests unique by attaching unpredictable request identifiers (nonce, one time token)
• Use reCAPTCHAs to complete actions

(43)

Fixing CSRF

• Using nonce/one time token

Forged request caused by Eve's page: the browser attaches Alice's cookie, but Eve's page does not carry the token:

<img src="https://mybank.com/transferFunds?amount=100&accountID=123" />

GET /transferFunds?amount=100&accountID=123 HTTP/1.1
Host: mybank.com
Cookie: <alice auth/session id>

The bank's own form (amount 100, accountID 123) carries the token in a hidden field:

<input type="hidden" name="csrf_token" value="UNIQUE_CSRF_TOKEN" />

Legitimate request submitted from that form:

GET /transferFunds?amount=100&accountID=123&csrf_token=UNIQUE_CSRF_TOKEN HTTP/1.1
Host: mybank.com
Cookie: <alice auth/session id>

(45)

Fixing CSRF

• Using nonce/one time token (setting nonce)

<?php
session_start();
// one unpredictable token per session, created the first time a form page is rendered
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
$csrf_token = $_SESSION['csrf_token'];
?>
<!DOCTYPE html>
<html>
<head><title>My account</title></head>
<body>
<form>
...
<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($csrf_token); ?>" />
</form>
</body>
</html>

(52)

Fixing CSRF

• Using nonce/one time token (checking nonce)

<?php
session_start();
// token issued when the form page was rendered; absent if that page was never loaded
$csrf_token = $_SESSION['csrf_token'] ?? '';
// or $token = $_POST['csrf_token'] ?? '' for a form submitted with POST
$token = $_GET['csrf_token'] ?? '';
if ($csrf_token !== '' && $token !== '' && hash_equals($csrf_token, $token)) {
    // all ok, proceed processing data
} else {
    // possible csrf attack: token missing or mismatched, do not perform the action
    http_response_code(403);
    exit;
}
?>
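The flow of slides (20) to (52), replayed as an added example in Python (not code from the slides): a minimal stand-in for the bank's handler, once authorising on the session cookie alone and once also checking the per-session token. The session store, the account balances and the cookie value are constructed for the example; PHPSESSID is PHP's default session cookie name.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

def query(url):
    """Query parameters of a request URL, first value only (the equivalent of $_GET)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def issue_csrf_token(session):
    """Slide 45: one unpredictable token per session, rendered into the bank's own form."""
    session.setdefault("csrf_token", secrets.token_hex(32))
    return session["csrf_token"]

def transfer_vulnerable(sessions, url, cookies):
    """Slide 20: the session cookie alone authorises the transfer, whoever caused the request."""
    session = sessions.get(cookies.get("PHPSESSID"))
    if session is None:
        return 401, "not logged in"          # slide 27: Eve's own request stops here
    session["balance"] -= int(query(url)["amount"])
    return 200, "transferred"

def transfer_fixed(sessions, url, cookies):
    """Slide 52: the request must also carry the session's token, compared in constant time."""
    session = sessions.get(cookies.get("PHPSESSID"))
    if session is None:
        return 401, "not logged in"
    expected, supplied = session.get("csrf_token"), query(url).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "possible csrf attack"   # the request triggered by <img src=...> stops here
    session["balance"] -= int(query(url)["amount"])
    return 200, "transferred"

def scenario(handler):
    """Replay the deck's three requests against one handler: (status codes, Alice's balance)."""
    sessions = {"alice-sid-01": {"user_id": "alice", "balance": 500}}  # constructed server state
    token = issue_csrf_token(sessions["alice-sid-01"])   # Alice loaded the bank's real form earlier
    alice = {"PHPSESSID": "alice-sid-01"}                # attached by Alice's browser automatically
    action = "/transferFunds?amount=100&accountID=123"
    requests = [(action, {}),                              # Eve sends it herself: no cookie
                (action, alice),                           # Alice's browser, via the <img> tag
                (action + "&csrf_token=" + token, alice)]  # Alice submits the bank's own form
    codes = [handler(sessions, url, cookies)[0] for url, cookies in requests]
    return codes, sessions["alice-sid-01"]["balance"]

if __name__ == "__main__":
    print("vulnerable:", scenario(transfer_vulnerable))   # ([401, 200, 200], 300)
    print("fixed:     ", scenario(transfer_fixed))        # ([401, 403, 200], 400)
```

The vulnerable handler lets the forged request through on the strength of the cookie alone; the fixed one rejects it because Eve's page can neither read nor guess the token, while Alice's genuine submission still succeeds.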

(61)

Fixing CSRF

• Use reCAPTCHAs to complete sensitive actions
• The user first has to click on "I'm not a robot" and solve the CAPTCHA

(64)

Summary

• Make sensitive action requests unique by attaching unpredictable request identifiers (nonce, one time token)
• Use reCAPTCHAs to complete actions
• Prompt for authentication to complete a sensitive action
