LazyCSRF: A More Useful CSRF PoC Generator on BurpSuite@Black Hat EUROPE 2021 Arsenal/lazyCSRF-bh2021-europe

Transcript

1. #BHEU @BlackHatEvents LazyCSRF A more useful CSRF PoC generator on

   BurpSuite Presented by Taichi Kotake Akatsuki Inc. 1

2. #BHEU @BlackHatEvents Who I am • Name: Taichi Kotake •

   Country: Japan • Job: Security Engineer @ Akatsuki Inc. • GitHub: tkmru 2

3. #BHEU @BlackHatEvents Me and Black Hat • Black Hat USA

   2020 Arsenal • I talked about apk-medit • Black Hat USA 2021 Arsenal • I talked about ipa-medit • Black Hat EUROPE 2021 Arsenal ← NEW !! 3

4. 1: Introduction to CSRF 4

5. #BHEU @BlackHatEvents What's CSRF • CSRF(Cross-site request forgery) is a

   web app vulnerability • It allows an attacker to induce users to perform actions that they do not intend to perform 5

6. #BHEU @BlackHatEvents What's CSRF Attacker’s Website Server Change email address,

   password etc 200 OK 6 Victim Attacker

7. #BHEU @BlackHatEvents Conditions for a successful attack • Cookie-based session

   handling • The victim needs to have an active session with the target website • The request parameter is known to the attacker • The victim accesses a fake website created by the attacker 7

8. #BHEU @BlackHatEvents What is the impact of CSRF • The

   attacker causes the victim to unintentionally execute the functions of the web application: • Changing the profile, email address, password, etc • Sending a message • Deleting an account • etc 8

9. #BHEU @BlackHatEvents Preventing CSRF • Web apps need a way

   to determine if the HTTP request is legitimately generated via the application’s UI • A CSRF token is used to prevent CSRF attacks 9

10. #BHEU @BlackHatEvents Preventing CSRF • A CSRF token is a

    secure random token • Should be unique per user session • Should be of a large enough random value to make it difficult to guess 10

11. #BHEU @BlackHatEvents Preventing CSRF • These tokens are inserted within

    hidden parameters of HTML forms related to critical server-side operations • The web app server rejects the request if the CSRF token fails to match the test 11

12. #BHEU @BlackHatEvents Victim Attacker Server Change the email address, password

    etc Preventing CSRF without CSRF token 12 Attacker’s Website

13. #BHEU @BlackHatEvents Does Samesite=Lax prevent CSRF? • The SameSite attribute

    can be used to control whether and how cookies are submitted in cross-site requests • Using Samesite=Lax as a defence against CSRF has become popular recently Set-Cookie: SessionId=XXXXXXXXXXXXXXXXXXX; SameSite=Lax; 13

14. #BHEU @BlackHatEvents Does Samesite=Lax prevent CSRF? • If the Samesite=Lax

    is set, requests from another site with POST/PATCH/PUT etc (without GET) will not include the cookie • It provides a partial defense against CSRF attacks Set-Cookie: SessionId=XXXXXXXXXXXXXXXXXXX; SameSite=Lax; 14

15. #BHEU @BlackHatEvents Victim Attacker Server POST/PATCH/PUT request Preventing CSRF using

    Samesite=Lax GET request 15 Attacker’s Website

16. #BHEU @BlackHatEvents Samesite=Lax is not enough • Some applications do

    implement sensitive actions using GET requests • It is not recommended to rely solely on SameSite cookies as a defense against CSRF 16

17. #BHEU @BlackHatEvents Writing CSRF PoC HTML is a hassle •

    For pen-testing, security engineers write a PoC HTML to see whether a CSRF attack can actually be performed • The process of generating a PoC HTML is a hassle 17

18. 2: Introduction to the Burp Suite 18

19. #BHEU @BlackHatEvents Burp Suite is the de-facto testing tool •

    Burp Suite is a proxy tool made by PortSwigger • It is the de-facto penetration testing tool for assessing web applications 19

20. #BHEU @BlackHatEvents Burp Suite has many useful features • Built-in

    Chromium browser for easy set-up of HTTP(S) interception • Built-in web vulnerability scanner • Only Burp Suite Professional • Extensions can be written in Java, Python or Ruby • etc 20

21. #BHEU @BlackHatEvents Generating CSRF PoC is my favorite feature •

    Burp Suite can be used to generate a PoC CSRF attack • To access this feature, select a URL or HTTP request anywhere within Burp, and choose "Generate CSRF PoC" within "Engagement tools" in the context menu. 21

22. #BHEU @BlackHatEvents But sometimes it's stressful • Multibyte characters(like Japanese)

    are garbled…😢 • it will try to generate PoC using form even for PoC that cannot be represented by form, such as cases using JSON for parameters or PUT requests 22

23. 3: Introduction to LazyCSRF 23

24. #BHEU @BlackHatEvents LazyCSRF aims to solve the problem of Burp

    • I am frustrated with the CSRF PoC generated by Burp Suite • So I created a Burp Extension called LazyCSRF to solve these problems • It's implemented in Java 24

25. #BHEU @BlackHatEvents Features of LazyCSRF • Automatically switch to PoC

    using XMLHttpRequest • In case JSON parameters or PUT/PATCH/DELETE etc • Supports displaying multibyte characters(like Japanese) • Generating CSRF PoC with the Burp Suite Community Edition 25

26. #BHEU @BlackHatEvents 1. Automatically switch to PoC using XHR •

    LazyCSRF automatically switches to using XHR when PoC cannot be generated with <form> • Allows JSON parameter to be sent using XHR • Allows sending a PATCH/PUT/DELETE request using XHR 26

27. #BHEU @BlackHatEvents Burp Suite also supports PoC using XHR •

    Although it doesn't switch automatically, Burp Suite can also generate PoC for XHR 27

28. #BHEU @BlackHatEvents 2. Support displaying multibyte characters • LazyCSRF can

    generate CSRF PoC without garbling multibyte characters • Japanese can be displayed! • This is only the case if the characters are not garbled on Proxy/Repeater tab 28

29. #BHEU @BlackHatEvents 29 LazyCSRF Version Built-in CSRF PoC generator

30. #BHEU @BlackHatEvents IExtensionHelpers.bytesToString ignores the encoding • IExtensionHelpers contains helper

    methods • to assist with various common tasks for Burp extensions • IExtensionHelpers.bytesToString can be used to convert data from an array of bytes into a String 30

31. #BHEU @BlackHatEvents IExtensionHelpers.bytesToString ignores the encoding • IExtensionHelpers.bytesToString ignores the

    encoding and converts it to a string • This is probably the cause of the garbled CSRF PoC characters generated by Burp Suite 31

32. #BHEU @BlackHatEvents 3. Generating CSRF PoC with the Burp Suite

    Community Edition • I always use the Professional Edition, so I didn't aim to do it • But, by creating a CSRF PoC generator as an extension, the Community Edition can also create CSRF PoC 32

33. #BHEU @BlackHatEvents Installation • Download the JAR from GitHub Releases

    • https://github.com/tkmru/lazyCSRF/releases/ • In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension • Select the extension type `Java`, and specify the path of the downloaded JAR 33

34. #BHEU @BlackHatEvents Installation • TODO: εΫγϣషΔ 34

35. #BHEU @BlackHatEvents Usage • You can generate a CSRF PoC

    by selecting Extensions →ɹ LazyCSRF → Generate CSRF PoC By LazyCSRF from the menu that shows up by right-clicking on Proxy and Repeater 35

36. #BHEU @BlackHatEvents Usage 36

37. #BHEU @BlackHatEvents 37

38. #BHEU @BlackHatEvents Future Work • Burp Suite hosts the generated

    PoC on localhost, but LazyCSRF cannot go that far • Displaying HTML with colors • I hope to implement them in LazyCSRF in the future 38

39. 4: TIPS for Burp extension development 39

40. #BHEU @BlackHatEvents How to use GitHub actions for Burp Extension

    development? • GitHub Actions is a CI service by GitHub • It is free to use for public repositories • There are still very few GitHub Actions on the Internet that use it for Burp Extension development. 40

41. #BHEU @BlackHatEvents How to use GitHub actions for Burp Extension

    development? • LazyCSRF allows you to build with mvn command • When a tagged commit is uploaded to GitHub, the build runs via GitHub Actions and automatically registers the JAR to GitHub Releases 41

42. #BHEU @BlackHatEvents Code Template for Burp Extension Development • While

    creating LazyCSRF, I also created a code template • If you are currently developing Burp extensions, please use it! • https://github.com/tkmru/BurpSuiteExtensionTemplate 42

43. #BHEU @BlackHatEvents 43

44. 5: Summary 44

45. #BHEU @BlackHatEvents Summary • LazyCSRF eases CSRF testing • LazyCSRF

    is still a rough tool, so I want to make it more complete • I hope LazyCSRF will become the de facto standard for security testing! 45

46. #BHEU @BlackHatEvents Thank You!! https://github.com/tkmru/lazyCSRF 46

47. #BHEU @BlackHatEvents References • https://portswigger.net/web-security/csrf • https://portswigger.net/web-security/csrf/samesite-cookies • https://www.synopsys.com/glossary/what-is-csrf.html 47