CSRF. Danger. Detection. Defenses презентация

Октябрь 26, 2021

Главная
Информатика
CSRF. Danger. Detection. Defenses

Содержание

2. Overview Discussion of the “Same Origin Policy” Overview of the “Sleeping Giant” The Introduction of 2
3. The Browser “Same Origin” Policy bank.com blog.net XHR XHR document, cookies TAG TAG JS
4. Cross-Site Request Forgery bank.com attacker’s post at blog.net Go to Transfer Assets https://bank.com/fn?param=1 Select FROM Fund
5. How Does CSRF Work? Tags Autoposting Forms XmlHttpRequest Subject to same origin policy
6. Credentials Included bank.com blog.net https://bank.com/fn?param=1 JSESSIONID=AC934234…
7. New Tool: OWASP CSRFTester Test your applications for CSRF Record and replay transactions Tune the recorded
8. DEMO: OWASP CSRFTester
9. What Can Attackers Do with CSRF? Anything an authenticated user can do Click links Fill out
10. Using CSRF to Attack Internal Pages attacker.com internal.mybank.com Allowed! CSRF Internal Site TAG internal browser
11. Misconceptions – Defenses That Don’t Work Only accept POST Stops simple link-based attacks (IMG, frames, etc.)
12. New Tool: OWASP CSRFGuard 2.0 User (Browser) 1. Add token with regex 2. Add token with
13. DEMO: OWASP CSRFGuard 2.0
14. Similar Implementations PHP CSRFGuard PHP Implementation of CSRFGuard http://www.owasp.org/index.php/PHP_CSRF_Guard JSCK PHP & JavaScript implementation http://www.thespanner.co.uk/2007/10/19/jsck/
15. DEMO: Cross-Site Scripting vs. CSRFGuard
16. Enterprise CSRF Mitigation Strategy Balance Between Security, Usability, and Cost MISSION CRITICAL FUNCTIONS EVERYDAY BUSINESS FUNCTIONS
17. http://www.owasp.org/index.php/Cross-Site_Request_Forgery http://www.cgisecurity.com/articles/csrf-faq.shtml http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2
18. Extra: How Widespread Are CSRF Holes? Very likely in most web applications Including both intranet and
19. Extra: Real World CSRF Examples
21. Скачать презентацию

Слайд 2

Overview
Discussion of the “Same Origin Policy”
Overview of the “Sleeping Giant”
The Introduction of
2 New

OWASP Tools
A Series of New WebGoat Labs
Enterprise CSRF Mitigation Strategy

Слайд 3

The Browser “Same Origin” Policy
bank.com
blog.net
XHR
XHR
document, cookies
TAG
TAG
JS

Слайд 4

Cross-Site Request Forgery
bank.com
attacker’s post at blog.net
Go to Transfer Assets
https://bank.com/fn?param=1
Select FROM Fund
https://bank.com/fn?param=1
Select

TO Fund
https://bank.com/fn?param=1

Select Dollar Amount
https://bank.com/fn?param=1

Submit Transaction
https://bank.com/fn?param=1

Confirm Transaction
https://bank.com/fn?param=1

Слайд 5

How Does CSRF Work?
Tags

<br><script src=“https://bank.com/fn?param=1”><br>Autoposting Forms<br><body onload="document.forms[0].submit()"><br><form method="POST" action=“https://bank.com/fn”><br> <input type="hidden"</div></h3></h3><div class="slides-content">name="sp" value="8109"/><br></form><br>XmlHttpRequest<br>Subject to same origin policy<br></div></div></div><div class="slides-wrapper"><div id="slide6" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-5.jpg" target="_blank" rel="noopener">Слайд 6</a><h3 class="slides-content text-center font-bold"><div><p>Credentials Included<br><p>bank.com<br><p>blog.net<br><p>https://bank.com/fn?param=1<br>JSESSIONID=AC934234…<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide7" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-6.jpg" target="_blank" rel="noopener">Слайд 7</a><h3 class="slides-content text-center font-bold"><div><p>New Tool: OWASP CSRFTester<br><p>Test your applications for CSRF<br>Record and replay transactions<br>Tune the recorded</div></h3></h3><div class="slides-content">test case<br>Run test case with exported HTML document <br>Test case alternatives<br>Auto-Posting Forms<br>Evil iFrame<br>IMG Tag<br>XMLHTTPRequest<br>Link<br></div></div></div><div class="slides-wrapper"><div id="slide8" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-7.jpg" target="_blank" rel="noopener">Слайд 8</a><h3 class="slides-content text-center font-bold"><div><p>DEMO: OWASP CSRFTester<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide9" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-8.jpg" target="_blank" rel="noopener">Слайд 9</a><h3 class="slides-content text-center font-bold"><div><p>What Can Attackers Do with CSRF?<br><p>Anything an authenticated user can do<br>Click links<br>Fill out</div></h3></h3><div class="slides-content">and submit forms<br>Follow all the steps of a wizard interface<br>No restriction from same origin policy, except…<br>Attackers cannot read responses from other origins<br>Limited on what can be done with data<br>Severe impact on accountability<br>Log entries reflect the actions a victim was tricked into executing<br></div></div></div><div class="slides-wrapper"><div id="slide10" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-9.jpg" target="_blank" rel="noopener">Слайд 10</a><h3 class="slides-content text-center font-bold"><div><p>Using CSRF to Attack Internal Pages<br><p>attacker.com<br><p>internal.mybank.com<br><p>Allowed!<br><p>CSRF<br><p>Internal Site<br><p>TAG<br><p>internal browser<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide11" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-10.jpg" target="_blank" rel="noopener">Слайд 11</a><h3 class="slides-content text-center font-bold"><div><p>Misconceptions – Defenses That Don’t Work<br><p>Only accept POST<br>Stops simple link-based attacks (IMG, frames,</div></h3></h3><div class="slides-content">etc.)<br>But hidden POST requests can be created with frames, scripts, etc…<br>Referer checking<br>Some users prohibit referers, so you can’t just require referer headers<br>Techniques to selectively create HTTP request without referers exist<br>Requiring multi-step transactions<br>CSRF attack can perform each step in order<br>URL Rewriting<br>General session id exposure in logs, cache, etc.<br>None of these approaches will sufficiently protect against CSRF!<br></div></div></div><div class="slides-wrapper"><div id="slide12" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-11.jpg" target="_blank" rel="noopener">Слайд 12</a><h3 class="slides-content text-center font-bold"><div><p>New Tool: OWASP CSRFGuard 2.0<br><p>User<br>(Browser)<br><p>1. Add token with regex<br><p>2. Add token with HTML</div></h3></h3><div class="slides-content">parser<br><p>3. Add token in browser with Javascript<br>Adds token to:<br>href attribute<br>src attribute<br>hidden field in all forms<br>Actions:<br>Log<br>Invalidate<br>Redirect<br><p>http://www.owasp.org/index.php/CSRFGuard <br></div></div></div><div class="slides-wrapper"><div id="slide13" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-12.jpg" target="_blank" rel="noopener">Слайд 13</a><h3 class="slides-content text-center font-bold"><div><p>DEMO: OWASP CSRFGuard 2.0<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide14" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-13.jpg" target="_blank" rel="noopener">Слайд 14</a><h3 class="slides-content text-center font-bold"><div><p>Similar Implementations<br><p>PHP CSRFGuard<br>PHP Implementation of CSRFGuard<br>http://www.owasp.org/index.php/PHP_CSRF_Guard<br>JSCK<br>PHP & JavaScript implementation<br>http://www.thespanner.co.uk/2007/10/19/jsck/<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide15" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-14.jpg" target="_blank" rel="noopener">Слайд 15</a><h3 class="slides-content text-center font-bold"><div><p>DEMO: Cross-Site Scripting vs. CSRFGuard<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide16" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-15.jpg" target="_blank" rel="noopener">Слайд 16</a><h3 class="slides-content text-center font-bold"><div><p>Enterprise CSRF Mitigation Strategy<br><p>Balance Between Security, Usability, and Cost<br><p>MISSION<br>CRITICAL<br>FUNCTIONS<br><p>EVERYDAY<br>BUSINESS<br>FUNCTIONS<br><p>LUNCH<br>MENU<br>FUNCTIONS<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide17" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-16.jpg" target="_blank" rel="noopener">Слайд 17</a><h3 class="slides-content text-center font-bold"><div>http://www.owasp.org/index.php/Cross-Site_Request_Forgery<br>http://www.cgisecurity.com/articles/csrf-faq.shtml<br>http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2<br></div></h3></h3></div></div><div class="slides-wrapper"><div id="slide18" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-17.jpg" target="_blank" rel="noopener">Слайд 18</a><h3 class="slides-content text-center font-bold"><div><p>Extra: How Widespread Are CSRF Holes?<br><p>Very likely in most web applications<br>Including both intranet</div></h3></h3><div class="slides-content">and external apps<br>Including Web 1.0 and Web 2.0 applications<br>Any function without specific CSRF defenses is vulnerable<br>How do victims get attacked?<br>Victim simply opens an infected webpage, HTML file, or email<br>Single Sign On (SSO) extends “authenticated user”<br>CSRF recently found in 8 security appliances<br>Including CheckPoint<br></div></div></div><div class="slides-wrapper"><div id="slide19" class="slides-item"><h3 class="slides-heading"><a class="slides-headingLink" href="/_ipx/w_720/imagesDir/jpg/246339/slide-18.jpg" target="_blank" rel="noopener">Слайд 19</a><h3 class="slides-content text-center font-bold"><div><p>Extra: Real World CSRF Examples<br> <iframe style="display:none" src="http://www.google.com/setprefs?hl=xx-klingon&submit2=Save%20Preferences%20&prev=http://www.google.com/&q=&submit= Save%20Preferences%20">