Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs
G. Pellegrino, M. Johns, S. Koch, M. Backes, C. Rossow
gpellegrino@cispa.saarland
ACM CCS 2017, Nov 2nd, Dallas, USA
Slide 2 (the lure page): U WON’T BELIEVE WHAT DIS CAT IS DOIN’ !!!1!
Hidden in the page: <img src="http://store.com/change_pwd.php?password=pwnd" width="0px" height="0px"/>
[TWEET] [SHARE] [PIN] [SEND EMAIL]
Giancarlo Pellegrino, gpellegrino@cispa.saarland, 11/02/2017
Cross-Site Request Forgery Attack
1. Alice logs in: POST /login.php […] user=Alice&pwd=secret
2. store.com: if the credentials are valid, create and send the session cookie: 200 OK, Set-Cookie: session=YBLqp32F
3. Attacker: “Look at this cat video!” → Alice’s browser fetches GET /video.html, plus the hidden request embedded in it
4. Alice’s browser sends GET /change_pwd.php?password=pwnd with Cookie: session=YBLqp32F
5. store.com: if the cookie is valid, then update the password
The Forgotten Sleeping Giant
• Popular vulnerability
  • Among the top 10 security risks together with XSS and SQLi [Top10_OWASP_2007-2013]
  • Discovered in popular websites, e.g., Gmail, Netflix, and ING
• Most previous effort was spent on countermeasures:
  • Origin header, synchronizer tokens, and browser plugins
• Little has been done to provide techniques for detection
  • Existing (semi-)automated techniques focus on input validation and logic flaws
→ CSRF is detected via manual inspection
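To make the attack of slide 3 and the countermeasures of slide 4 concrete, here is an added example (not code from the paper or from Deemon) that models the change-password endpoint twice: once as drawn on the slides, where the session cookie alone authorises the update, and once behind an Origin check and a synchronizer token. The in-memory session and user tables, the request dictionaries, the origin `http://attacker.example` and the helper names are all constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for the store's session store and user table
# (assumption: the real application keeps these in a database).
SITE_ORIGIN = "http://store.com"
SESSIONS = {}
USERS = {}


def reset_state():
    """Start every scenario from the slides' situation: Alice is logged in."""
    SESSIONS.clear()
    SESSIONS["YBLqp32F"] = {"user": "Alice", "csrf_token": None}
    USERS.clear()
    USERS["Alice"] = {"pwd": "secret"}


def current_user(request):
    """The slides' 'if cookie is valid' step: resolve the session cookie to a user."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    return sess["user"] if sess else None


def vulnerable_change_pwd(request):
    """/change_pwd.php as drawn on slide 3: the cookie alone authorises the update,
    so a request the browser sends on behalf of another site is honoured."""
    user = current_user(request)
    if user is None:
        return 401
    USERS[user]["pwd"] = request["params"]["password"]
    return 200


def issue_csrf_token(session_id):
    """Synchronizer token: a fresh random value bound to the session and embedded
    in the store's own change-password form, which a foreign page cannot read."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def hardened_change_pwd(request):
    """The same operation behind two countermeasures slide 4 names: the Origin
    header and a synchronizer token (compared in constant time)."""
    user = current_user(request)
    if user is None:
        return 401
    if request["method"] != "POST":
        return 405  # an <img> tag can only forge a GET; never change state on GET
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # browsers attach Origin to cross-site form POSTs
    expected = SESSIONS[request["cookies"]["session"]]["csrf_token"]
    supplied = request["params"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    USERS[user]["pwd"] = request["params"]["password"]
    return 200


def forged_get():
    """What the hidden <img src=".../change_pwd.php?password=pwnd"> of slide 2 causes:
    the browser adds Alice's cookie; the foreign page controls the URL and nothing else."""
    return {"method": "GET", "params": {"password": "pwnd"},
            "cookies": {"session": "YBLqp32F"}, "headers": {}}


def forged_post():
    """The same payload delivered by a cross-site form POST (constructed)."""
    return {"method": "POST", "params": {"password": "pwnd"},
            "cookies": {"session": "YBLqp32F"},
            "headers": {"Origin": "http://attacker.example"}}


def legitimate_post(token):
    """Alice submitting the store's own form, which carries the synchronizer token."""
    return {"method": "POST", "params": {"password": "new_secret", "csrf_token": token},
            "cookies": {"session": "YBLqp32F"}, "headers": {"Origin": SITE_ORIGIN}}


def run_scenarios():
    """Drive both handlers; report status codes and Alice's resulting password."""
    out = {}
    reset_state()
    out["vuln_forged_get"] = vulnerable_change_pwd(forged_get())
    out["vuln_pwd"] = USERS["Alice"]["pwd"]
    reset_state()
    out["hard_forged_get"] = hardened_change_pwd(forged_get())
    out["hard_forged_post"] = hardened_change_pwd(forged_post())
    out["hard_pwd_after_forgeries"] = USERS["Alice"]["pwd"]
    out["hard_legit_post"] = hardened_change_pwd(legitimate_post(issue_csrf_token("YBLqp32F")))
    out["hard_pwd_after_legit"] = USERS["Alice"]["pwd"]
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The Origin check is accepted when the header is absent because same-site navigations and some privacy configurations omit it; the synchronizer token is therefore the check that must never be skipped, and the method check removes the `<img>`-style GET vector entirely.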
Challenges
• Detection requires reasoning over relationships between application states and the roles and status of request parameters
• Challenges:
  1) CSRF targets state transitions
  2) The attacker must be able to reliably create requests, including parameters and values
  3) Not all state transitions are relevant
1) CSRF Targets State Transitions
  GET /user_data.php, Cookie: session=YBLqp32F → show user data → SELECT * FROM users […]
  GET /change_pwd.php?password=new_secret, Cookie: session=YBLqp32F → update password → fires a state transition: UPDATE users SET pwd=new_secret […]
• Determine when a state transition occurs
  • Not all operations change the state of a web app
  • E.g., viewing user data vs. resetting the user password
• Learning state transitions is possible
  • However, existing approaches can be inaccurate or operation-specific
2) Attacker Reliably Creates Requests incl. Params
  GET /place_order.php?token=XZR4t6q, Cookie: session=YBLqp32F
• Determine relationships between parameters and transitions
  • E.g., a random security token may not be guessed by an attacker
• Existing techniques do not determine such a relationship
  • E.g., web scanners match parameter names against a list of predefined names (e.g., “token”)
3) Not all State Transitions are Relevant
  GET /product.php?id=201, Cookie: session=YBLqp32F
  1) PageCounter++ → fires a state transition: UPDATE pages SET cnt = cnt + 1 WHERE id=201
  2) Return product description → 200 OK
• Determine the relevance of a state transition
  • State transitions can be the result of operations such as tracing user activities
  • They are state-changing operations but not necessarily security-relevant
  • Easy for humans but hard for machines
Our Solution: Deemon
• Application-agnostic framework for developers and analysts
  1. Infer state transitions + data flow from program executions
  2. Property graphs for a uniform and reusable model representation
  3. Graph traversals to select request candidates for testing
  4. Verify the replay-ability of HTTP requests
Deemon: Trace Generation
[Figure: Dynamic Trace Generation. A user workflow (e.g., “Login and change password”) is executed against the web application running in a virtualized environment. The execution yields traces: the HTTP sequence of requests and responses, e.g., <GET, 200, GET, 302>, and the sequence of SQL queries the application issued.]
Deemon: Model Construction
[Figure: from traces and parse trees to a property graph. Components: (a) the HTTP trace <GET, 200, GET, 302> and the SQL trace, linked by “next” edges, with each request (GET / hdrs) linked by “caused” edges to the SQL queries it triggered; (b) an FSM with states q_0, q_1 and transition q_0 → q_1 (“trans to”), where a transition “accepts” the request that fires it; (c) data flow and types: variable v_1 = YBLqp32F (Types: String, Session) at the source propagates to v_2 = YBLqp32F at the sink, the “id=YBLqp…” clause of the SQL UPDATE tbl query, with “unique” marking values unique to a trace.]
Deemon: Traversals
“Find all CSRF”
⇓
“Find all requests r such that:
  1) r is state-changing
  2) r can be created by an attacker
  3) the state change is relevant”
⇓
“∀r: request(r) ∧
  1) ∃ tr, q_i, q_f : trans(tr, q_i, q_f) ∧ accepts(tr, r)
  2) ∀ v: variable(v) ∧ has(q_f, v) ∧ v.Types ⋂ {“unguessable”} = ∅
  3) relevant(r)”
⇓
[Query processor]
[Figure: graph fragment matched by the query. Request node r (GET, hdrs, url) carries the parameter password=pwd; a transition tr accepts r and trans(tr, q_i, q_f); state q_f has variable v_1 = pwd with Types: String, so condition 2) holds.]
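The following is an added example, not Deemon’s code, that carries the pipeline of slides 6 to 8, 11 and 12 through on constructed traces: it builds a small property graph from two recorded runs of the slides’ own workflows (user data, change password, place order, product page) and then evaluates the “Find all CSRF” traversal over it. The graph class, the trace format, and the two inference rules are assumptions made here: a parameter is typed `unguessable` when its value changes between runs of the same workflow, and a write whose only effect is a self-increment (the page counter of slide 8) is treated as not relevant. Deemon’s own type inference and relevance analysis are not reproduced.

```python
import re
from collections import defaultdict


# Constructed traces: two runs of the same workflows, each entry an HTTP request
# (method, path, parameters) and the SQL queries it caused, as on slides 6 to 8.
# Only the order token differs between the two runs.
def _run(token):
    return [
        (("GET", "/user_data.php", {}), ["SELECT * FROM users WHERE id=1"]),
        (("GET", "/change_pwd.php", {"password": "new_secret"}),
         ["UPDATE users SET pwd='new_secret' WHERE id=1"]),
        (("GET", "/place_order.php", {"token": token}),
         ["INSERT INTO orders (user_id, product_id) VALUES (1, 201)"]),
        (("GET", "/product.php", {"id": "201"}),
         ["UPDATE pages SET cnt = cnt + 1 WHERE id=201",
          "SELECT * FROM products WHERE id=201"]),
    ]


TRACES = [_run("XZR4t6q"), _run("Qp9zLm2w")]

STATE_CHANGING = {"INSERT", "UPDATE", "DELETE", "REPLACE"}
COUNTER_UPDATE = re.compile(r"\bSET\s+(\w+)\s*=\s*\1\s*[+-]\s*\d+", re.IGNORECASE)


def is_state_changing(sql):
    """A query fires a state transition if it writes (slide 6); SELECTs do not."""
    return sql.strip().split(None, 1)[0].upper() in STATE_CHANGING


def is_relevant(sql):
    """Assumed relevance rule: a write whose only effect is a self-increment
    (page counters, slide 8) is state-changing but not security-relevant."""
    return COUNTER_UPDATE.search(sql) is None


class PropertyGraph:
    """Minimal labelled property graph: nodes carry a label and properties, edges a type."""

    def __init__(self):
        self.nodes, self.edges = {}, []

    def add_node(self, nid, label, **props):
        self.nodes.setdefault(nid, {"label": label, **props})
        return nid

    def add_edge(self, src, etype, dst):
        if (src, etype, dst) not in self.edges:
            self.edges.append((src, etype, dst))

    def out(self, src, etype):
        return [d for (s, t, d) in self.edges if s == src and t == etype]

    def inc(self, dst, etype):
        return [s for (s, t, d) in self.edges if d == dst and t == etype]


def build_graph(traces):
    """Merge all traces into one graph: request nodes, one variable node per parameter,
    a transition node per state-changing query, and the accepts / trans_to / has edges."""
    g = PropertyGraph()
    values = defaultdict(set)  # variable id -> values seen across traces
    for trace in traces:
        for (method, path, params), queries in trace:
            rid = g.add_node(f"{method} {path}", "request", method=method, path=path)
            for name, value in params.items():
                vid = g.add_node(f"{rid}?{name}", "variable", name=name, types={"String"})
                values[vid].add(value)
                g.add_edge(rid, "param", vid)
            for i, sql in enumerate(q for q in queries if is_state_changing(q)):
                tr = g.add_node(f"tr:{rid}:{i}", "transition", sql=sql, relevant=is_relevant(sql))
                qf = g.add_node(f"q_f:{rid}:{i}", "state")
                g.add_edge(tr, "accepts", rid)
                g.add_edge(tr, "trans_to", qf)
                for vid in g.out(rid, "param"):
                    g.add_edge(qf, "has", vid)
    # Assumed type rule: a value that differs between runs of the same workflow and
    # is reasonably long is typed "unguessable" (a random token, slide 7).
    for vid, seen in values.items():
        if len(seen) > 1 and min(len(v) for v in seen) >= 6:
            g.nodes[vid]["types"].add("unguessable")
    return g


def find_csrf_candidates(g):
    """The slide-12 traversal: requests r with a transition tr accepting r (1) whose
    target state has no 'unguessable' variable (2) and which is relevant (3)."""
    found = []
    for rid, node in g.nodes.items():
        if node["label"] != "request":
            continue
        for tr in g.inc(rid, "accepts"):                 # (1) r is state-changing
            if not g.nodes[tr]["relevant"]:              # (3) relevant(r)
                continue
            qf = g.out(tr, "trans_to")[0]
            guarded = any("unguessable" in g.nodes[v]["types"] for v in g.out(qf, "has"))
            if not guarded:                              # (2) attacker can build r
                found.append(rid)
                break
    return found


if __name__ == "__main__":
    print("CSRF test candidates:", find_csrf_candidates(build_graph(TRACES)))
```

On these traces only `GET /change_pwd.php` survives: the user-data page fires no transition, the order request is guarded by a token that changes between runs, and the product page only bumps a counter. Each survivor is a candidate to be replayed in the testing step, not yet a confirmed CSRF.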
Deemon: Testing
[Figure: Test Execution. Graph traversals produce queries that select the candidate requests; each request is replayed against the web application in the virtualized environment (GET → 200 OK) and the outcome is recorded as successful or failed.]
Evaluation
• Inputs:
  • 10 web apps from the Bitnami catalog (avg. 600k LoC)
  • 93 workflows (e.g., change password, username, add/delete user/admin, enable/disable plugin)
• Requests:
  • 1,380 requests → 194 not state-changing, 1,186 state-changing
  • 1,186 state-changing → 1,022 not relevant, 164 relevant
  • 164 relevant → 53 protected (108 tokens), 111 unprotected
  • 111 unprotected → 219 tests → 190 failed, 29 successful → 14 distinct CSRFs
• Attacks:
  • User account takeover in AbanteCart and OpenCart
  • Database corruption in Mautic
  • Web app takeover in Simple Invoices
Results Analysis: Awareness
1. Complete awareness: all state-changing operations are protected
  • E.g., Horde, Oxid, and Prestashop
2. Unawareness: none of the relevant state-changing operations are protected
  • I.e., Simple Invoices
3. Partial awareness
  • Role-based: only admin is protected
    • I.e., OpenCart and AbanteCart
  • Operation-based: adding data items is protected, deleting is not
    • I.e., Mautic
Takeaways
• Presented Deemon:
  • Dynamic analysis + property graphs
  • New modeling paradigm
• Deemon detected 14 CSRFs that can be exploited to take over accounts and websites, and to compromise database integrity
• Discovered alarming behaviors: security-sensitive operations are protected in a selective manner