Cross Site Request Forgery Vulnerabilities
Copyright © 2008 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
Cross Site Request Forgery Deep Dive in Cincinnati Chapter Meeting
May 27th
[email protected]
Agenda
1. TBD
2. OWASP Publications
3. OWASP Tools Demo By Blaine Wilson
4. OWASP Cincinnati Local Chapter
5. Final Questions
Place of CSRF in the OWASP Top 10 2007
1. Cross Site Scripting (XSS)
2. Injection Flaws
3. Insecure Remote File Include
4. Insecure Direct Object Reference
5. Cross Site Request Forgery (CSRF)
6. Information Leakage and Improper Error Handling
7. Broken Authentication and Session Management
8. Insecure Cryptographic Storage
9. Insecure Communications
10. Failure to Restrict URL Access
http://www.owasp.org/index.php/Top_10
Description of CSRF threat and the impact
CSRF forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated.
An attacker may force the users of a web application to execute actions of the attacker's choosing via social engineering.
CSRF Causes
The way CSRF is accomplished relies on the following facts:
1) Web browser behavior regarding the handling of session-related information such as cookies and HTTP authentication information;
2) Knowledge of valid web application URLs on the side of the attacker;
3) Application session management relying only on information which is known by the browser;
4) Existence of HTML tags whose presence causes immediate access to an http[s] resource; for example the image tag img.
Threat Scenario
CSRF is a Same Origin Exploit
The GET request could originate in several different ways:
1. from the user, who is using the actual web application;
2. from the user, who types the URL directly in the browser;
3. from the user, who follows a link (external to the application) pointing to the URL.
CSRF attack vectors
Example: Webgoat/?
CSRF Countermeasures: Client/User
Some mitigating actions are:
1. Log off immediately after using a web application.
2. Do not allow your browser to save usernames/passwords, and do not allow sites to “remember” your login.
3. Do not use the same browser to access sensitive applications and to surf the Internet freely; if you have to do both things on the same machine, do them with separate browsers.
4. Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks, since simply viewing a mail message or a news message might lead to the execution of an attack.
CSRF Countermeasures: Developers
1. Add session-related information to the URL
2. Use POST instead of GET
3. Automatic logout mechanisms
4. Rely on Referer headers
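The developer countermeasures above combine naturally into one server-side check: require POST for state changes, verify that the browser-supplied Origin or Referer names the application, and require a per-session value that only the legitimate page knows (the slides' "session-related information", carried here in a form field rather than the URL). The following is an added example written for this page, not code from the slides or from OWASP; the origin `https://www.example.com`, the `/transfer` path, the `Session`/`Request` classes and the cookie value are all assumptions made up for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the protected application (constructed for this example).
APP_ORIGIN = "https://www.example.com"


@dataclass
class Session:
    """Server-side session state; the csrf_token is deliberately NOT stored in a cookie,
    so the browser cannot attach it automatically to a request it did not intend."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed, not a real framework type)."""
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)


def _origin_of(url):
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def same_origin(headers):
    """True only when Origin (preferred) or Referer names the application itself.
    A missing header is treated as foreign: some clients strip Referer, which is why
    the token check below, not this header check, is the primary control."""
    src = headers.get("Origin") or headers.get("Referer")
    return bool(src) and _origin_of(src) == APP_ORIGIN


def check_csrf(request, session):
    """Return 'ok' or a 'rejected: ...' reason for a state-changing request."""
    # Countermeasure: use POST instead of GET, so an <img> or link cannot trigger the action.
    if request.method != "POST":
        return "rejected: state change attempted with " + request.method
    # Countermeasure: rely on Origin/Referer headers as a defense-in-depth signal.
    if not same_origin(request.headers):
        return "rejected: Origin/Referer missing or foreign"
    # Countermeasure: session-related secret that the browser does not send on its own.
    submitted = request.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "rejected: missing or wrong csrf_token"
    return "ok"


def demo():
    """Run check_csrf over constructed requests. The browser adds the session cookie to
    every one of them, which is exactly why the cookie alone must not authorize the action."""
    session = Session(user="alice")
    base = {"Cookie": "JSESSIONID=constructed-session-id"}
    cases = {
        "legitimate": Request(
            "POST", "/transfer",
            {**base, "Origin": APP_ORIGIN, "Referer": APP_ORIGIN + "/transfer"},
            {"to": "bob", "amount": "10", "csrf_token": session.csrf_token}),
        # A GET fetched via an image tag on a third-party page (cause 4 in the slides).
        "img_tag_get": Request(
            "GET", "/transfer?to=mallory&amount=1000",
            {**base, "Referer": "https://attacker.example/"}),
        # A POST auto-submitted from a third-party page: cookie present, origin foreign.
        "third_party_post": Request(
            "POST", "/transfer",
            {**base, "Origin": "https://attacker.example"},
            {"to": "mallory", "amount": "1000"}),
        # Same-origin headers but no token: the token check still has to fail it.
        "same_origin_no_token": Request(
            "POST", "/transfer",
            {**base, "Referer": APP_ORIGIN + "/"},
            {"to": "mallory", "amount": "1000"}),
    }
    return {name: check_csrf(req, session) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The order of the checks matters for the reasons the slides give: the method and header checks are cheap and stop the image-tag and auto-posted-form vectors, but only the per-session token addresses cause 3 (session management relying solely on what the browser knows), so it must be present even when the headers look right.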
Black Box testing and example
1. Let u be the URL being tested; for example, u = http://www.example.com/action
2. Build an HTML page containing the HTTP request referencing URL u (specifying all relevant parameters; in the case of HTTP GET this is straightforward, while for a POST request you need to resort to some JavaScript);
3. Make sure that the valid user is logged on to the application;
4. Induce them to follow the link pointing to the to-be-tested URL (social engineering is involved if you cannot impersonate the user yourself);
5. Observe the result, i.e. check whether the web server executed the request.
Gray Box testing and example
Audit the application to ascertain if its session management is vulnerable.
Check if session management relies only on client-side values.
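One concrete way to run the gray-box check above is to go through the application's own HTML and list every form whose request would be authenticated by cookies alone, i.e. that carries no session-related value in a hidden field or in the action URL (the slides' developer countermeasure 1). The auditor below is an added example for this page, not a tool from the slides or from OWASP; the form markup is constructed, and the token-name hints in `TOKEN_HINTS` are an assumption to be tuned for the application under audit.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumed substrings that identify an anti-CSRF parameter in this application.
TOKEN_HINTS = ("csrf", "xsrf", "token", "nonce")


def _looks_like_token(name):
    name = (name or "").lower()
    return any(hint in name for hint in TOKEN_HINTS)


class FormCollector(HTMLParser):
    """Collect each <form>: its method, action path and whether it carries a token
    either as a hidden input or as a query parameter of the action URL."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""
            parts = urlsplit(action)
            self._cur = {
                "action": parts.path or action,
                "method": (a.get("method") or "get").lower(),
                # Session-related information in the URL counts (countermeasure 1).
                "token": any(_looks_like_token(k) for k in parse_qs(parts.query)),
            }
        elif tag == "input" and self._cur is not None:
            hidden = (a.get("type") or "text").lower() == "hidden"
            if hidden and _looks_like_token(a.get("name")):
                self._cur["token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def audit_forms(html):
    """Return the forms that rely only on values the browser sends by itself (cookies),
    which is the condition the gray-box check is looking for."""
    collector = FormCollector()
    collector.feed(html)
    collector.close()
    return [f for f in collector.forms if not f["token"]]


# Constructed page: two protected forms and one that depends on the cookie alone.
SAMPLE_HTML = """
<form action="/transfer" method="post">
  <input type="hidden" name="csrf_token" value="constructed-token-1">
  <input name="to"><input name="amount"><input type="submit" value="Send">
</form>
<form action="/update?csrf_token=constructed-token-2" method="POST">
  <input name="email"><input type="submit" value="Save">
</form>
<form action="/delete" method="post">
  <input type="hidden" name="id" value="7"><input type="submit" value="Delete">
</form>
"""

if __name__ == "__main__":
    for f in audit_forms(SAMPLE_HTML):
        print(f"{f['method'].upper()} {f['action']}: no session-related value, cookie-only")
```

The listing is an input to the audit, not its verdict: a GET form with no token may be a harmless search box, while a flagged POST form that changes state is the case the slides call vulnerable, so each flagged action still has to be mapped to what the server does with it.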
Tools
Difference Between XSS and CSRF