Cross-Site Request Forgery (2009)

Rob Howard
December 07, 2009

The third in a short series of presentations given at a PHP development shop.

Transcript

  1. WHAT IS IT?
     • Using a user's own access against them.
     • Making a browser perform an action on a user's behalf, using that user's credentials, without said user knowing about it. (Until it's too late.)
  2. HOW DOES IT WORK?
     • Relies on the user already being logged in.
     • Trick the user into visiting a URL, e.g. post a link in the comments, on the site's forum, etc. (Somewhere where they're likely to be logged in.)
  3. WHAT'S THIS URL, THEN?
     • If the site has user logins, you have actions the user can perform, e.g. editing their profile, posting a comment, accepting someone as a friend.
     • Actions can be performed by forms (fill fields out and hit Submit), or by clicking a link ("Allow Friend").
  4. WHAT'S THIS URL, THEN? (Ct'd)
     • Some of these use forms, and have an action, e.g.

           <form action="/user/profile" method="get">
             <input type="hidden" name="_a" value="edit" />
             <label>Password:</label>
             <input type="password" name="pass" />
             <input type="submit" name="submit" />
           </form>

       Because this form submits with GET, the whole action is reproducible as a single URL with query parameters.
  5. WHAT'S THIS URL, THEN? (Ct'd)
     • Others are links, e.g.
       http://www.example.com.au/buddyzone/fzmodapi.php?m=4&f=3&r=82&nn=FRIENDLYGUY
     • Visit this link, and you'll make FRIENDLYGUY your BuddyZone friend.
  6. WHAT'S THIS URL, THEN? (Ct'd)
     • Others are links, e.g.
       http://www.example.com.au/buddyzone/fzmodapi.php?m=4&f=3&r=82&nn=FRIENDLYGUY
     • Visit this link, and you'll make FRIENDLYGUY your BuddyZone friend.
     THIS IS FRIENDLYGUY
  7. COME OFF IT. NO-ONE'S GOING TO CLICK THAT.
     • Yeah, you're right.
     • Instead, use one of the many innocuous-looking URL-shortening services.
     • http://www.example.com.au/buddyzone/bzmodapi.php?m=4&f=3&r=82&nn=FRIENDLYGUY
       … is now: http://bit.ly/0MgWtF
  8. OUCH. OK, HOW DO WE FIX IT?
     • Use form POST for doing actions that have side-effects. It makes the rest a lot easier.
     • Session tokens.
     • Every time you generate a session, give the user a random token for that session.
     • Every time you accept input, validate the token. If it doesn't validate, don't perform the action.
     • An attacker can't predict the token, and so can't guess the needed form parameter value.
  9. GIVE ME EXAMPLES, PLEASE.
     • ASP.NET MVC. Lucky bastards.
       In the view:

           <%= Html.AntiForgeryToken() %>

       In the controller, add this attribute to the action:

           [ValidateAntiForgeryToken]
  10. GIVE ME EXAMPLES, PLEASE.
     • PHP CodeIgniter (using Kyle Hasegawa's CSRF library). So we're almost as lucky. >:-|
       In the view:

           form_token();

       In the controller action, add these:

           $this->load->library('form_validation');
           $this->load->library('csrf');
           if (!$this->form_validation->run()) {
               // Validation (including the token check) failed: collect the
               // error messages for the view and do not perform the action.
               $oTVars = validation_errors();
           } else {
               // Do the action
           }
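The framework-free version of what slides 8 and 10 describe (random per-session token, embedded in every POST form, checked before any side-effecting action), as an added example that is not part of the deck or of either framework's code. It assumes PHP 7 or later (random_bytes, hash_equals); the function names csrf_token, csrf_check and profile_form, the field name _token, and the $session array standing in for $_SESSION are this example's own choices.

```php
<?php
declare(strict_types=1);

/**
 * Issue (or reuse) the anti-forgery token for this session.
 * Call it when the session is created; the same token goes into every form.
 */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        // 32 bytes from the OS CSPRNG: an attacker cannot predict or guess it.
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a request may perform a side-effecting action.
 * Only a POST carrying a _token that matches the session token passes.
 */
function csrf_check(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                       // slide 8: actions with side-effects are POST only
    }
    if (empty($session['csrf_token']) || !isset($post['_token'])) {
        return false;                       // no token issued, or none submitted
    }
    // hash_equals compares in constant time, so the check leaks no timing information.
    return hash_equals($session['csrf_token'], (string) $post['_token']);
}

/**
 * The slide-4 profile form, hardened: POST instead of GET, plus the hidden token.
 */
function profile_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form action="/user/profile" method="post">' . "\n"
         . '  <input type="hidden" name="_a" value="edit" />' . "\n"
         . '  <input type="hidden" name="_token" value="' . $token . '" />' . "\n"
         . '  <label>Password:</label>' . "\n"
         . '  <input type="password" name="pass" />' . "\n"
         . '  <input type="submit" name="submit" />' . "\n"
         . '</form>';
}

// ---- Constructed demonstration (stands in for a real session and request) ----
$session = [];                                 // would be $_SESSION in a live app
echo profile_form($session), "\n";             // the legitimate page embeds the token

// 1. Legitimate submission: the browser posts back the token it was given.
$legit = csrf_check($session, 'POST', ['_a' => 'edit', '_token' => $session['csrf_token']]);

// 2. A slide-5 style link: a GET request with no token is refused before anything else.
$forgedGet = csrf_check($session, 'GET', ['_a' => 'edit']);

// 3. A forged POST: the request can be made, but the token value is unknown to the forger.
$forgedPost = csrf_check($session, 'POST', ['_a' => 'edit', '_token' => str_repeat('0', 64)]);

printf("legitimate=%s forged-get=%s forged-post=%s\n",
    var_export($legit, true), var_export($forgedGet, true), var_export($forgedPost, true));
```

Run it with `php csrf_example.php`: only the legitimate submission is accepted. The token is bound to the session rather than to a single form so that a user with several tabs open does not get spurious failures, which is the trade-off slide 8 describes; a per-form token is stricter but needs the same comparison logic.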