Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cross-Site Request Forgery (2009)

E34acb847338523dc088f03f0eedd1eb?s=47 Rob Howard
December 07, 2009

Cross-Site Request Forgery (2009)

The third in a short series of presentations given at a PHP development shop.

E34acb847338523dc088f03f0eedd1eb?s=128

Rob Howard

December 07, 2009
Tweet

Transcript

  1. CSRF (CROSS-SITE REQUEST FORGERY )

  2. WHAT IS IT? • Using a user's own access against

    them. • Making a browser perform an action on a user's behalf, Using that user's credentials, Without said user knowing about it. (Until it's too late.)
  3. HOW DOES IT WORK? • Relies on the user already

    being logged in. • Trick the user into visiting a URL, eg. Post a link in the comments, on the site's forum, etc. (Somewhere where they're likely to be logged in.)
  4. WHAT'S THIS URL, THEN? • If the site has user

    logins, you have actions the user can perform. eg. Editing their profile, posting a comment, accepting someone as a friend. • Actions can be performed by forms (fill fields out and hit Submit), or by clicking a link (“Allow Friend”).
  5. WHAT'S THIS URL, THEN? (Ct'd) • Some of these use

    forms, and have an action, eg. <form action=”/user/profile” method=”get”> <input type=”hidden” name=”_a” value=”edit” /> <label>Password:</label> <input type=”password” name=”pass” /> <input type=”submit” name=”submit” /> </form>
  6. WHAT'S THIS URL, THEN? (Ct'd) • Others are links, eg.

    http://www.example.com.au/ buddyzone/fzmodapi.php? m=4&f=3&r=82&nn=FRIENDLYGUY • Visit this link, and you'll make FRIENDLYGUY your BuddyZone friend.
  7. WHAT'S THIS URL, THEN? (Ct'd) • Others are links, eg.

    http://www.example.com.au/ buddyzone/fzmodapi.php? m=4&f=3&r=82&nn=FRIENDLYGUY • Visit this link, and you'll make FRIENDLYGUY your BuddyZone friend. THIS IS FRIENDLYGUY
  8. COME OFF IT. NO-ONE'S GOING TO CLICK THAT. • Yeah,

    you're right. • Instead, use one of the many innocuous- looking URL-shortening services. • http://www.example.com.au/ buddyzone/bzmodapi.php? m=4&f=3&r=82&nn=FRIENDLYGUY … is now: http://bit.ly/0MgWtF
  9. I ONLY ACCEPT POST REQUESTS ON MY FORMS. • You're

    still vulnerable.
  10. WHAT? • You heard me.

  11. PROVE IT. • Fine.

  12. None
  13. OUCH. OK, HOW DO WE FIX IT? • Use Form

    POST for doing actions that have side-effects. It makes the rest a lot easier. • Session Tokens. • Every time you generate a session, give the user a random token for that session. • Every time you accept input, validate the token. If it doesn't validate, don't perform the action. • An attacker can't predict the token, and so can't guess the needed form parameter value.
  14. GIVE ME EXAMPLES, PLEASE. • ASP.NET MVC Lucky bastards. In

    the view: <%= Html.AntiForgeryToken() %> In the controller, add this attribute to the action: [ValidateAntiForgeryToken]
  15. GIVE ME EXAMPLES, PLEASE. • PHP CodeIgniter (using Kyle Hasegawa's

    CSRF library) So we're almost as lucky. >:-| In the view: form_token(); In the controller action, add these: $this->load->library('form_validation'); $this->load->library('csrf'); if(!$this->form_validation->run()) { $oTVars = validation_errors(); } else { // Do the action }