![Two-‐Way
CSRF
• AOacker
page
can
make
cross
domain
request
using
SCRIPT
(firefox)
• Following
code
can
overload
the
array
stream.
funcEon
Array()
{
var
obj
=
this;
var
index
=
0;
for(j=0;j<4;j++){
obj[index++]
seOer
=
spoof;
}
}
funcEon
spoof(x){
send(x.toString());
}](https://image.slidesharecdn.com/csrf-151026090013-lva1-app6891/85/CSRF-ClickJacking-Open-Redirect-18-320.jpg)
CSRF, ClickJacking & Open Redirect
- 1. CSRF (Cross Site Request Forgery) ClickJacking & Open Redirects
- 2. Cross Site Request Forgery (CSRF) • Generic CSRF is with GET / POST • Forcefully sending request to the target applicaEon with cookie replay • Leveraging tags like – IMG – SCRIPT – IFRAME • Not abide by SOP or Cross Domain is possible
- 3. Request generaEon IMG SRC <img src="hOp://host/?command"> SCRIPT SRC <script src="hOp://host/?command"> IFRAME SRC <iframe src="hOp://host/?command">
- 4. Request generaEon 'Image' Object <script> var foo = new Image(); foo.src = "hOp://host/?command"; </script> XHR – Cross domain difficult
- 5. Request generaEon • It is possible to generate POST as well • Form can be build dynamically and buOon click from JavaScript is possible <script type="text/javascript" language="JavaScript"> document.foo.submit(); </script>
- 6. Cross Site Request Forgery (CSRF) • What is different with Web 2.0 – Is it possible to do CSRF to XML stream – How? – It will be POST hitting the XML processing resources like Web Services – JSON CSRF is also possible – Interesting check to make against application and Web 2.0 resources
- 7. One Way CSRF Scenario
- 8. One Way CSRF Scenario
- 9. One Way CSRF Scenario
- 10. One Way CSRF Scenario
- 11. One-‐Way CSRF
- 12. One-‐Way CSRF • <html> • <body> • <FORM NAME="buy" ENCTYPE="text/plain" acEon="hOp:// trade.example.com/xmlrpc/trade.rem" METHOD="POST"> • <input type="hidden" name='<?xml version' value='"1.0"? ><methodCall><methodName>stocks.buy</ methodName><params><param><value><string>MSFT</string></ value></param><param><value><double>26</double></value></ param></params></methodCall>'> • </FORM> • <script>document.buy.submit();</script> • </body> • </html>
- 13. Forcing XML • Spligng XML stream in the form. • Possible through XForms as well. • Similar techniques is applicable to JSON as well.
- 14. Two-‐Way CSRF • One-‐Way – Just making forceful request. • Two-‐Way – Reading the data coming from the target – May be getting hold onto important information – profile, statements, numbers etc. – Is it possible with JSON/XML
- 15. Two-‐Way CSRF
- 16. Two-‐Way CSRF • ApplicaEon is serving various streams like – JSON, JS-‐Object, Array etc.
- 17. Two-‐Way CSRF
- 18. Two-‐Way CSRF • AOacker page can make cross domain request using SCRIPT (firefox) • Following code can overload the array stream. funcEon Array() { var obj = this; var index = 0; for(j=0;j<4;j++){ obj[index++] seOer = spoof; } } funcEon spoof(x){ send(x.toString()); }
- 19. Two-‐Way CSRF
- 20. Two-‐Way CSRF • It is possible to overload these objects. • Reading and sending to cross domain possible. • Opens up two way channel for an aOacker. • Web 2.0 streams are vulnerable to these aOacks.
- 21. Countermeasure • Server Side Checks – Check for client’s content-type. – XHR calls – xml/application. – Native calls – text/html. – Filtering is possible on it. • Client Side Checks – Stream can be started and terminated by /* or any predefined characters. – Client can remove them before injecting to DOM.
- 22. Clickjacking
- 23. DescripEon • Clickjacking is a popular name for an old aOack method called “UI redressing” • Though a case of “old wine in a new boOle”, given the current development in Web standards (Web 2.0, AJAX, etc), one cannot ignore the risks posed by this vulnerability • The basic philosophy of this aOack is to fool the user into clicking a malicious link
- 24. DescripEon • Clickjacking involves “hijacking” the user's mouse clicks • This means, the user thinks (s)he's clicking on something, but is actually not • The user, invariably and unknowingly authorizes certain acEons which could have disasterous consequences or could be as harmless as being redirected to a games site
- 25. AOack Anatomy • There are 3 popular ways in which aOackers perpetrate this vulnerability – Using invisible elements such as iframes – Injecting malicious javascript (or any other client side scripting language) – Leveraging a bug in Adobe Flash Player (this method is now obsolete)
- 26. AOack Anatomy • An aOacker uses the concept of layering to crat an aOack • Basically, the page that the user views, will have layers • Some of these layers will be transparent (or invisible) • The user will never know of the invisible layers and will end up making a wrong choice
- 27. AOack Anatomy • Lets first understand this basic mechanism with an example and then move on to the different ways of perpetraEng this aOack ....
- 28. AOack Anatomy Send email to all users ? Yes No Actual intented content ....
- 29. AOack Anatomy Send email to all users ? Yes No Do you want a free iPad? No Intended content .... Malicious content for clickjacking
- 30. AOack Anatomy Send email to all users ? Yes No Do you want a free iPad? No When the two are super imposed … (“Send email to all users?” Will not be visible, it is shown here for clarity)
- 31. Unvalidated Redirects & Forwards
- 32. DescripEon • Web applicaEons are having its own “flow” • Business flow needs movement between pages and sites • ApplicaEon uses same domain or cross domain redirects and forwards • It allows applicaEons to work easily and access same domain or cross domain resources (Single Sign On – leveraging)
- 33. DescripEon • HTTP requests can be GET or POST • Parameters are not validated and can lead to arbitrary redirects • This can be leveraged at ease and get exploited by an aOacker • AOacker exploits the trust and leverage the vulnerability
- 34. AOack Anatomy • As a part of root cause, there must be a redirect hole • Example, – http://foo.bank.com/login.aspx? user=xxx&page=trade.aspx • Here “page” is a vulnerable parameter • What if? Some one put page=hOp:// yahoo.com …
- 35. AOack Anatomy Attacker foo.bank.com http://foo.bank.com/login.aspx?user=xxx& page=http://yahoo.com Get redirect or JavaScript call for loading yahoo.com Vulnerability detected!!!
- 36. AOack Anatomy • What is redirect… – If server sends 302 in its HTTP response – If server sends JavaScript with certain document object calls like “location” • What will happen… – It will send browser to new location – User will stay in impression that he/she is at trusted site but that is not the case
- 37. AOack Anatomy Bank’s user foo.bank.com Login the page Login successful This is what in user’s mind… a.) URL – trusted, foo.bank.com b.) Login form - trusted
- 38. AOack Anatomy • User is doing all his acEviEes • Full trust is established and day to day work is going on • Now aOacker’s acEon comes in … • AOacker sends a mail and request to login and change password immediately as part of banking policies • AOacker acts as administrator from bank
- 39. AOack Anatomy • Magic is in the link and trust is in the mind. • User trust the URL and Link both consciously and subconsciously… • Following link will be sent. http://foo.bank.com/login.aspx?user=xxx&date=12-12-2009&trust=good& page=http://203.88.xx.xx/security.html Link is injected User is going to trust this
- 40. AOack Anatomy Click the link Get a redirect response to 203.88.XX.XX 1Link in mail
- 41. AOack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Trusted evil redirect 2
- 42. AOack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) 3
- 43. AOack Anatomy Bank’s user foo.bank.com Click the link Get a redirect response to 203.88.XX.XX 203.88.XX.XX (Attacker’s area) Bank’s user Send dummy form Bank’s user Send username and password Send dummy response (Thanks!) Trusted evil redirect 203.88.XX.XX (Attacker’s area) Logs in and do money transfer 4
- 44. Conclusion