Bypassing CSRF Protections
A Double Defeat of the Double-Submit Cookie Pattern
About Me
• David Johansson (@securitybits)
– Security consultant since 2007
– Helping clients design and build secure software
– Security training
– Based in London for the past three years, working for Cigital (now part of Synopsys)
CSRF Protection:
DOUBLE-SUBMIT COOKIE PATTERN
Cross-site Request Forgery
• Attacker sends payload via victim’s browser
• Browser automatically includes the user's identity (e.g. the session cookie) in the forged request
Double-submit Cookie Pattern
• Simple CSRF protection – no server-side state
• Server puts a random token in a cookie; the page echoes the same value in each state-changing request (form field or header); server accepts the request only if cookie value and request value match
False Assumptions?
• "Cookies are different!" (only the site itself can set them, so an attacker cannot know or choose the value) – Not really true…
Cookie Fixation
• What if the attacker can set the CSRF cookie?
• Cookie fixation can be done through:
– Exploiting subdomains
– Man-in-the-middle attacks on plain HTTP connections
Double-submit Defeat #1:
EXPLOITING SUBDOMAINS
Malicious Subdomain
• Attacker controls https://evil.example.com/
• Subdomain sets a cookie for the parent domain (Domain=example.com), which the browser then also sends to www.example.com
• Includes a specific path, more specific than the path of the legitimate CSRF cookie
Malicious Subdomain
• Attacker now controls cookies sent to https://www.example.com/submit
• Attacker's CSRF cookie sent first due to longer path: RFC 6265 tells browsers to list cookies with longer paths first, and many server-side cookie parsers keep the first value seen for a name
Vulnerable Subdomain
• Controlling all subdomains doesn't mean you're safe
• XSS in any subdomain can be exploited to plant the cookie on the parent domain:
<script>document.cookie = "_csrf=a; Path=/submit; domain=example.com";</script>
• So you're using CSP? – Cookies can still be set through meta-tags ☺
<meta http-equiv="set-cookie" content="_csrf=a; Path=/submit; domain=example.com">
(Caveat: current browsers no longer honour http-equiv="set-cookie"; Chrome dropped it in version 65 and Firefox in version 68. The script variant still works wherever injected script runs.)
Double-submit Defeat #2:
MAN-IN-THE-MIDDLE ATTACKS
Man-in-the-Middle Attacks
• HTTP origins can set cookies for HTTPS origins: the cookie store keys on name, domain and path, not on scheme
• Even 'Secure' cookies can be overwritten from HTTP responses*
• An attacker who can MitM any plain-HTTP connection from the victim (not necessarily one to the target site) can redirect it to an http:// URL of the target domain, answer with Set-Cookie, and:
– Overwrite the CSRF cookie
– Pre-empt the CSRF cookie (plant it before the site has set its own)
*The 'Strict Secure Cookies' rule (https://www.chromestatus.com/feature/4506322921848832, now in the RFC 6265bis draft and implemented in Chrome and Firefox) makes the browser refuse a cookie set over HTTP when it would sit alongside an existing Secure cookie of the same name. It does not stop the pre-empt case, where no Secure cookie exists yet when the attacker's cookie is stored.
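Both defeats replayed in a small cookie-jar model. This is an added example, not code from the slides: it implements the RFC 6265 storage and ordering rules that matter here (Domain scope, longest-path-first ordering, the Strict Secure Cookies rule and the __Host- prefix check), with the hosts, paths and cookie values constructed for illustration, and a server-side check that, like the npm `cookie` parser, keeps the first value seen for a name.

```javascript
'use strict';
// Added example, not from the slides: a cookie-jar model implementing the
// RFC 6265 storage and ordering rules needed to replay both defeats. Hosts,
// paths and cookie values are constructed for illustration.

// Parse one Set-Cookie header value into name/value plus the attributes used here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
              domain: null, hostOnly: true, path: '/', secure: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'domain') c.domain = v.replace(/^\./, '').toLowerCase();
    else if (key === 'path') c.path = v;
    else if (key === 'secure') c.secure = true;
  }
  return c;
}

// RFC 6265 5.1.3 domain-match and 5.1.4 path-match.
const domainMatches = (host, domain) => host === domain || host.endsWith('.' + domain);
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

class CookieJar {
  // strictSecure: apply the "Leave Secure Cookies Alone" rule from RFC 6265bis.
  constructor({ strictSecure = false } = {}) {
    this.cookies = [];
    this.strictSecure = strictSecure;
  }

  // Store a cookie received in a response from scheme://host.
  // Returns true if stored, false if the browser rules reject it.
  set(scheme, host, header) {
    const c = parseSetCookie(header);
    if (c.secure && scheme !== 'https') return false;
    if (c.domain === null) {
      c.domain = host;                                    // host-only cookie
    } else {
      if (!domainMatches(host, c.domain)) return false;   // unrelated domain
      c.hostOnly = false;                                 // also sent to subdomains
    }
    // __Host- prefix: only Secure, from https, without Domain, with Path=/.
    if (c.name.startsWith('__Host-') &&
        (!c.secure || scheme !== 'https' || !c.hostOnly || c.path !== '/')) return false;
    // Strict secure: an http response may not plant a cookie next to an
    // existing Secure cookie of the same name.
    if (this.strictSecure && scheme !== 'https') {
      const shadows = this.cookies.some(e => e.name === c.name && e.secure &&
        (domainMatches(c.domain, e.domain) || domainMatches(e.domain, c.domain)) &&
        pathMatches(c.path, e.path));
      if (shadows) return false;
    }
    this.cookies = this.cookies.filter(e =>
      !(e.name === c.name && e.domain === c.domain && e.path === c.path));
    this.cookies.push(c);
    return true;
  }

  // Cookie header for a request to scheme://host/path; RFC 6265 5.4 lists
  // cookies with longer paths first.
  cookieHeader(scheme, host, path) {
    return this.cookies
      .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter(c => pathMatches(path, c.path) && (!c.secure || scheme === 'https'))
      .sort((a, b) => b.path.length - a.path.length)
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Server side: first-occurrence-wins cookie parsing, then the plain double-submit comparison.
function doubleSubmitAccepts(cookieHeader, name, bodyToken) {
  const pair = cookieHeader.split('; ').find(p => p.startsWith(name + '='));
  return pair !== undefined && pair.slice(name.length + 1) === bodyToken;
}

// Defeat #1: a subdomain plants a Domain cookie with a more specific path.
function subdomainFixation(name = '_csrf') {
  const jar = new CookieJar({ strictSecure: true });
  jar.set('https', 'www.example.com', `${name}=legit; Path=/; Secure`);
  const planted = jar.set('https', 'evil.example.com',
    `${name}=attacker; Path=/submit; Domain=example.com`);
  const header = jar.cookieHeader('https', 'www.example.com', '/submit');
  return { planted, header, bypassed: doubleSubmitAccepts(header, name, 'attacker') };
}

// Defeat #2: a MitM on a plain-HTTP connection answers a request for
// http://www.example.com with Set-Cookie. preempt: plant it before the real one exists.
function mitmFixation({ strictSecure, preempt, name = '_csrf' }) {
  const jar = new CookieJar({ strictSecure });
  const legit = () => jar.set('https', 'www.example.com', `${name}=legit; Path=/; Secure`);
  const evil = () => jar.set('http', 'www.example.com', `${name}=attacker; Path=/submit`);
  let planted;
  if (preempt) { planted = evil(); legit(); } else { legit(); planted = evil(); }
  const header = jar.cookieHeader('https', 'www.example.com', '/submit');
  return { planted, header, bypassed: doubleSubmitAccepts(header, name, 'attacker') };
}

// With the __Host- prefix the browser refuses both plants.
function hostPrefixStopsBoth() {
  return !subdomainFixation('__Host-_csrf').planted &&
    !mitmFixation({ strictSecure: true, preempt: true, name: '__Host-_csrf' }).planted;
}
```

Running `subdomainFixation()` yields the Cookie header `_csrf=attacker; _csrf=legit` and a passed check; `mitmFixation` shows the overwrite blocked only when `strictSecure` is on, while the pre-empt variant succeeds regardless, which is why the `__Host-` prefix (and not the Secure attribute alone) closes the MitM vector.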
Overwrite CSRF Cookie
Pre-empt CSRF Cookie
Bypassing CSRF Protection
• After fixating CSRF cookie, attacker can create successful CSRF payload
Mitigations
• Additional defenses to strengthen double-submit cookie pattern:
– HTTP Strict Transport Security (HSTS): keeps the browser off plain HTTP for the domain (and, with includeSubDomains, its subdomains), which removes the MitM vector
– Cookie Prefixes ("__Host-" is the one you want): the browser only accepts a __Host- cookie set from a secure origin with the Secure attribute, no Domain attribute and Path=/, so neither a subdomain nor an HTTP response can plant one
– Sign cookie: a value planted by an attacker fails verification
– Bind cookie to user (e.g. to the session), so a token is not valid in any other user's session
– Use custom HTTP header to send request token: a cross-site form cannot add one, and a cross-origin XHR would need a CORS preflight
ANGULAR & CSURF
This is not the token you’re looking for…
AngularJS CSRF Protection
• AngularJS $http service has built-in support to help prevent CSRF*
• Reads token from cookie (XSRF-TOKEN) and sets custom HTTP header (X-XSRF-TOKEN)
• Server needs to implement token validation
• Can be used as double-submit cookie pattern if server compares cookie value with HTTP header
*https://blogs.synopsys.com/software-integrity/2017/02/24/angularjs-security-http-service/
AngularJS & csurf
Default Value Function
• csurf's default value function reads req.body._csrf and req.query._csrf before it looks at any header
• Body and query parameters checked first! A cross-site form POST can carry a _csrf field; the X-XSRF-TOKEN header the Angular app sends is never required
Exploit Default Value Function
• Given a fixated secret cookie (Defeat #1 or #2), the attacker can produce a token that validates against it and submit it as a _csrf form field, with no custom header needed
• CSRF Defense Bypassed
Specify Custom Value Function
• Pass csurf a value option that reads only the X-XSRF-TOKEN header, so the token can no longer be supplied in the body or query string
Summary
• Double-submit Cookie Pattern based on partially incorrect assumptions
• Integrity protection of cookies is very weak
• Attackers can often force cookies upon other users
• Be careful which token you validate against
• Additional mitigations often required to strengthen the defense
Thank You!
Questions?
@securitybits