Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
CSRF is dead“Long live CSRF!”
Daniel Tomescu
Up next:
• What is CSRF?
• Tips & tricks
• Is it really gone?
• A few attack scenarios
• What went wrong?
• Questions and (hopefully) Answers
2
About me
Work and education: Pentester @ KPMG Romania
Moderator @ Romanian Security Team
MSc. Eng. @ University “Politehnica” of Bucharest
OSCP, CREST Registered Penetration Tester
Interests:Web app security
Internal network penetration tests
Red / Blue Teaming
Curious about mobile and embedded devices
Bug bounty hunter3
Whoami
About CSRF
4
GET http://bank.com/transfer.do?acct=MARIA&amount=100
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100">
<form action="http://bank.com/transfer.do" method=“GET">
<input type="hidden" name="acct" value="MARIA"/>
<input type="hidden" name="amount" value="100"/>
<input type="submit" value=“Sumbmit"/>
</form>
About CSRF Prevention
5
• CSRF Tokens
• Check source origin
6
• SameSite cookie flag
• Lacks support and adoption
• Different session management
• Authorization bearer
• Local storage
• Websockets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
• Removed from OWASP Top 10 2017
• Not as frequent as before
• Overall risk of CSRF vulnerabilities is not that high
About CSRF Prevention
I. The trouble with web browsers
7
• Trade-off between security and usability
• CSRF is an application issue, not a browser issue;
• Standards… are not always followed consistently
• SameSite cookie flag
• Must work in complex network environments
• Cannot segregate between internet and intranet networks
I. From internet to intranet
8
Visiting a malicious website:
1. Detect the victim’s local IP address:
Demo: http://portswigger-labs.net/hackability/
WebRTC is your friend.
9
I. From internet to intranet
Visiting a malicious website:
1. Detect the victim’s local IP address;
2. Guess the router’s IP address:
Probably it is the gateway: 192.168.1.1 or 192.168.1.254
The web management interface is probably accessible on a common port:
80, 443, 8080, 8443, 8888
10
I. From internet to intranet
Visiting a malicious website:
1. Detect the victim’s local IP address;
2. Guess the router’s IP address;
3. Detect router type using a simple trick: trying to access router images (logo, backdround, icons) which can be accessed without authentication:
11
I. From internet to intranet
Visiting a malicious website:
1. Detect the victim’s local IP address;
2. Guess the router’s IP address;
3. Detect router type;
4. Login in the Router’s web administration interface:
Logon CSRF ?
Default credentials? admin : admin
12
I. From internet to intranet
Visiting a malicious website:
1. Detect the victim’s local IP address;
2. Guess the router’s IP address;
3. Detect router type;
4. Login in the Router’s web administration interface;
5. Exploit other CSRF vulnerabilities in the Router’s web interface:
Change DHCP settings;
Change DNS settings;
Update firmware – which will probably brick the router;
Restart router for changes to take effect.
13
I. From internet to intranet
Visiting a malicious website:
1. Detect the victim’s local IP address;
2. Guess the router’s IP address;
3. Detect router type;
4. Login in the Router’s web administration interface;
5. Exploit other CSRF vulnerabilities in the Router’s web interface;
6. Configure a Captive Portal!
14
I. Captive portal
Visiting a malicious website:
1. Detect the victim’s local IP address;
2. Guess the router’s IP address;
3. Detect router type;
4. Login in the Router’s web administration interface;
5. Exploit other CSRF vulnerabilities in the Router’s web interface;
6. Configure a Captive Portal!
15
I. Captive portal
Visiting a malicious website:
1. Detect the victim’s local IP address;
2. Guess the router’s IP address;
3. Detect router type;
4. Login in the Router’s web administration interface;
5. Exploit other CSRF vulnerabilities in the Router’s web interface;
6. Configure a Captive Portal and ask for Integrated Windows Authentication (NTLM-SSP)
16
I. Captive portal
Captive Portal with Integrated Windows Authentication (NTLM-SSP):
Can be simulated with Responder, https://github.com/SpiderLabs/Responder
NTLMv1 / NTLMv2 handshakes can be bruteforced;
The obtained credentials might be used to RDP into the victim’s computer or to execute commands over SMB using PsExec or similar tools (Administrative privileges required)
17
I. Captive portal
I. New VPN?
18
Obtain access to the intranet by configuring a VPN:
1. Configure VPN on router;
2. Connect to the VPN from outside (?);
3. Pivot in the internal network
I. What went wrong?
19
1. Internet requests can touch the internal network
2. Weak / default router configuration
3. Improper network segregation
4. IPS / IDS / Antivirus failure
II. Cross-Site Printing
20
https://hacking-printers.net/wiki/index.php/Cross-site_printing
1. Scan internal network for printers using cross-site requests
2. Target port 9100 – can be used for raw printing
3. Send cross-site requests to print arbitrary data from the internet!
II. Cross-Site Printing (2)
21
Demo: http://hacking-printers.net/xsp/
II. Attacks for fun and profit
22
1. Print fake invoices
2. Print fake salary reports
3. Print fake emails
4. Blackmail / scare the receiver
II. What went wrong?
23
1. Web browsers allowing CSRF to port 9100
2. Weak / default printer configuration
3. Improper network segregation
4. IPS / IDS / Antivirus failure
III. Cross-site identity disclosure
24
1. You are registered on a website:
• TheLegend47 @ https://funny-games.com
• Email address, a password, name (?)…
• Might be a fake identity, no real information given.
2. https://funny-games.com can initiate a simple cross-site request to https://some-popular-forum.com
1. Has the list of online users changed?
1. Yes, JohnDoe appears to be online now. Is this our victim?
2. No. Tough luck. Maybe try another target?
III. Possible targets
25
Vulnerable websites:
1. Most forum platforms
2. A few blogging platforms
3. A fair number of e-commerce websites
Common vulnerable functionalities:
• Online users;
• Last seen / last visit;
• Read / view notice;
III. Possible targets
26
Examples:
1. https://local-amazon-site.com/BikeShop/index.php
2. https://Some-Religion-Group.com/forums/home.php
3. https://popular-dating-site.com/profile.php
4. https://website-about-medical-stuff.com/cancerBlogs/video.php?id=1337
IV. What went wrong?
27
1. Lack of CSRF protection for apparently harmless requests
2. Insecure authentication / session management mechanisms
3. Failure to protect your user’s privacy;
4. IPS / IDS / Antivirus failure
III. Cross-Site login disclosure
28
Accessed page returns different HTTP code when user is logged in or logged out:
• 401, 403, 404…
• onerror event is triggered
• 20x (login page is displayed) , 30x (redirect to login page)
• onerror event is NOT triggered;
IV. More magic with cross-site requests
29
Tampering with online polls:
1. Vulnerable to CSRF?
2. Restrictions:
1. One vote per IP?
2. User logged in?
• Contact forms?
• Abuse reports?
Do you want us to remove the second factor authentication mechanism?
IV. Application level DoS
30
https://some-website.com/generatePicture.php?height=800&width=400
• https://some-website.com/generatePicture.php?height=800&width=400
• https://some-website.com/generatePicture.php?height=1000000&width=1000000
• https://some-website.com/includeJS.php?script=jquery.js,toolbox.js
• https://some-website.com/includeJS.php?script=jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js
IV. Application level DoS
31
1. Requests from a server / a few servers:
• Easy to block / blacklist in firewalls
• Might allow tracking back to the attacker
2. Requests from a botnet
• Not so easy to block;
• Might compromise the botnet’s zombies
3. Requests originating from the visitors of a rogue website
• Not so easy to block, the visitors are genuine;
• Hard to trace back the attacker
• Hard to trace back the rogue website
IV. What went wrong?
32
1. Lack of CSRF protection for apparently harmless tasks
2. Improper authorization / authentication mechanisms
3. Application-level DoS
4. IPS / IDS / Antivirus failure
Questions?
33