Web Security - UCY
Course: EPL 682
Name: Savvas Savva
[1] A. Barth, C. Jackson and J. Mitchell, “Robust Defenses for Cross-Site Request Forgery”, in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS), 2008.
[2] L. Huang, A. Moshchuk and H. Wang, “Clickjacking: Attacks and Defenses”, in Proceedings of the 21st USENIX Security Symposium, 2012.
Robust Defenses for Cross-Site Request Forgery
Course: EPL 682
Name: Savvas Savva
This presentation is based on: [1] A. Barth, C. Jackson and J. Mitchell, “Robust Defenses for Cross-Site Request Forgery”, in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS), 2008.
CSRF Attack
CSRF = Cross-Site Request Forgery:
● The victim's browser, instructed by a malicious site, sends a request to an
honest site, and the browser attaches the victim's credentials (cookies, HTTP
authentication) to that request automatically.
● This attack:
○ Leverages network connectivity (the victim's browser can reach the honest site).
○ Leverages browser state (the credentials the browser sends implicitly).
○ Disrupts the integrity of the victim's session with the honest site.
○ In a login CSRF attack, an attacker uses the victim's browser to forge a cross-site
request to the honest site's login URL, supplying the attacker's username and
password, so the victim is silently logged in as the attacker.
Contribution / Contents
● The paper's contribution on the topic:
○ A precise explanation of the CSRF threat model.
○ A study of current browser behavior.
○ A proposal for an Origin header containing the information necessary for CSRF defense.
○ A study of related session initialization vulnerabilities.
CSRF Definition (threat model)
● Attacker capabilities:
○ Network connectivity: the attacker can make the victim's browser send requests to the honest site.
○ Read browser state (e.g. what the browser reveals to the attacker's site in headers such as Referer).
○ Write browser state (e.g. set cookies in the victim's browser).
● In-scope threats:
○ Forum poster (can only submit limited content, such as an image tag, to an honest site).
○ Web attacker (controls a malicious site that the victim visits).
○ Network attacker (additionally controls the victim's network traffic).
Attack A: Login CSRF Attack
Another CSRF Attack Detailed
Defending Techniques
● Using a secret validation token:
○ Every state-modifying request carries a secret token that the server validates.
○ The token must be unpredictable and bound to the user's session; the technique is
fraught with pitfalls (tokens not tied to the session, tokens leaked through URLs,
no token available before login, so login CSRF is not covered).
○ A popular technique.
● Validating the HTTP Referer header:
○ Simple technique: accept a state-modifying request only if the Referer is from the site's own origin.
○ The Referer header can be suppressed by browsers and proxies, so a site must choose
between strict validation (reject a missing Referer) and lenient validation (accept it).
● Validating custom headers attached to XMLHttpRequests:
○ Ajax interface only: browsers do not let a cross-site page attach custom headers,
so a header such as X-Requested-With marks a same-origin request.
○ Requires sites to issue all state-modifying requests via XMLHttpRequest.
Experiment Design
● Purchased advertisements on an advertising network; the experiment ran from 5 April 2008 to 8
April 2008.
● 283,945 advertisement impressions from 163,767 unique IP addresses.
● GET and POST requests, both over HTTP and over HTTPS.
● Requests were generated by submitting forms, requesting images, and
issuing XMLHttpRequests.
● Same-domain requests to the primary server and cross-domain requests
to the secondary server.
● Logged the Referer header, User-Agent header, date, client's class C network,
session identifier, and document.referrer.
● Did not log the client's IP address; instead logged an HMAC of the client's IP address.
What exactly is the Origin header?
● Improves and unifies previous proposals:
○ Cross-Site XMLHttpRequest: the proposed standard for cross-site XMLHttpRequest
included an Access-Control-Origin header to identify the origin issuing the request.
○ XDomainRequest: the XDomainRequest API in Internet Explorer 8 Beta 1 sends cross-site
HTTP requests that omit the path and query from the Referer header.
○ JSONRequest: the JSONRequest API for cross-site HTTP requests included a Domain
header that identifies the host name of the requester.
○ Cross-Document Messaging: the HTML 5 specification proposes a new browser API
(postMessage) for authenticated client-side communication between HTML documents,
in which the receiver learns the sender's origin.
To clear up a misconception
● The HTTP Referer header is not the same as the proposed Origin header: Origin carries
only the scheme, host and port of the requesting page, never the path or query.
● The Origin header has since become a standard browser feature (HTML5 / CORS).
Malicious XMLHttpRequest
Session Initialization
● Authenticated as the user:
○ Predictable session identifier.
● Authenticated as the attacker:
○ Login CSRF.
● Two common approaches to mounting an attack on session initialization:
○ HTTP requests and cookie overwriting.
HTTP Requests
● OpenID:
1. The web attacker visits the Relying Party (Blogger) and begins the
authentication process with the Identity Provider (Yahoo!).
2. The Identity Provider redirects the attacker's browser to the "return to"
URL of the Relying Party.
3. Instead of following the redirect himself, the attacker directs the user's browser to the return to URL.
4. The Relying Party completes the OpenID protocol and stores a
session cookie in the user's browser.
5. The user is now logged in as the attacker.
HTTP Requests
● PHP Cookieless Authentication:
1. The web attacker logs into the honest web site.
2. The web attacker redirects the user's browser to the URL currently
displayed in the attacker's location bar.
3. Because this URL contains the attacker's session identifier, the user is
now logged in as the attacker.
Cookie Overwriting
● An active network attacker can supply a Set-Cookie header over an HTTP
connection to the same host name as the site and install either a Secure
or a non-Secure cookie of the same name; the site's HTTPS requests then carry the
attacker's cookie, which the server cannot tell apart from its own.
● A defense cannot be deployed "without breaking standards and existing
web apps".
● Proposal: a Cookie-Integrity header, with which the browser tells the site which of
the cookies it sent were set over HTTPS, so the server can ignore cookies injected over HTTP.
Related Work
● RequestRodeo:
○ Strips implicit authorization information (such as cookies) from outgoing cross-site HTTP requests.
○ Breaks existing web site functionality.
● CAPTCHA:
○ An attacker can solve the CAPTCHAs manually.
○ An attacker can outsource the CAPTCHAs to online CAPTCHA-solving services.
Conclusions
● Login CSRF:
○ Strict Referer validation (reject login requests that carry no Referer).
● Third-party content:
○ Sites that accept third-party content (images, hyperlinks) should use a framework that implements secret token validation
correctly.
● Origin header:
○ Eliminates the privacy concerns of Referer (sent only with POST requests, and without path or query).
○ Works for both HTTPS and non-HTTPS requests.
Thanks For Watching!
Any Questions?
Clickjacking: Attacks and Defenses
Course: EPL 682
Name: Savvas Savva
This presentation is based on: [2] L. Huang, A. Moshchuk and H. Wang, “Clickjacking: Attacks and Defenses”, in Proceedings of the 21st USENIX Security Symposium, 2012.
Introduction
● Defining clickjacking:
○ The user is tricked into clicking on something he did not intend to click on.
● Existing defenses are insufficient:
○ Shown in this paper with three new attack variants built from existing clickjacking
techniques.
○ Clickjacking attacks can cause severe damage.
○ In the paper's user study the attacks achieved better results and were more effective than plain social engineering.
● New defense (InContext) that addresses the root causes:
○ The paper's user study demonstrates its effectiveness.
What is Clickjacking?
Simple definition:
The user is tricked into clicking on something he did not intend to click on.
An attacker application presents a sensitive UI element of a target application
out of context to a user (e.g. hiding the sensitive UI element by making it
Temporal integrity: the target element should have been visible in the same place for some noticeable amount of time before the user acts; the attack violates this by transforming the page into a Facebook Like button right before the click lands.
Cursorjacking is not performed here; it could be done using the CSS cursor property to draw a fake cursor at an offset from the real one, so the user clicks somewhere other than where they believe. A strokejacking attack can also be performed: a fake blinking text cursor and a fake text input trick the user into typing into the target's input field. The same approach applied to the Twitter Tweet button gives the TweetBomb attack. Video link: https://www.youtube.com/watch?v=zbbYBKDUPDU