web security session management and csrf
play

Web Security: Session management and CSRF CS 161: Computer Security - PowerPoint PPT Presentation

Oct 12, 2023 •103 likes •522 views

Web Security: Session management and CSRF CS 161: Computer Security Prof. Raluca Ada Popa April 5, 2018 Credit: this deck is a combination of my slides and slide adaptations from previous offerings of this course and from CS 241 of Prof. Dan

  1. Web Security: Session management and CSRF CS 161: Computer Security Prof. Raluca Ada Popa April 5, 2018 Credit: this deck is a combination of my slides and slide adaptations from previous offerings of this course and from CS 241 of Prof. Dan Boneh

  2. Cookie policy versus same-origin policy

  3. Cookie policy: when browser sends cookie Server GET //URL-domain/URL-path Cookie: NAME = VALUE A cookie with domain = example.com, and path = /some/path/ will be included on a request to http://foo.example.com/some/path/subdirectory/hello.txt

  4. Cookie policy versus same-origin policy Consider Javascript on a page loaded from a URL U If a cookie is in scope for a URL U, it can be accessed by Javascript loaded on the page with URL U, unless the cookie has the httpOnly flag set.

  5. Examples cookie 1 cookie 2 name = userid name = userid value = u1 value = u2 domain = login.site.com domain = .site.com path = / path = / non-secure non-secure cookie: userid=u2 http://checkout.site.com/ cookie: userid=u1, userid=u2 http://login.site.com/ http://othersite.com/ cookie: none JS on each of these URLs can access all cookies that would be sent for that URL if the httpOnly flag is not set

  6. Indirectly bypassing same-origin policy using cookie policy Since the cookie policy and the same-origin policy are different, there are corner cases when one can use cookie policy to bypass same-origin policy Ideas how?

  7. Example Victim user browser financial.example.com web server Cookie domains: blog.example.com financial.example.com web server blog.example.com (assume attacker compromised this web server) Browsers maintain a separate cookie jar per domain group, such as one jar for *.example.com cookie jar for *.example.com to avoid one domain filling up the jar and affecting another domain. Each browser decides at what granularity to group domains.

  8. Example Victim user browser financial.example.com web server GET example.com set-cookie: blog.example.com financial.example.com web server blog.example.com (assume attacker compromised this web server) example.com Attacker sets many cookies with domain example.com which overflows the cookie jar for domain cookie jar for *.example.com *.example.com and overwrites cookies from financial.example.com

  9. Example Victim user browser financial.example.com web server example.com blog.example.com example.com web server example.com (assume attacker compromised this web server) example.com Attacker sets many cookies with domain example.com which overflows the cookie jar for domain cookie jar for *.example.com *.example.com and overwrites cookies from financial.example.com

  10. Example Victim user browser financial.example.com GET web server example.com When Alice visits financial.example.com, the example.com browser automatically attaches the attacker’s example.com cookies due to cookie policy (the scope of the example.com cookies is a domain suffix of financial.example.com) cookie jar for *.example.com Why is this a problem?

  11. Indirectly bypassing same-origin policy using cookie policy Victim thus can login into attackers account at financial.example.com This is a problem because the victim might think its their account and might provide sensitive information This bypassed same-origin policy (indirectly) because blog.example.com influenced financial.example.com

  12. RFC6265 - For further details on cookies, checkout the standard RFC6265 “HTTP State Management Mechanism” https://tools.ietf.org/html/rfc6265 - Browsers are expected to implement this reference, and any differences are browser specific

  13. Session management

  14. Sessions A sequence of requests and responses from one browser to one (or more) sites n Session can be long (Gmail - two weeks) or short n without session mgmt: users would have to constantly re-authenticate Session mgmt: n Authorize user once; n All subsequent requests are tied to user

  15. Pre-history: HTTP auth One username and password for a group of users HTTP request: GET /index.html HTTP response contains: WWW-Authenticate: Basic realm="Password Required“ Browsers sends hashed password on all subsequent HTTP requests: Authorization: Basic ZGFddfibzsdfgkjheczI1NXRleHQ=

  16. HTTP auth problems Hardly used in commercial sites n User cannot log out other than by closing browser w What if user has multiple accounts? w What if multiple users on same computer? n Site cannot customize password dialog n Confusing dialog to users n Easily spoofed

  17. Session tokens Browser Web Site GET /index.html set anonymous session token GET /books.html anonymous session token POST /do-login check Username & password credentials (later) elevate to a logged-in session token POST /checkout Validate logged-in session token token

  18. Storing session tokens: Lots of options (but none are perfect) • Browser cookie: Set-Cookie: SessionToken=fduhye63sfdb • Embedd in all URL links: https://site.com/checkout ? SessionToken=kh7y3b • In a hidden form field: <input type=“hidden” name=“sessionid” value=“kh7y3b”>

  19. Storing session tokens: problems • Browser cookie: browser sends cookie with every request, even when it should not (CSRF) • Embed in all URL links: token leaks via HTTP Referer header users might share URLs • In a hidden form field: short sessions only Better answer: a combination of all of the above (e.g., browser cookie with CSRF protection using form secret tokens)

  20. Cross Site Request Forgery

  21. – – – – – – – – – – – – Top web vulnerabilities – – – – – – – OWASP Top 10 – 2013 (New) OWASP Top 10 – 2010 (Previous) – – – A1 – Injection – – A1 – Injection – – – – A3 – Broken Authentication and Session Management – A2 – Broken Authentication and Session Management – – – – – A2 – Cross-Site Scripting (XSS) – A3 – Cross-Site Scripting (XSS) – – – – – A4 – Insecure Direct Object References – A4 – Insecure Direct Object References – – – – – – A5 – Security Misconfiguration A6 – Security Misconfiguration – – – – – � � – – – – – – A7 – Insecure Cryptographic Storage – Merged with A9 � � – – – A6 – Sensitive Data Exposure � � – – – – – – A8 – Failure to Restrict URL Access – Broadened into � � – – A7 – Missing Function Level Access Control – – – – – – A8 – Cross-Site Request Forgery (CSRF) A5 – Cross-Site Request Forgery (CSRF) – – – A9 – Using Known Vulnerable Components <buried in A6: Security Misconfiguration> – – – – – – – – – – – – – 21

  22. HTML Forms Allow a user to provide some data which gets sent with an HTTP POST request to a server <form action="bank.com/action.php"> First name: <input type="text" name="firstname"> Last name:<input type="text" name="lastname"> <input type="submit" value="Submit"></form> When filling in Alice and Smith, and clicking submit, the browser issues HTTP POST request bank.com/action.php?firstname=Alice&lastname=Smith As always, the browser attaches relevant cookies

  23. Consider cookie storing session token Server assigns a session token to each user after they logged in, places it in the cookie The server keeps a table of username to current session token, so when it sees the session token it knows which user

  24. Session using cookies Browser Server

  25. Basic picture Server Victim bank.com 1 4 2 User Victim cookie for Attack Server bank.com with session token What can go bad? URL contains transaction action

  26. Cross Site Request Forgery (CSRF) Example: n User logs in to bank.com w Session cookie remains in browser state n User visits malicious site containing: <form name=F action=http://bank.com/BillPay.php> <input name=recipient value=badguy> … <script> document.F.submit(); </script> n Browser sends user auth cookie with request w Transaction will be fulfilled Problem: n cookie auth is insufficient when side effects occur

  27. Form post with cookie Cookie: SessionID=523FA4cd2E User credentials

  28. Form post with cookie Cookie: SessionID=523FA4cd2E User credentials

  29. Squigler demo

  30. 2008 CSRF attack An attacker could add videos to a user’s "Favorites," • add himself to a user’s "Friend" or "Family" list, • send arbitrary messages on the user’s behalf, • flagged videos as inappropriate, • automatically shared a video with a user’s contacts, • subscribed a user to a "channel" (a set of videos published by one person or group), and added videos to a user’s "QuickList" (a list of videos • a user intends to watch at a later point).

  32. Defenses ideas?

  33. CSRF Defenses CSRF token <input type=hidden value=23a3af01b> Referer Validation Referer: http://www.facebook.com/home.php Others (e.g., custom HTTP Header) we won’t go into

Recommend

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems

Attacking Session Management Professor Larry Heimann Web Application Security Information Systems Lab 3 Review on CSRF &amp; Path Traversal Hacker Wall of Fame (Lab 3 members in italics) Jacob Buckheit (2x) Jenny Zhu Ti ff any Chen

238 views • 13 slides
CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL

CLICK HERE.exe XSS &amp; CSRF Security Meetup Month 2 of 12 (February) Last month: SQL Injections This month: XSS / CSRF Next month: DDoS / DoS Meetup Group for times/dates https://www.meetup.com/CLICK_HERE-exe/ Plan of Attack

1.76k views • 58 slides
This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this

This time Continuing with Web Security Cookies XSS &amp; CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

1.77k views • 148 slides
Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca

Web Security: Sessions; CSRF; start on authentication CS 161: Computer Security Prof. Raluca Ada Popa Nov 10, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Announcements Proj 3

1.32k views • 66 slides
CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site

CSRF 101 Aaron Bishop | CISSP | OSCP Principal Penetration Tester - SecurityMetrics Cross-Site Request Forgery Definition Example OWASP: Login: csrf.vulnerable.page Cross-Site Request Forgery Set-Cookie:session=1a2b3c; (CSRF) is an attack

721 views • 14 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides
More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking;

Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7 2 7 on CSRF) Section 7.2.7 on CSRF) sws2 1 2 Clickjacking &amp; UI redressing sws2 Click jacking &amp; UI

409 views • 29 slides
Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application Security Information Systems A different and trickier threat - CSRF Often referred to as sleeping giant of vulnerabilities because

440 views • 16 slides
Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me

Bypassing CSRF Protections A Double Defeat of the Double-Submit Cookie Pattern About Me David Johansson (@securitybits) Security consultant since 2007 Helping clients design and build secure software Security training Based in

821 views • 25 slides
A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick

A8: Cross-site Request Forgery (CSRF) A8: Cross-site Request Forgery (CSRF) XSS Trick browser to execute code without user knowledge CSRF Trick browser to access sensitive pages without user knowledge CSRF Vulnerability Pattern

284 views • 11 slides
Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF

Table of Contents Berner Fachhochschule, Technik und Informatik Cross Site Request Forgery - CSRF Presentation Vulnerability Advanced Web Technology CSRF allows to access the intranet Protection 10) XSS, CSRF and SQL Injection

559 views • 10 slides
Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1 Table of Contents

641 views • 24 slides
Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user credentials (session ID, cookies, etc.) CSRF Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a

428 views • 23 slides
CSRF Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h

CSRF Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h

CSRF Recall: Session using Cookies Browser Server POST/login.cgi r o a t c i n t e h t u a e : i o k o c t - e S G E T C o o k i e : a u t h e n t i c a t o r e s n o p s e r How it

363 views • 17 slides
Web security II With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson Previously

Web security II With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson Previously

Web security II With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson Previously Web basics SQL injection Today Stateful web Cookie hijacking Session fixation CSRF Dynamic web and XSS Adding state to

1k views • 69 slides
Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application Security Information Systems Lab 3 Review Fastest crackers Melaine Freeman Lan Betancourt Chris Compendio Matthew Nielsen Ivy

292 views • 18 slides
Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application

Cross-Site Request Forgeries (CSRF) &amp; Path Traversal Professor Larry Heimann Web Application Security Information Systems Lab 2 Review on XSS Hacker Wall of Fame (Lab 2 members in italics) Renzo Bautista (2x) Ann Chen Luke

676 views • 20 slides
XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team

XSS &amp; CSRF Alex Infhr Whoami Alex Infhr @insertscript Cure53 MS IE Team Browser PDF / file formats B Shark movies Topics of today XSS Cross Site Scripting XSRF/CSRF Cross Site Request Forgery

893 views • 56 slides
Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011

Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Advanced Web Technology 10) XSS, CSRF and SQL Injection 1 Table of Contents Cross Site Request

659 views • 39 slides
Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week

Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week

1 Session Management e t Software and Web Security 2 a age Sess o sws2 Recall from last week Server and client, i ie. web application and browser, b li ti d b communicate by HTTP requests and responses HTTP response can be

631 views • 44 slides
Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

336 views • 30 slides
Web Security! Big Picture: Browser and Network request website Browser reply OS Network

Web Security! Big Picture: Browser and Network request website Browser reply OS Network

CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

1.29k views • 59 slides
INFORMATION MANAGEMENT AND SECURITY FOR FEDERAL CONTRACTORS ( CYBER SECURITY SERIES PART 1 OF 5)

INFORMATION MANAGEMENT AND SECURITY FOR FEDERAL CONTRACTORS ( CYBER SECURITY SERIES PART 1 OF 5)

INFORMATION MANAGEMENT AND SECURITY FOR FEDERAL CONTRACTORS ( CYBER SECURITY SERIES PART 1 OF 5) ACQUISITION HOUR WEBINAR September 24, 2019 9/24/2019 WEBINAR ETIQUETTE PLEASE Log into the GoToMeeting session with the name that you

862 views • 71 slides
Europes Management of Space Hybrid Threats Dr. Jana Robinson, Space Security Program Director

Europes Management of Space Hybrid Threats Dr. Jana Robinson, Space Security Program Director

2018 International Astronautical Congress, Bremen, Session D5.4., October 5, 2018 Europes Management of Space Hybrid Threats 2018 International Astronautical Congress Session D5.4. Cyber-security threats to space missions and countermeasures

219 views • 11 slides

More recommend