
Cross-Site-Request-Forgery

Optimizing Traditional and Advocating New Prevention Methods. Mark Jenne, Tatiana Alexenko. CSRF overview: forces the user to send unauthorized requests by interacting with a malicious website; the “sleeping giant” of all cyber security threats.


Presentation Transcript


  1. Optimizing Traditional and Advocating New Prevention Methods
  Mark Jenne, Tatiana Alexenko
  Cross-Site-Request-Forgery

  2. CSRF Overview
  • Forces the user to send unauthorized requests by interacting with a malicious website.
  • The “sleeping giant” of all cyber security threats.
  • Can force someone to transfer money, change status on a social networking site, buy stock, or perform any other action on a vulnerable website that an attacker would like to exploit.

  3. CSRF Overview

  4. Original Project Plan
  • Week 2: Reading and Preparation
    • Gain a better understanding of CSRF attack mechanisms
  • Weeks 3-4: Perform Simple CSRF Attacks
    • Develop testbed and exploit generated site
  • Weeks 5-7: Implement Defense Mechanisms
    • Referrer-checking, reconfirmation, any others
  • Weeks 8-9: Final Preparation
    • Finalize project, conference paper, presentation

  5. Alterations to the Plan
  • Reconfirmation protection method
    • Reconfirmation value was to be based off of the trace path
    • Trace path would not work since it would just go back to the user's browser.
    • Would be unable to compare the trace path of the user and of the attack, since both would lead to the same machine.
  • CCNC Conference
    • Decided to submit paper to CCNC instead of ACM HotNets.
  • Social networking specification – had to find exploits in well-known social networks to present.

  6. Test Bed Application
  • Stock trading application
  • Registered users can buy and sell stock based on prices from Yahoo Finance.
  • Utilizes an AJAX request to retrieve stock information in real time
  • Does not implement any CSRF protection methods – this allowed us to concentrate on CSRF without the presence of XSS.

  7. Test Bed Application

  8. Sample Attack
  • <iframe src="http://shiflett.org/csrf.php?csrf=http%3A%2F%2Fcsrf.missouri.edu%2Fmake_trade.php&stockSymbol=GOOG&numShares=500&buyOrsell=buy" />
  • This attack uses Chris Shiflett’s CSRF Redirector. The CSRF Redirector creates a form with all the necessary inputs that submits to the target application on the vulnerable website.

  9. Discovered Vulnerabilities
  • Hi5.com—Yahoo’s Social Networking Website
    • Change Profile Skin
    • Change Status
    • Add Applications
  • Sharebuilder.com—ING’s Online Stock Brokerage
    • Buy/Sell shares of stock
    • Requires 2 requests for attack

  10. Referer Privacy Guard
  • Firefox extension that disorders browsing history
  • Will encourage more users to send Referer headers
  • Sends “garbage” requests to random URLs from the user’s browsing history
  • http://sourceforge.net/projects/refererprivacyg/
    • Our extension is on SourceForge, available for download
    • SVN repository for developers set up

  11. CSRF Signature Detection
  • Preview page content in a sandboxed manner
    • Don’t allow any state-changing requests until content is checked
  • Find deep links and compare to URL in address bar
    • Allow users to whitelist domain pairs
  • Preview linked content—images, iframes
  • Block forms with only “hidden” inputs
  • Block self-submitting forms unless user approves

  12. Conclusions
  • CSRF can be prevented
  • User:
    • Log out and clear cookies often
  • Developer:
    • Make sure website is not vulnerable to XSS
    • Use form tokens and use them wisely
    • Check Referer header
      • Lenient for now
      • Possibly strict when privacy issue resolved

  13. Conclusions
  • CSRF can be detected
  • While application specific, certain features are similar
    • Limited number of tags and JavaScript functions that can be used to implement and disguise an attack
    • Hidden and self-submitting forms have little practical use
  • Whitelisting of trusted sites for user convenience
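The signature-detection rules from slides 11 and 13 (cross-domain forms and deep links, hidden-only forms, self-submitting forms, whitelisted domain pairs) as a client-side content check, written here as an added example rather than code from the authors' extension. Host names (evil.example, trade.example) and the sample page are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _FormScanner(HTMLParser):
    """Collects forms (action + input types), img/iframe deep links, inline submit() calls."""
    def __init__(self):
        super().__init__()
        self.forms, self.deep_links = [], []
        self.auto_submit = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("type") or "text").lower())
        elif tag in ("img", "iframe") and a.get("src"):
            self.deep_links.append(a["src"])
        elif tag == "script":
            self._in_script = True
        if "submit()" in (a.get("onload") or ""):  # e.g. <body onload="...submit()">
            self.auto_submit = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and ".submit()" in data:  # script that submits without a click
            self.auto_submit = True

def scan_page(page_url, html, whitelist=frozenset()):
    """Return (rule, detail) findings; whitelist holds allowed (page_host, target_host) pairs."""
    page_host = urlparse(page_url).hostname
    p = _FormScanner(); p.feed(html); p.close()
    findings = []
    for f in p.forms:
        target = urlparse(f["action"]).hostname or page_host  # relative action = same host
        if target != page_host and (page_host, target) not in whitelist:
            findings.append(("cross-domain-form", target))
        if f["inputs"] and all(t == "hidden" for t in f["inputs"]):
            findings.append(("hidden-only-form", f["action"]))
    if p.auto_submit:
        findings.append(("self-submitting-form", "submit() fires without user action"))
    for src in p.deep_links:  # deep link: another host, with parameters in the query string
        u = urlparse(src)
        if u.hostname and u.hostname != page_host and u.query and (page_host, u.hostname) not in whitelist:
            findings.append(("cross-domain-deep-link", u.hostname))
    return findings

# Constructed sample (hypothetical hosts): a page on evil.example with a hidden-only,
# self-submitting form and an image deep link, both aimed at trade.example.
SAMPLE_HTML = """<html><body onload="document.forms[0].submit()">
<form action="http://trade.example/make_trade.php" method="post">
<input type="hidden" name="stockSymbol" value="GOOG"><input type="hidden" name="numShares" value="500"></form>
<img src="http://trade.example/make_trade.php?stockSymbol=GOOG&amp;numShares=500"></body></html>"""
```

Running scan_page("http://evil.example/post", SAMPLE_HTML) reports all four rules; adding ("evil.example", "trade.example") to the whitelist silences the two cross-domain findings while the hidden-only and self-submitting signatures still fire.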

  14. Questions
