OWASP Khartoum - CSRF Session - Abdullah Ulber - January 2013
DESCRIPTION
Abdullah Ulber works at Banan IT as a senior software architect, web developer and education manager. He has more than ten years of professional software development experience, specialising in web applications based on ASP.NET MVC, HTML5 and Silverlight. He is a keen follower of all trends in the web world and enjoys passing on his knowledge in captivating presentations and courses. Outside his work, he is an organising member of the OWASP local chapter in Khartoum. Before his move to Sudan, Abdullah was the co-organiser of the Swiss Olympiad in Informatics and the team leader of the Swiss delegation to the International Olympiads in Informatics from 1998 to 2005. He holds a master’s degree in computer science from ETH Zurich. This session was held on Saturday 12/01/2013. Check our best shots from the event on our Facebook group: http://fb.com/groups/OWASP.Khartoum
TRANSCRIPT
About the Speaker
Swiss Olympiad in Informatics
MSc in Computer Science
Abdullah Ulber
Senior Software Architect
Web Developer
Volunteer at OWASP Khartoum
OWASP Mission
"to make application security visible so that people and organisations can make informed decisions about application security risks"
Lots of demos
Lots of diagrams
Lots of stuff covered
“Everything you ever wanted to know about CSRF”
What OWASP is NOT
Hogwarts School of Witchcraft And Wizardry
Product Neutrality
“OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.”
Introduction
Motivation
Character Study
How CSRF Works
Protections
INTRODUCTION
CSRF, pronounced "sea surf"
First mention in 2001 by Peter Watkins.
“I'm afraid CSRF is going to be a mess to deal with in many cases. Like trying to tame the seas.”
The attack with the coolest name.
A Magic Trick
MOTIVATION
Predictions
OWASP 2007: “CSRF is more prevalent than its current ranking would indicate, and it can be highly dangerous.”
MITRE CVE Trends, May 2007: “… there will likely be a significant increase in CSRF reports.”
WhiteHat Security, July 2007: “The Sleeping Giant”
Interest over Time
Chart: interest over time, 2005 to 2012, series: CSRF.
Unlike XSS and SQL Injection
Chart: interest over time, 2005 to 2012, series: SQL Injection, XSS.
Let’s Be Fair
Chart: interest over time, 2005 to 2012, series: SQL Injection, XSS and CSRF on one scale.
CSRF and XSS: The Evil Twins
Table (statistics by Firehost): share of web attacks by type; rows CSRF, Directory Traversal, XSS, SQL Injection; columns Total 2011, Q1 2012, Q2 2012, Q3 2012. The cell values did not survive extraction in a recoverable order (figures on the slide: 14, 10, 21, 12, 24, 38, 43, 24, 30, 40, 27, 35, 32, 12, 9, 29).
In the News
Strike #1 Feb 2008
Strike #2 Sept 2008
Strike #3 May 2010
A Career Alternative? Aug 2012
More Victims
cPanel, osCommerce, Amazon, eBay, Gmail … and countless more
A CHARACTER STUDY
Remote Control
No Damage Ceiling
Purchase of unwanted/unexpected items
Change the “Ship To:” address
Password Reset / User Account modification
Add contact or “friend”
Silent but Deadly
No browser warnings
No popups
No unusual behaviour whatsoever
Easily Mountable
No DNS manipulations
No wire-tapping
“Even a monkey can do it.”
Sneaky
Intranet Penetration
Administration Areas
Underestimated
Hard to detect
CSRF attacks fly under radar
Under-reported
Unprotected by Default
Unlike XSS and SQL Injection
1. Awareness of the threat
2. Knowledge of the protection
3. Use of protection
A Toxic Mix
Remote control without damage ceiling
Silent but deadly
Sneaky
Underestimated
Unprotected by default
HOW CSRF WORKS
Internet 101
GET
POST
Regular Browsing
Diagram: Browser and Web Server. Following a link issues a GET; submitting a form issues a POST.
User Identity
On the Server: Session State
Diagram: the server keeps each user’s state under a session identifier (e.g. 3059750700012299210).
On the Client: Cookies
Diagram: the browser stores a cookie per site (cnn.com, owasp.sd), each holding that site’s session identifier (3059750700, 012299210).
Regular Browsing With Identity
Diagram: Browser and Web Server. Every GET (link) and POST (form) now carries the session cookie, so the server knows who is asking.
Prepare For Attack
POST-Based CSRF
Diagram: Browser, Web Server, Evil Web Server. The evil page’s JavaScript submits a hidden form aimed at the web server; the browser sends that POST with the user’s session cookie attached, exactly as it would for the user’s own form.
From the Server’s Perspective
Diagram: the web server receives an ordinary POST with a valid session cookie and cannot tell whether the user or the evil page issued it (confused deputy problem).
GET-Based CSRF (Poor Man’s Version)
Diagram: Browser, Web Server, Evil Web Server. Instead of a form, the evil page embeds an image whose URL points at the web server; the browser fetches it with a GET, cookies attached, so no JavaScript is needed when the server changes state on GET.
PROTECTIONS
Ineffective Protections
Referer Header
The Server’s Perspective with Referer
Diagram: with the Referer header the web server can see which page issued the request.
Corporate Information Leaks
Diagram: following a link from an internal page sends that page’s URL to the destination site in the Referer header.
Behaviour Tracking
Diagram: a tracking site embedded in many pages receives the Referer of each page visited and correlates them with a tracking cookie.
Real-Life Behaviour Tracking
A Helpful Venn Diagram
HTTPS
HTTPS
Diagram: the same POST-based attack over HTTPS. The connection is protected, but the forged POST still arrives with the session cookie.
Protected Cookies
httpOnly: invisible to JavaScript
secure: sent only via HTTPS
Protected Cookies: httpOnly
Diagram: JavaScript on either site can’t read the cookie, but the browser still attaches it to the forged POST.
Protected Cookies: secure
Diagram: the cookie travels only over HTTPS; a forged POST sent over HTTPS still carries it.
Ineffective Protections: Summary
Referer Header: would be the perfect solution but suffers from privacy issues.
HTTPS, Secure Cookies: good in their own respects, but unfortunately do not help with CSRF.
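The Referer check above is easy to describe and easy to get wrong. The added example below (not code from the talk) shows the two decisions a server has to make: what to do when the header is absent, which is where the privacy problem bites, and how to compare the value so that a look-alike host is not accepted. TRUSTED_HOST and the sample request headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example, not code from the talk. TRUSTED_HOST and the sample
# request headers below are made up.

TRUSTED_HOST = "bank.example"

SAMPLE_REQUESTS = {                                   # constructed request headers
    "same_site": {"Referer": "https://bank.example/transfer"},
    "evil_site": {"Referer": "https://evil.example/free-prize.html"},
    "lookalike": {"Referer": "https://bank.example.evil.example/"},
    "stripped": {},                                   # removed by a proxy or privacy tool
}


def referer_allows(headers, strict):
    """Decide whether a state-changing request may proceed on the Referer alone.

    A cross-site form post carries the evil page's URL, so a present but foreign
    Referer is refused. The header is often missing from legitimate requests
    (privacy tools, proxies, HTTPS-to-HTTP navigation), which forces a choice:
    strict=True refuses those users (fail closed); strict=False lets the request
    through, and an attacker who can make the header disappear wins (fail open).
    Parse the URL and compare the host exactly: a prefix match on the raw header
    accepts the look-alike host in SAMPLE_REQUESTS."""
    referer = headers.get("Referer", "")
    if not referer:
        return not strict
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == TRUSTED_HOST


def naive_referer_allows(headers):
    """Common mistake: a prefix match, defeated by bank.example.evil.example."""
    return headers.get("Referer", "").startswith("https://" + TRUSTED_HOST)


def evaluate(strict):
    """Run every sample request through the check; returns {name: allowed}."""
    return {name: referer_allows(h, strict) for name, h in SAMPLE_REQUESTS.items()}
```

Run evaluate(True) and evaluate(False) side by side: the only row that changes is "stripped", which is exactly the population of users behind Referer-stripping proxies and privacy add-ons. Whichever way that row is decided, somebody loses, which is why the talk lists the Referer header under ineffective protections.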
Effective Protections
Protections by Location
Diagram: client-side protections sit with the user and the browser; server-side protections sit with the app and the server.
Client-Side Protections
Separation of Concerns
Use of Separate Browsers
Diagram: one browser for facebook, one for email, one for everything else.
Use of Separate Browsers
Diagram: the evil page is opened in Browser B, which holds no session cookie for the web server, so its forged POST arrives unauthenticated. Browser A, which holds the session, never visits the evil site.
Sign Out
Sign Out
Diagram: the user signs out before browsing elsewhere; the forged POST carries no valid session.
Cookie Expiry
Cookie Expiry
Diagram: a short-lived session cookie has expired by the time the evil page is visited, so the forged POST carries no valid session.
Anti-CSRF Browser Add-Ons
CsFire
NoScript: Application Boundaries Enforcer (ABE)
Request Policy
Anti-CSRF Browser Add-Ons (CsFire)
Diagram: CsFire strips cookies and authentication from the cross-site POST, which therefore reaches the web server unauthenticated.
Anti-CSRF Browser Add-Ons (Request Policy)
Diagram: Request Policy blocks the cross-site request altogether; the forged POST never leaves the browser.
Server-Side Protections
The server has to defend itself.
Don’t rely on the client.
Let the client prove its legitimate origin.
The Burden of Proof
Diagram: every state-changing request must reach the web server together with proof that it originated from the site’s own pages.
Re-Authentication
Re-Authentication
Diagram: the server demands the password with the request; the evil page’s JavaScript cannot supply it, so the forged POST is refused.
CAPTCHA
Very unfriendly.
Only proves that you are human.
CAPTCHA
Diagram: the server demands the CAPTCHA solution with the request; the evil page cannot supply it, so the forged POST is refused.
Dual-Factor Authentication
Dual-Factor Authentication
Diagram: the request must carry a second factor the evil page does not have; the forged POST is refused.
Request Validation Token
Request Validation Token
Diagram: the web server embeds a secret token in its own form. The evil server can’t read that page (same-origin policy), so its forged POST lacks the token and is refused.
Double Submit Token
The token is sent twice: via cookie and via form, and the server checks that the two match.
Related to OWASP’s “Synchroniser Token Pattern”, which keeps the expected token in the server-side session rather than in a cookie.
Double Submit Token
Diagram: the server compares the token in the form with the token in the cookie; the evil page knows neither value, so the forged POST fails the comparison.
Good and Evil on the Web
Diagram: client versus server.
The Padlock Thief
Protect the Protection
HMAC (Hash-based message authentication code)
Diagram: protected token = HMAC(session identity, token). The server recomputes the HMAC for the current session and checks that the token presented matches it.
Protected Double Submit Token
Diagram: the double submit token is bound to the session with an HMAC; a cookie and form value planted by an attacker do not match the session, so the forged POST is refused.
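The attack flow under How CSRF Works (POST-based and GET-based) and the token protections above (naive Double Submit Token, the padlock thief, the HMAC-protected token) fit in one small program. The following is an added example, not code from the talk: a toy browser whose cookie jar behaves like a real browser’s, and a toy bank server that can be run unprotected, with a naive double submit cookie, or with a session-bound HMAC token. Hostnames (bank.example, evil.example), the /transfer path, the users and the amounts are all made up; the padlock thief scenario assumes an attacker who can plant a cookie for the bank’s domain.

```python
import hmac
import hashlib
import secrets

# Constructed example, not code from the talk: a toy browser and a toy "bank"
# server in one process. Hostnames, paths, users and amounts are made up.

SERVER_SECRET = secrets.token_bytes(32)      # known only to bank.example


class Browser:
    """Minimal cookie jar: a host's cookies go on every request to that host,
    whichever page triggered the request (this is what CSRF abuses)."""

    def __init__(self):
        self.jar = {}                            # host -> {cookie name: value}

    def set_cookie(self, host, name, value):
        self.jar.setdefault(host, {})[name] = value

    def send(self, server, method, path, params=None):
        cookies = dict(self.jar.get(server.HOST, {}))
        return server.handle(method, path, cookies, params or {})


class Bank:
    HOST = "bank.example"

    def __init__(self, protection):
        assert protection in ("none", "double_submit", "hmac")
        self.protection = protection
        self.sessions = {}                       # session id -> user
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, browser, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.set_cookie(self.HOST, "session", sid)
        if self.protection == "double_submit":   # naive double submit: a random cookie
            browser.set_cookie(self.HOST, "csrf", secrets.token_hex(16))

    def hmac_token(self, sid):
        # Protect the protection: bind the token to the session identity with a
        # keyed MAC; without SERVER_SECRET nobody can mint a token that verifies.
        return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()

    def form_token(self, cookies):
        """Token the bank writes into its own form; the evil server never sees it."""
        if self.protection == "double_submit":
            return cookies["csrf"]
        if self.protection == "hmac":
            return self.hmac_token(cookies["session"])
        return ""

    def handle(self, method, path, cookies, params):
        if path != "/transfer":
            return 404
        user = self.sessions.get(cookies.get("session"))
        if user is None:
            return 401                           # no session, nothing to abuse
        if self.protection != "none" and method != "POST":
            return 405                           # the unprotected server also honours GET
        if self.protection == "double_submit" and params.get("csrf") != cookies.get("csrf"):
            return 403                           # form value must equal the cookie
        if self.protection == "hmac" and not hmac.compare_digest(
                params.get("csrf", ""), self.hmac_token(cookies["session"])):
            return 403                           # form value must match this session's MAC
        amount = int(params["amount"])
        if self.balances[user] < amount:
            return 400
        self.balances[user] -= amount
        self.balances[params["to"]] = self.balances.get(params["to"], 0) + amount
        return 200


def evil_page(browser, bank, planted_cookie=None):
    """What a page on evil.example makes the victim's browser do: an <img> whose
    URL is a GET to /transfer, then an auto-submitted <form> POST. The evil server
    sees neither bank's cookies nor bank's form page, so it can only guess the
    token. planted_cookie models the padlock thief: an attacker able to set a
    cookie for bank.example (assumption, e.g. from a sibling host)."""
    if planted_cookie is not None:
        browser.set_cookie(Bank.HOST, "csrf", planted_cookie)
    params = {"to": "mallory", "amount": "50", "csrf": planted_cookie or "guess"}
    get_status = browser.send(bank, "GET", "/transfer", params)
    post_status = browser.send(bank, "POST", "/transfer", params)
    return get_status, post_status


def attack(protection, planted_cookie=None):
    """Alice logs in, then visits the evil page. Returns the statuses of the two
    forged requests and how much ended up in mallory's account."""
    bank, browser = Bank(protection), Browser()
    bank.login(browser, "alice")
    return evil_page(browser, bank, planted_cookie), bank.balances["mallory"]


def legitimate_transfer(protection):
    """Alice submits the bank's own form, which carries the right token."""
    bank, browser = Bank(protection), Browser()
    bank.login(browser, "alice")
    params = {"to": "mallory", "amount": "30",
              "csrf": bank.form_token(browser.jar[Bank.HOST])}
    return browser.send(bank, "POST", "/transfer", params), bank.balances["mallory"]
```

Calling attack("none") returns ((200, 200), 100): both the image GET and the scripted POST go through and mallory receives everything, the confused deputy in action. attack("double_submit") returns ((405, 403), 0), but attack("double_submit", "thief") returns ((405, 200), 50): once the attacker can plant the cookie, a naive cookie-equals-form check is satisfied by a pair the attacker chose. attack("hmac", "thief") returns ((405, 403), 0), because the server verifies the form value against a MAC of the session identity it reads from the session cookie, not against a cookie the attacker controls, while legitimate_transfer("hmac") still returns (200, 30). Two details matter in practice: the comparison uses hmac.compare_digest to avoid leaking the token through timing, and the protected modes refuse GET for state changes so that the poor man’s image trick has nothing to hit.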
Pluggable Protection
Diagram: protection can be plugged in at the web server layer (Apache, IIS: ModSecurity CRS Project) or at the web application layer (Java, .NET, PHP: CSRFGuard Library).
Take Your Pick
Chart: effectiveness (low to high) against user friendliness (low to high) for: separate browsers, sign out, re-authenticate, dual factor auth., double submit token, cookie expiry, CAPTCHA, browser add-ons.
Multiple Protections
double submit token
re-authentication
dual-factor authentication
CAPTCHA
cookie expiry
All!
Take-Aways
The bad news: CSRF is a clear and present danger. CSRF is on the rise.
The good news: There are many protections available. Tools are your friends.
Questions?
Planned Upcoming Presentations
Hijacking Bonanza (SSL/TLS, NTLM, JSON)
Web Server Hardening (Apache/IIS)
Secure Development Practices (PHP/ASP.NET)
Application Defense in Depth
HTML5 Content Security Policy - The End of XSS ?