CSRF is dead“Long live CSRF!”

Daniel Tomescu

Up next:

• What is CSRF?

• Tips & tricks

• Is it really gone?

• A few attack scenarios

• What went wrong?

• Questions and (hopefully) Answers

2

About me

Work and education: Pentester @ KPMG Romania

Moderator @ Romanian Security Team

MSc. Eng. @ University “Politehnica” of Bucharest

OSCP, CREST Registered Penetration Tester

Interests:Web app security

Internal network penetration tests

Red / Blue Teaming

Curious about mobile and embedded devices

Bug bounty hunter3

Whoami

About CSRF

4

GET http://bank.com/transfer.do?acct=MARIA&amount=100

<img src="http://bank.com/transfer.do?acct=MARIA&amount=100">

<form action="http://bank.com/transfer.do" method=“GET">

<input type="hidden" name="acct" value="MARIA"/>

<input type="hidden" name="amount" value="100"/>

<input type="submit" value=“Sumbmit"/>

</form>

About CSRF Prevention

5

• CSRF Tokens

• Check source origin

6

• SameSite cookie flag

• Lacks support and adoption

• Different session management

• Authorization bearer

• Local storage

• Websockets

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

• Removed from OWASP Top 10 2017

• Not as frequent as before

• Overall risk of CSRF vulnerabilities is not that high

About CSRF Prevention

I. The trouble with web browsers

7

• Trade-off between security and usability

• CSRF is an application issue, not a browser issue;

• Standards… are not always followed consistently

• SameSite cookie flag

• Must work in complex network environments

• Cannot segregate between internet and intranet networks

I. From internet to intranet

8

Visiting a malicious website:

1. Detect the victim’s local IP address:

Demo: http://portswigger-labs.net/hackability/

WebRTC is your friend.

9

I. From internet to intranet

Visiting a malicious website:

1. Detect the victim’s local IP address;

2. Guess the router’s IP address:

Probably it is the gateway: 192.168.1.1 or 192.168.1.254

The web management interface is probably accessible on a common port:

80, 443, 8080, 8443, 8888

10

I. From internet to intranet

Visiting a malicious website:

1. Detect the victim’s local IP address;

2. Guess the router’s IP address;

3. Detect router type using a simple trick: trying to access router images (logo, backdround, icons) which can be accessed without authentication:

11

I. From internet to intranet

Visiting a malicious website:

1. Detect the victim’s local IP address;

2. Guess the router’s IP address;

3. Detect router type;

4. Login in the Router’s web administration interface:

Logon CSRF ?

Default credentials? admin : admin

12

I. From internet to intranet

Visiting a malicious website:

1. Detect the victim’s local IP address;

2. Guess the router’s IP address;

3. Detect router type;

4. Login in the Router’s web administration interface;

5. Exploit other CSRF vulnerabilities in the Router’s web interface:

Change DHCP settings;

Change DNS settings;

Update firmware – which will probably brick the router;

Restart router for changes to take effect.

13

I. From internet to intranet

Visiting a malicious website:

1. Detect the victim’s local IP address;

2. Guess the router’s IP address;

3. Detect router type;

4. Login in the Router’s web administration interface;

5. Exploit other CSRF vulnerabilities in the Router’s web interface;

6. Configure a Captive Portal!

14

I. Captive portal

Visiting a malicious website:

1. Detect the victim’s local IP address;

2. Guess the router’s IP address;

3. Detect router type;

4. Login in the Router’s web administration interface;

5. Exploit other CSRF vulnerabilities in the Router’s web interface;

6. Configure a Captive Portal!

15

I. Captive portal

Visiting a malicious website:

1. Detect the victim’s local IP address;

2. Guess the router’s IP address;

3. Detect router type;

4. Login in the Router’s web administration interface;

5. Exploit other CSRF vulnerabilities in the Router’s web interface;

6. Configure a Captive Portal and ask for Integrated Windows Authentication (NTLM-SSP)

16

I. Captive portal

Captive Portal with Integrated Windows Authentication (NTLM-SSP):

Can be simulated with Responder, https://github.com/SpiderLabs/Responder

NTLMv1 / NTLMv2 handshakes can be bruteforced;

The obtained credentials might be used to RDP into the victim’s computer or to execute commands over SMB using PsExec or similar tools (Administrative privileges required)

17

I. Captive portal

I. New VPN?

18

Obtain access to the intranet by configuring a VPN:

1. Configure VPN on router;

2. Connect to the VPN from outside (?);

3. Pivot in the internal network

I. What went wrong?

19

1. Internet requests can touch the internal network

2. Weak / default router configuration

3. Improper network segregation

4. IPS / IDS / Antivirus failure

II. Cross-Site Printing

20

https://hacking-printers.net/wiki/index.php/Cross-site_printing

1. Scan internal network for printers using cross-site requests

2. Target port 9100 – can be used for raw printing

3. Send cross-site requests to print arbitrary data from the internet!

II. Cross-Site Printing (2)

21

Demo: http://hacking-printers.net/xsp/

II. Attacks for fun and profit

22

1. Print fake invoices

2. Print fake salary reports

3. Print fake emails

4. Blackmail / scare the receiver

II. What went wrong?

23

1. Web browsers allowing CSRF to port 9100

2. Weak / default printer configuration

3. Improper network segregation

4. IPS / IDS / Antivirus failure

III. Cross-site identity disclosure

24

1. You are registered on a website:

• TheLegend47 @ https://funny-games.com

• Email address, a password, name (?)…

• Might be a fake identity, no real information given.

2. https://funny-games.com can initiate a simple cross-site request to https://some-popular-forum.com

1. Has the list of online users changed?

1. Yes, JohnDoe appears to be online now. Is this our victim?

2. No. Tough luck. Maybe try another target?

III. Possible targets

25

Vulnerable websites:

1. Most forum platforms

2. A few blogging platforms

3. A fair number of e-commerce websites

Common vulnerable functionalities:

• Online users;

• Last seen / last visit;

• Read / view notice;

III. Possible targets

26

Examples:

1. https://local-amazon-site.com/BikeShop/index.php

2. https://Some-Religion-Group.com/forums/home.php

3. https://popular-dating-site.com/profile.php

4. https://website-about-medical-stuff.com/cancerBlogs/video.php?id=1337

IV. What went wrong?

27

1. Lack of CSRF protection for apparently harmless requests

2. Insecure authentication / session management mechanisms

3. Failure to protect your user’s privacy;

4. IPS / IDS / Antivirus failure

III. Cross-Site login disclosure

28

Accessed page returns different HTTP code when user is logged in or logged out:

• 401, 403, 404…

• onerror event is triggered

• 20x (login page is displayed) , 30x (redirect to login page)

• onerror event is NOT triggered;

IV. More magic with cross-site requests

29

Tampering with online polls:

1. Vulnerable to CSRF?

2. Restrictions:

1. One vote per IP?

2. User logged in?

• Contact forms?

• Abuse reports?

Do you want us to remove the second factor authentication mechanism?

IV. Application level DoS

30

https://some-website.com/generatePicture.php?height=800&width=400

• https://some-website.com/generatePicture.php?height=800&width=400

• https://some-website.com/generatePicture.php?height=1000000&width=1000000

• https://some-website.com/includeJS.php?script=jquery.js,toolbox.js

• https://some-website.com/includeJS.php?script=jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js, jquery.js

IV. Application level DoS

31

1. Requests from a server / a few servers:

• Easy to block / blacklist in firewalls

• Might allow tracking back to the attacker

2. Requests from a botnet

• Not so easy to block;

• Might compromise the botnet’s zombies

3. Requests originating from the visitors of a rogue website

• Not so easy to block, the visitors are genuine;

• Hard to trace back the attacker

• Hard to trace back the rogue website

IV. What went wrong?

32

1. Lack of CSRF protection for apparently harmless tasks

2. Improper authorization / authentication mechanisms

3. Application-level DoS

4. IPS / IDS / Antivirus failure

Questions?

33

Thank you!

34

Mail: mail@daniel-tomescu.comLinkedIn: https://www.linkedin.com/in/daniel-tomescu/