bypassing csrf protections
play

Bypassing CSRF Protections A Double Defeat of the Double-Submit - PowerPoint PPT Presentation

Dec 18, 2023 •564 likes •821 views

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

  1. Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern

  2. About Me • David Johansson (@securitybits) – Security consultant since 2007 – Helping clients design and build secure software – Security training – Based in London since 3 years, working for Cigital (now part of Synopsys)

  3. CSRF Protection DOUBLE-SUBMIT COOKIE PATTERN

  4. Cross-site Request Forgery • Attacker sends payload via victim’s browser • Browser automatically includes user’s identity

  5. Double-submit Cookie Pattern • Simple CSRF protection – no server-side state

  6. False Assumptions? Cookies are different! Not really true…

  7. Cookie Fixation • What if attacker can set the CSRF cookie..? • Cookie fixation can be done through: – Exploiting subdomains – Man-in-the-middle HTTP connections

  8. Double-submit Defeat #1: EXPLOITING SUBDOMAINS

  9. Malicious Subdomain • Attacker controls https://evil.example.com/ • Subdomain sets cookie for parent domain • Includes specific path

  10. Malicious Subdomain • Attacker now controls cookies sent to https://www.example.com/submit • Attacker’s CSRF cookie sent first due to longer path

  11. Vulnerable Subdomain • Controlling all subdomains doesn’t mean you’re safe • XSS in any subdomain can be exploited: <script>document.cookie = “_ csrf=a; Path=/submit; domain=example.com”;</script> • So you’re using CSP? – Cookies can still be set through meta-tags ☺ <meta http-equiv="set-cookie" content="_csrf=a; Path=/submit; domain=example.com">

  12. Double-submit Defeat #2: MAN-IN-THE-MIDDLE ATTACKS

  13. Man-in-the-Middle Attacks • HTTP origins can set cookies for HTTPS origins • Even ‘secure’ cookies can be overwritten from HTTP responses* • Attacker who MiTM any HTTP connection from victim can: – Overwrite CSRF cookie – Pre-empt CSRF cookie *The new ‘Strict Secure Cookie’ specification will prevent this (https://www.chromestatus.com/feature/4506322921848832)

  14. Overwrite CSRF Cookie

  15. Pre-empt CSRF Cookie

  16. Bypassing CSRF Protection • After fixating CSRF cookie, attacker can create successful CSRF payload

  17. Mitigations • Additional defenses to strengthen double- submit cookie pattern: – HTTP Strict Transport Security (HSTS) – Cookie Prefixes (“__Host - ” is the one you want) – Sign cookie – Bind cookie to user – Use custom HTTP header to send request token

  18. This is not the token you’re looking for… ANGULAR & CSURF

  19. AngularJS CSRF Protection • AngularJS $http service has built-in support to help prevent CSRF* • Reads token from cookie (XSRF-TOKEN) and sets custom HTTP header (X-XSRF-TOKEN) • Server needs to implement token validation • Can be used as double-submit cookie pattern if server compares cookie value with HTTP header *https://blogs.synopsys.com/software-integrity/2017/02/24/angularjs-security-http-service/

  20. AngularJS & csurf

  21. Default Value Function Body and query parameters checked first!

  22. Exploit Default Value Function = CSRF Defense Bypassed

  23. Specify Custom Value Function

  24. Summary • Double-submit Cookie Pattern based on partially incorrect assumptions • Integrity protection of cookies is very weak • Attackers can often force cookies upon other users • Be careful which token you validate against • Additional mitigations often required to strengthen the defense

  25. Thank You! Questions? @securitybits

Recommend

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net

Bypassing Memory Protections: The Future of Exploitation Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Research into reliable exploitation techniques: Heap Feng Shui in JavaScript Bypassing browser

1.1k views • 48 slides
Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates

Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates

Bypassing Combinatorial Protections Polynomial-Time Algorithms for Single-Peaked Electorates Markus Brill COMSOC 2010 Dsseldorf Joint work with Felix Brandt, Edith Hemaspaandra, and Lane Hemaspaandra Voting Rules C = {a,b,c,...} is a

660 views • 11 slides
ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING

ROP A&amp;ack BYPASSING MEMORY PROTECTIONS USING RETURN ORIENTED PROGRAMMING PRESENTED BY AHMAD MOGHIMI What is ROP A&amp;ack? q Return Oriented Programming a0ack is a technic to

656 views • 46 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control,

www.elvac.eu Marian Kuruc RTU protections - news Ostrava 2015 Energetics RTU protections RTU RTUs for control, protection, data acquisition and communication Content Redesigned block of protections Global setting of measurement ranges

409 views • 10 slides
Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law

Exceeding Domestic Standards: The gap between treaty protections and protections under US law Lise Johnson ljj2107@columbia.edu T-TIP Stakeholder Briefing May 21, 2014 US Law: When will a court find that the government has given an

236 views • 4 slides
Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF Presentation Vulnerability Advanced Web Technology CSRF allows to access the intranet Protection 10) XSS, CSRF and SQL Injection

559 views • 10 slides
CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site Request Forgery Definition Example OWASP: Login: csrf.vulnerable.page Cross-Site Request Forgery Set-Cookie:session=1a2b3c; (CSRF) is an attack

721 views • 14 slides
CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL Injections This month: XSS / CSRF Next month: DDoS / DoS Meetup Group for times/dates https://www.meetup.com/CLICK_HERE-exe/ Plan of Attack

1.76k views • 58 slides
More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7 on CSRF) Section 7.2.7 on CSRF) sws2 1 2 Clickjacking &amp; UI redressing sws2 Click jacking &amp; UI

409 views • 29 slides
Agenda Who Are We? Intro To Secure Desktop What is it? What does it work?

Agenda Who Are We? Intro To Secure Desktop What is it? What does it work?

Bypassing Secure Desktops Protections Bruno Oliveira &amp; Mrcio Almeida Agenda Who Are We? Intro To Secure Desktop What is it? What does it work? Windows API Our PoC Mitigation Conclusions Who are we?

601 views • 23 slides
XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team Browser PDF / file formats B Shark movies Topics of today XSS Cross Site Scripting XSRF/CSRF Cross Site Request Forgery

893 views • 56 slides
Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application Security Information Systems A different and trickier threat - CSRF Often referred to as sleeping giant of vulnerabilities because

440 views • 16 slides
1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS

INTRODUCTORY GUIDE 1 2 3 4 5 F I N A N C I A L P R O T E C T I O N S S E R V I C E FINANCIAL PROTECTIONS SERVICE B A C K G R O U N D The Financial Protections Service was instigated following a recommendation of the Inquiry into the

184 views • 17 slides
Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Advanced Web Technology 10) XSS, CSRF and SQL Injection 1 Table of Contents Cross Site Request

659 views • 39 slides
Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY

Bypassing Web Application Firewalls an approach for pentesters KHALIL BIJJOU SECURITY CONSULTANT 17 th November 2017 BYPASSING A WAF WHY? Number of deployed Web Application Firewalls (WAFs) is increasing WAFs make a penetration

533 views • 34 slides
Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven

Bypassing the hubs - The potential of secondary European airports in the long haul sector Sven Maertens / DLR 7th Conference on Applied Infrastructure Research, OCT 10-11, 2008 Sven Maertens DLR Bypassing the hubs Page 1 Structure

559 views • 22 slides
Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE

Robert Diepeveen &amp; Ruben de Vries Bypassing 802.1X In an IPv6 environment Introduction and motivation What is 802.1X? IEEE standard Port-based network access protocol Authentication mechanism for devices wishing to attach to

357 views • 17 slides
CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL

CLICK HERE.exe SQL Injections Security Meetup Month 1 of 12 (January) This month: SQL Injections Next month: XSS / CSRF Meetup Group for times/dates Plan of Attack History of SQL Basic Injections Protections

890 views • 58 slides
This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
Bypassing Microsoft JEA role capabilities for fun &amp; profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun &amp; profit whoami Cristhian Parrot -

Bypassing Microsoft JEA role capabilities for fun &amp; profit whoami Cristhian Parrot - @elc0rr3Km1n0s Sr. Penetration Tester &amp; Lead Auditor @Airbus Father, Bug Hunter, Tech-entrepreneur Plan Intro Install Prerequisites

376 views • 22 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
Know Your Rights: COVID-19 Tenant Protections Bet Tzedek Legal Services May 28, 2020 Rent

Know Your Rights: COVID-19 Tenant Protections Bet Tzedek Legal Services May 28, 2020 Rent

Know Your Rights: COVID-19 Tenant Protections Bet Tzedek Legal Services May 28, 2020 Rent Deferral and Eviction Protections Applies to tenants unable to pay rent due to COVID-19, including: Loss of income due to workplace closure

616 views • 15 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides

More recommend