cross-site request forgery collin jackson cs 142 winter 2009
TRANSCRIPT
![Page 1: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/1.jpg)
Cross-site request forgery
Collin Jackson
CS 142 Winter 2009
![Page 2: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/2.jpg)
Outline
Classic CSRFServer-side DefensesAdvanced AttacksProposals for client-side changes
![Page 3: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/3.jpg)
Data export
Many ways to send information to other origins<form action="http://www.b.com/">
<input name="data" type="hidden" value="hello"></form>
<img src="http://www.b.com/?data=hello"/>
No user involvement requiredCannot read back response
![Page 4: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/4.jpg)
Classic CSRF attack
User visits victim site site Logs in
User loads attacker's site Or encounters attacker's
iframe on another site
Attacker sends HTTP requests to victim Victim site assumes
requests originatefrom itself
![Page 5: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/5.jpg)
Classic CSRF Attack
User credentials
Cookie: SessionID=523FA4cd2E
![Page 6: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/6.jpg)
DEFENSES
![Page 7: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/7.jpg)
CSRF Defenses
Secret Validation Token
Referer Validation
Custom HTTP Header
<input type=hidden value=23a3af01b>
Referer: http://www.facebook.com/home.php
X-Requested-By: XMLHttpRequest
![Page 8: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/8.jpg)
Secret Token Validation
Requests include a hard-to-guess secret Unguessability substitutes for unforgeability
Variations Session identifier Session-independent token Session-dependent token HMAC of session identifier
See "Robust Defenses for Cross-Site Request Forgery" for a comparison of these options.
![Page 9: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/9.jpg)
Secret Token Validation
![Page 10: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/10.jpg)
Referer Validation
![Page 11: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/11.jpg)
Referer Validation Defense
HTTP Referer header Referer: http://www.facebook.com/ Referer: http://www.attacker.com/evil.html Referer:
Lenient Referer validation Doesn't work if Referer is missing
Strict Referer validaton Secure, but Referer is sometimes absent…
?
![Page 12: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/12.jpg)
Referer Privacy Problems
Referer may leak privacy-sensitive information
http://intranet.corp.apple.com/
projects/iphone/competitors.html
Common sources of blocking: Network stripping by the organization Network stripping by local machine Stripped by browser for HTTPS -> HTTP transitions User preference in browser Buggy user agents
Site cannot afford to block these users
![Page 13: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/13.jpg)
Suppression Measurement
283,945 impressions
![Page 14: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/14.jpg)
Suppression over HTTPS is low
![Page 15: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/15.jpg)
Lenient Validation Vulnerability
My site uses HTTPS, am I safe?Problem: Browsers do not append Referer if the source of the request is not an HTTP page
ftp://attacker.com/attack.htmldata:text/html,<html>…</html>javascript:'<html>…</html>'
![Page 16: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/16.jpg)
Strict Validation Problems
Some sites allow users to post forms XSS sanitization doesn't include <form> These sites need another defense
Many sites allow users to post hyperlinks Solution: Respect HTTP verb semantics GET requests have no side effects POST requests can change state
![Page 17: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/17.jpg)
Custom Header Defense
XMLHttpRequest is for same-origin requests Can use setRequestHeader within origin
Limitations on data export format No setRequestHeader equivalent XHR2 has a whitelist for cross-site requests
Issue POST requests via AJAX:
Doesn't work across domainsX-Requested-By: XMLHttpRequest
![Page 18: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/18.jpg)
ANNOUNCEMENTS
Project 2, Mac OSX Tiger
![Page 19: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/19.jpg)
ADVANCED ATTACKS
![Page 20: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/20.jpg)
Broader view of CSRF
Abuse of cross-site data export feature From user’s browser to honest server Disrupts integrity of user’s session
Why mount a CSRF attack? Network connectivity Read browser state Write browser state
Not just “session riding”
![Page 21: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/21.jpg)
Login CSRF
Attacker’scredentials
![Page 22: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/22.jpg)
Payments Login CSRF
![Page 23: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/23.jpg)
Payments Login CSRF
![Page 24: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/24.jpg)
Payments Login CSRF
![Page 25: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/25.jpg)
Payments Login CSRF
![Page 26: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/26.jpg)
Rails vs. Login CSRF
![Page 27: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/27.jpg)
Login CSRF Fails
![Page 28: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/28.jpg)
CLIENT-SIDE DEFENSES
![Page 29: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/29.jpg)
Can browsers help with CSRF?
Does not break existing sites Easy to use Hard to misuse Allows legitimate cross-site requests Reveals minimum amount of information Can be standardized
![Page 30: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/30.jpg)
Proposed Approaches
HTTP Headers Identify the source of requests Change Referer header or add a new Origin header Send more information for POST than GET Experiment: Cross-domain POSTs out of firewall accounted
for ~0.0001% of traffic Problem: Unsafe GET requests Problem: Third-party content within an origin Problem: How to handle redirects
Same-origin-only cookies Doesn't help multi-domain sites: amazon.com and
amazon.co.uk These sites could use other defenses
![Page 31: Cross-site request forgery Collin Jackson CS 142 Winter 2009](https://reader036.vdocument.in/reader036/viewer/2022081603/5697c0041a28abf838cc43cc/html5/thumbnails/31.jpg)
Conclusion
Server-side defenses are required Secret token validation – use frameworks like Rails Referer validation – works over HTTPS Custom headers – for AJAX
No easy solution User does not need to have an existing session for attacks
to work Hard to retrofit existing applications with defenses