This document discusses cross-site request forgery (CSRF) attacks and ways to both carry them out and prevent them. It explains that CSRF forces a victim's logged-in browser to generate requests to a vulnerable web application, allowing an attacker to perform unauthorized actions. It provides examples of CSRF using GET and POST requests with different data formats. Countermeasures discussed include synchronizer tokens, checking the Origin header, CORS headers, and short-lived sessions. Clickjacking is also summarized as a related attack that can bypass CSRF protections.
2. About Me
Paulius Leščinskas
Pod owner @ Adform
http://lescinskas.lt
Paulius.Lescinskas@gmail.com
@lescinskas
https://www.linkedin.com/in/pluton
3. Cross-site request forgery
(CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the
victim’s session cookie and any other automatically included authentication information, to a
vulnerable web application. This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the victim.
Thank you http://www.seclab.cs.sunysb.edu/seclab/jcsrf/ for the image.
4. Cross-site request forgery
(CSRF)
Typical impact:
• Initiate transactions (modify data)
• Access sensitive data
Prerequisite: victim MUST be logged-in to the target system.
Typical example:
<img src="http://example.com/app/transferFunds?
amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
8. Cross-site request forgery
(CSRF)
The same data will be sent differently as raw HTTP body. I.e.:
Name: John Doe
Text: 1 + 2 = 3
• Via HTML form (application/x-www-form-urlencoded):
Name=John+Doe&Text=1+%2B+2+%3D+3
• Using RESTful Web API formatted as JSON:
{"Text": "John Doe", "Text": "1 + 2 = 3"}
10. Cross-site request forgery
(CSRF)
All HTTP methods (GET/POST/PUT/PATCH/DELETE ...) with any data encoding can be called using Javascript
(XmlHttpRequest aka XHR aka Ajax), if your Cross-origin resource sharing (CORS) headers allow you to call
XHR from any location:
OPTIONS /foo/bar
Host: example.com
Origin: http://foo.com
Vulnerable if:
Access-Control-Allow-Origin: *
jQuery example:
$.ajax({
url: 'http://example.com/foo/bar',
type: 'DELETE',
data: {"id": 1}
success: function(result) {
// Do something with the result
}
});
12. Cross-site request forgery
(CSRF)
Example 4 (any HTTP-based request using ActionScript):
import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.net.URLRequestMethod;
import flash.net.URLRequestHeader;
import flash.net.URLLoader;
var loader:URLLoader = new URLLoader();
var req:URLRequest = new URLRequest("http://www.example.com/deleteUser");
var header:URLRequestHeader = new URLRequestHeader("Origin", "http://www.test.com"); // Setting Origin
header valid until Flash 9 somewhat
req.requestHeaders.push(header);
req.method = URLRequestMethod.DELETE;
req.contentType = 'application/json';
req.data = '{"id": 1}';
loader.load(req);
13. Cross-site request forgery
(CSRF)
... valid if example.com has crossdomain.xml like:
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
9/10 Lithuanian TOP10 websites has such crossdomain.xml
…mostly to load assets from flash-based banner ads.
... also, you can access ActionScript objects, functions and properties from the
SWF file, hosted on other domain, if this file has Security.allowDomain("*");
(Cross-scripting)
14. Cross-site request forgery
(CSRF)
Countermeasures
●
Synchronizer token pattern!
●
Check Origin header
●
Appropriate CORS headers
●
Appropriate crossdomain.xml rules
●
Short-living sessions (only reduces likelihood)
Very hard (impossible?) to prevent CSRF is website has XSS vulnerabilities
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
18. ClickJacking
Countermeasures
Framebusting: X-Frame-Options (XFO) response HTTP header or meta http-equiv
tag
X-Frame-Options: DENY (disallows page to be loaded in IFRAME)
X-Frame-Options: SAMEORIGIN (allows page to loaded in IFRAME from same origin)
X-Frame-Options: ALLOW-FROM https://trusted.domain (allows page to be loaded from
specific origins; unsupported by Chrome and Safari!)
Worldwide usage:
Facebook: DENY, Twitter: SAMEORIGIN, Github: DENY, 60% of Alexa Top 10 use framebusting...
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (+more defense techniques)
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options