
Practical Cross-Site Request Forgery


How does it work?

How can it be mitigated?

Does it blend?

Benjamin Scott

December 12, 2018


Transcript

  1. What is Cross-site Request Forgery?
     - An attacker tricks a victim into taking an action on a site, e.g. “Click a link to bank.com which sends money to me”
     - Built-in browser security (same-origin policy) cannot filter it out: the requests are legitimate from the browser’s POV
  2. Vulnerable Implementations
     - 1: A site implements destructive operations via GET requests, e.g. GET /delete?repository_id=42
     - 2: A site implements POST requests without a stateful token, e.g. POST /delete with repository_id=42
  3. Exploitation of Vulnerable Implementations
     - 1: GET /delete?repository_id=42: convince the user to click a link
     - 2: POST /delete with repository_id=42: convince the user to submit a form on a third-party site
     - Or combine with an XSS issue on the site to trigger the CSRF exploit without user interaction
  4. Demo
     - Vulnerable webapp that hosts arbitrary text snippets: http://google-gruyere.appspot.com/start
     - Register a user and add a snippet
     - https://google-gruyere.appspot.com/$ID/deletesnippet?index=0
     - Convince the user to visit the above link, which deletes their own post
     - Note that the issue could also be triggered via Reflected or Stored XSS in a rendered page
     - Find a Reflected XSS issue, e.g. https://google-gruyere.appspot.com/$ID/<script>var xhr = new XMLHttpRequest();xhr.open('GET', "https://google-gruyere.appspot.com/$ID/deletesnippet?index=0", true);</script>
  5. Mitigations
     - Include an unguessable CSRF token in POST requests which is unknown to an attacker, and check it on the server side
     - Generate a random number and store it in the user’s session
     - Generate a user-specific token, e.g. digest(cookie, timestamp)
     - Use a per-request token with a random nonce
     - (Or use a web framework that handles it for you)
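A server-side sketch of the first two token approaches from the mitigations slide, added here as an example (it is not code from the deck or from Gruyere). The HMAC keying with a server secret, the one-hour token lifetime and the shape of the /delete handler are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
import time

# Constructed server secret for the example; a real deployment loads it from configuration.
SERVER_SECRET = b"example-secret-key-not-for-production"
TOKEN_TTL_SECONDS = 3600


def new_session_token():
    """Slide approach 1: a random value generated at login and stored in the user's session."""
    return secrets.token_urlsafe(32)


def verify_session_token(session, submitted):
    """Check a submitted form token against the one stored in the session (constant-time compare)."""
    expected = session.get("csrf_token")
    return bool(expected) and hmac.compare_digest(expected, submitted)


def make_user_token(session_id, timestamp=None):
    """Slide approach 2: user-specific token, digest(cookie, timestamp), keyed with a server secret."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def verify_user_token(session_id, token, now=None):
    """Reject malformed, expired, future-dated or mismatched tokens; compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        ts_str, _ = token.split(":", 1)
        ts = int(ts_str)
    except ValueError:
        return False
    if ts > now or now - ts > TOKEN_TTL_SECONDS:
        return False
    return hmac.compare_digest(make_user_token(session_id, ts), token)


def handle_delete(method, session, form):
    """Hardened /delete handler: POST only, and the token must be bound to the caller's session."""
    if method != "POST":
        return 405, "method not allowed"
    if not verify_user_token(session["id"], form.get("csrf_token", "")):
        return 403, "invalid CSRF token"
    # Only now perform the destructive operation for form["repository_id"].
    return 200, f"deleted repository {form['repository_id']}"
```

A token minted for one session fails verification for any other session, so a form submitted from a third-party site (which cannot read the victim's token) is rejected before the deletion runs.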