Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
UNIVERSITI PUTRA MALAYSIA
MODELING OF POST-INCIDENT ROOT CAUSE ANALYSIS FOR CROSS SITE REQUEST FORGERY (CSRF) ATTACK
MOHD NAWAWI BIN MUSTAFA
FSKTM 2015 39
© CO
PYRI
GHT U
PM
MODELING OF POST-INCIDENT ROOT CAUSE ANALYSIS FOR
CROSS SITE REQUEST FORGERY (CSRF) ATTACK
By
MOHD NAWAWI BIN MUSTAFA
Thesis Submitted to the School of Graduate Studies, Universiti Putra Malaysia
in Fulfilment of the Requirements for the Master of Computer Science
JULY 2015
© CO
PYRI
GHT U
PM
All material contained within the thesis, including without limitation text, logos,
icons, photographs and all other artworks, is copyright material of Universiti
Putra Malaysia unless otherwise stated. Use may be made of any material
contained within the thesis for non-commercial purposes from the copyright
holder. Commercial use of material may only be made with the express, prior,
written permission of Universiti Putra Malaysia.
Copyright © Universiti Putra Malaysia
© CO
PYRI
GHT U
PM
DEDICATIONS
This thesis is dedicated to:
My beloved wife, Kartina bt. Omar.
Thank you for the support, encouragement and constant love.
Your sacrifice and contribution is my success secret.
Also to my supervisor, Dr. Mohd Taufik Abdullah
Your encouragement, support, advice and guidance is an outline
to my achievement.
Finally, to all my friends,
Thank you for the support and encouragement.
© CO
PYRI
GHT U
PM
i
ABSTRACT
Abstract of thesis presented to the Senate of Universiti Putra Malaysia in
fulfillment of the requirement for the Master of Computer Science
MODELING OF POST-INCIDENT ROOT CAUSE ANALYSIS FOR
CROSS SITE REQUEST FORGERY (CSRF) ATTACK
By
MOHD NAWAWI BIN MUSTAFA
JULY 2015
Supervisor : Dr. Mohd Taufik Abdullah
Faculty : Faculty of Computer Science and Information Technology
Abstract: With the advancement of ICT technology, especially on web
technologies, people have changes their way of doing this. Online
transactions have become more popular compared to physically going at the
specific location to do transactions. However, the advancement of web
technology has also introduced new security threats to the businesses and
the clients.
OWASP Top 10 security project has classifies web application security
incident into ten categories of most commonly exploited vulnerabilities. Even
© CO
PYRI
GHT U
PM
ii
though the countermeasures for those vulnerabilities have been available for
some time, the numbers of exploited web applications are increasing each
year. One of the factors that contributes to the increasing number of ICT
security incidents is failure to determine the root cause of an incident, thus
allowing the attacker to repeat an attack on the system in the future by
exploiting the same vulnerability.
This study will propose a model for post-incident root cause analysis to
determine the suitable countermeasures in rectifying the Cross Site Request
Forgery (CSRF) vulnerabilities. The proposed model were consists of attacker
component, countermeasure component and inference component.
The proposed model will be developed using Colored Petri Nets. CSRF attack
simulation was performed using Damn Vulnerable Web Application (DVWA)
as the target machine and tested based on recommendations by the previous
researchers.
To test the effectiveness of the developed model, the result of the CSRF
attack simulations were compared with results by other researchers in the
same category.
Hopefully, the proposed post-incident root cause analysis will benefit web
application developers, security auditors and other related parties to identify
and fix CSRF vulnerabilities on their web applications.
© CO
PYRI
GHT U
PM
iii
ABSTRAK
Abstrak tesis yang dikemukakan kepada Senat Universiti Putra Malaysia
sebagai memenuhi keperluan untuk ijazah Sarjana Sains Komputer
MODELING OF POST-INCIDENT ROOT CAUSE ANALYSIS FOR
CROSS SITE REQUEST FORGERY (CSRF) ATTACK
Oleh
MOHD NAWAWI BIN MUSTAFA
JULAI 2015
Penyelia : Dr. Mohd Taufik Abdullah
Fakulti : Fakulti Sains Komputer dan Teknologi Maklumat
Abstrak: Selaras dengan kemajuan teknologi ICT, terutamanya teknologi
web, masyarakat telah mengubah cara mereka melakukan kerja. Transaksi
atas talian telah menjadi semakin popular. Walaubagaimana pun, kemajuan
teknologi web telah memperkenalkan ancaman keselamatan baharu kepada
perniagaan and para pelanggan.
Projek keselamatan OWASP Top 10 telah mengklasifikasikan insiden
keselamatan aplikasi web kepada sepuluh kategori kelemahan yang biasa di
eksploit. Walaupun kaedah mengatasi kelemahan ini telah ada, bilangan
© CO
PYRI
GHT U
PM
iv
aplikasi web yang di eksploit terus meningkat setiap tahun. Antara factor yang
menyumbang kepada peningkatan insiden keselamatan ICT adalah
kegagalan mengenalpasti punca insiden tersebut yang membolehkan
pencerobohan berulang ke atas sistem berkenaan pada masa akan datang
dengan mengeksploit kelemahan yang sama.
Kajian ini akan mencadangkan sebuah model bagi menjalankan analisa
punca selepas insiden berlaku untuk mengenalpasti kaedah pengukuhan
yang sesuai bagi mengatasi kelemahan CSRF. Model yang dicadangkan
terdiri dari komponen penyerang, komponen pengukuhan dan komponen
analisa.
Model yang dicadangkan tersebut akan dibangunkan menggunakan Colored
Petri Nets. Simulasi bagi serangan CSRF dilakukan menggunakan aplikasi
DVWA sebagai sasaran serangan and di uji berdasarkan saranan oleh
pengkaji-pengkaji yang terdahulu.
Untuk mengkaji keberkesanan model yang dibangunkan, hasil simulasi
serangan CSRF yang dijalankan dibandingkan dengan hasil kajian oleh
pengkaji-pengkaji lain di dalam kategori yang sama.
Adalah diharapkan model bagi menjalankan analisa punca selepas insiden
berlaku yang dicadangkan ini akan dapat membantu pembangun aplikasi
web, pengaudit keselamatan dan lain-lain pihak yang berkenaan untuk
mengenalpasti and memperbaiki kelemahan CSRF pada aplikasi mereka.
© CO
PYRI
GHT U
PM
v
ACKNOWLEDGEMENTS
Alhamdulillah, all praises to Allah S.W.T for the strength and blessing in
completing this thesis.
I would like to express the deepest appreciation to my supervisor, Dr. Mohd
Taufik Abdullah, for the patient and truthful guidance and unlimited confidence
in me. I would also like to thank him for being an open person and for
encouraging and helping me to shape my interest and ideas. His guidance
helped me in all the time of research and writing of this thesis.
My sincere thanks and gratitude also dedicated to the Dean and members of
FSKTM for their endless support. Their care and support help me overcome
setbacks and stay focused on my graduate study. I deeply appreciate their
believed in me.
My greatest appreciation and friendship goes to my friends, especially in
Universiti Putra Malaysia, who were always a great support in all my struggles
and frustrations in my studies. Thanks to them for questioning me about my
ideas, helping me think rationally and even for hearing my problems.
Finally, I would like to thank my wife for always believing in me, for her
continuous love and their supports in my decisions. Without whom I could not
have made it here.
© CO
PYRI
GHT U
PM
vi
APPROVAL
This thesis was submitted to the Senate of Universiti Putra Malaysia and has
been accepted as fulfillment of the requirement for the degree Master of
Computer Science. The members of the Supervisory Committee were as
follows:
Mohd Taufik Abdullah, PhD
Faculty of Computer Science and Information Technology
Universiti Putra Malaysia
(Supervisor)
Zurina Mohd Hanapi, PhD
Faculty of Computer Science and Information Technology
Universiti Putra Malaysia
(Assessor)
Date: July 2015
© CO
PYRI
GHT U
PM
vii
DECLARATION
I declare that the thesis is my original work except for the quotations and
citations which have been duly acknowledged. I also declare that it has not
been previously submitted for any other degree at Universiti Putra Malaysia or
at any other institutions.
Signature : ___________________________
Name : MOHD NAWAWI BIN MUSTAFA
Matric No. : GS37498
Date : _______________
© CO
PYRI
GHT U
PM
viii
TABLE OF CONTENTS
ABSTRACT ................................................................................................................ i
ABSTRAK ................................................................................................................. iii
ACKNOWLEDGEMENTS .......................................................................................... v
APPROVAL ............................................................................................................... vi
DECLARATION ........................................................................................................ vii
LIST OF TABLES ...................................................................................................... x
LIST OF FIGURES .................................................................................................... xi
LIST OF ABBREVIATIONS ...................................................................................... xii
1.0 INTRODUCTION ............................................................................................ 1
1.1 Background ................................................................................................. 1
1.2 Problem Statement ...................................................................................... 1
1.3 Research Objective ..................................................................................... 2
1.4 Research Scope .......................................................................................... 3
1.5 Thesis Organization .................................................................................... 3
2.0 LITERATURE REVIEW .................................................................................. 5
2.1 Introduction ................................................................................................. 5
2.2 ICT Security Incident ................................................................................... 5
2.3 Cross Site Request Forgery ...................................................................... 14
2.4 Post-Incident Root Cause Analysis ........................................................... 15
2.5 Colored Petri Nets ..................................................................................... 16
2.6 Summary ................................................................................................... 18
3.0 METHODOLOGY.......................................................................................... 20
3.1 Introduction ............................................................................................... 20
3.2 Research Methodology.............................................................................. 20
3.3 Comparison with Previous Model .............................................................. 29
3.4 Summary ................................................................................................... 29
4.0 MODEL OF POST-INCIDENT ROOT CAUSE ANALYSIS FOR CROSS SITE REQUEST FORGERY (CSRF) ATTACK ................................................................. 30
4.1 Introduction ............................................................................................... 30
4.2 Modeling ................................................................................................... 30
4.2.1 Attacker Component ........................................................................... 31
4.2.2 Countermeasure Component ............................................................. 32
© CO
PYRI
GHT U
PM
ix
4.2.3 Inference Component ......................................................................... 33
4.2.4 Preliminary Model............................................................................... 34
4.3 Simulation ................................................................................................. 35
4.3.1 Topology ............................................................................................ 35
4.3.2 Parameter .......................................................................................... 36
4.3.3 Hardware and Software ...................................................................... 36
4.4 Summary ................................................................................................... 37
5.0 RESULT AND DISCUSSIONS ...................................................................... 38
5.1 Introduction ............................................................................................... 38
5.2 CSRF Attack Simulation ............................................................................ 38
5.2.1 Attack on HTTP GET Method ............................................................. 39
5.2.2 Attack on HTTP POST Method........................................................... 39
5.2.3 Attack on HTTP Referrer .................................................................... 41
5.2.4 Attack on CAPTCHA .......................................................................... 42
5.2.5 Attack on Secret Token ...................................................................... 43
5.3 Root Cause Analysis Model ...................................................................... 44
5.4 Anti CSRF Implementation in Malaysia ..................................................... 49
5.5 Performance Evaluation ............................................................................ 50
5.6 Other Usage of Secret Token and CAPTCHA ........................................... 51
5.7 Limitation ................................................................................................... 53
5.8 Summary ................................................................................................... 53
6.0 CONCLUSION AND FUTURE WORKS ........................................................ 54
6.1 Conclusion ................................................................................................ 54
6.2 Future Works ............................................................................................. 54
REFERENCES ........................................................................................................ 56
ATTACHMENT A .................................................................................................... 58
ATTACHMENT B .................................................................................................... 77
© CO
PYRI
GHT U
PM
x
LIST OF TABLES
Table 4.1: Logical operators in CPN Tools 31
Table 4.2: Parameters for model 36
Table 4.3: Software list 37
Table 4.4: Hardware list 37
Table 5.1: Protection using HTTP Referrer 41
Table 5.2: HTTP Referrer manipulation using cURL 41
Table 5.3: Web server log 42
Table 5.4: Anti CSRF implementation in Malaysia 50
Table 5.5: Performance evaluation 50
© CO
PYRI
GHT U
PM
xi
LIST OF FIGURES
Figure 2.1: Phases in incident management process 6
Figure 2.2: OWASP Top 10 10
Figure 2.3: CSRF attack flow 15
Figure 2.4: CPN simulation toolbar 18
Figure 3.1: Research methodology 22
Figure 3.2: CAPTCHA example 28
Figure 4.1: Global variables for proposed model 31
Figure 4.2: Source of attacks 32
Figure 4.3: Applied countermeasures 32
Figure 4.4: Inference component 33
Figure 4.5: Preliminary root cause analysis model 34
Figure 4.6: Network topologies 35
Figure 5.1: Attack on HTTP GET method 39
Figure 5.2: Attack on HTTP POST method 40
Figure 5.3: Attack on CAPTCHA 43
Figure 5.4: Attack on secret token 44
Figure 5.5: Simplified attacker component 45
Figure 5.6: Simplified countermeasure component 46
Figure 5.7 (a): Initial state of the model 47
Figure 5.7 (b): Transition state of model 48
Figure 5.7 (c): Final state of the model 49
© CO
PYRI
GHT U
PM
xii
LIST OF ABBREVIATIONS
CAPTCHA Completely Automated Public Turing test to tell Computers and
Humans Apart
CERT Computer Emergency Response Team
CPN Colored Petri Nets
CSRF Cross Site Request Forgery
CVSS Common Vulnerability Scoring System
DFRWS Digital Forensic Research Conference
DVWA Damn Vulnerable Web Application
FSKTM Faculty of Computer Science and Information Technology,
Universiti Putra Malaysia
HTML Hypertext Markup Language
HTTP Hypertext Transfer Protocol
ICT Information and Communication Technology
IEC International Electrotechnical Commission
IP Internet Protocol
ISO International Organization of Standardization
LDAP Lightweight Directory Access Protocol
OS Operating System
OWASP Open Web Application Security Project
PHP Hypertext Preprocessor
SQL Structured Query Language
URL Uniform Resource Locator
XSS Cross Site Scripting
© CO
PYRI
GHT U
PM
1
CHAPTER 1
INTRODUCTION
1.1 Background
This chapter discusses about the background of the research area problem
statement, research objectives, scope of the study and thesis organization.
CSRF is a website vulnerability which is less known to website developers so
it is exist in many websites (Siddiqui, 2011). Many of the web application
developers are not aware of the vulnerability. A successful exploit of the
vulnerability will impact the integrity and non-repudiation of the company, thus
might deter their clients as they have loss of reputation and confidence on
their company’s services. Therefore, a root cause analysis model for CSRF
attack will help to guide the web developers and security auditors to
implement the right countermeasures on their web application to reduce the
risk of CSRF attacks in the future.
1.2 Problem Statement
Based on OWASP report (OWASP, 2013), Cross Site Request Forgery
(CSRF) is one of the commonly found vulnerabilities in a web applications.
Detection of CSRF attack is currently difficult to do since each web application
© CO
PYRI
GHT U
PM
2
behaves differently upon receiving requests from users. Automated detection
techniques such as ModSecurity on Apache web server and scoring system
used in CVSS are not be able to provide satisfactory level of accuracy
(Hannes, 2015). CSRF attack can be easily launch by clicking a link in an
email that contains a specially encoded link or a link that redirects a user to a
vulnerable web site, which then executes the CSRF attack. Even though there
are several researchers that suggest countermeasures for CSRF vulnerability,
the existence of post-incident root cause analysis model has not been paid
much attention (Tondel, 2014).
The previous model developed by Philippe (2011) focused on developing
client-side protection against CSRF attacks. Even though the solution able to
provide protection against CSRF attack to the user, it would not be able to
protect all users since the user need to install the developed add-on package
for the Firefox browser on the client-side. Furthermore, the add-on might not
compatible with the latest version of the web browser.
The proposed model in the research focused on the server-side solutions, so
that it can be benefited by all users and not limited by the additional protection
for CSRF installed on their machine.
1.3 Research Objective
Drupsteen (2014) has identified that the intrusions of web application are due
to the related person are not able to learn from the incident occurs. There are
© CO
PYRI
GHT U
PM
3
cases on intrusion of web applications by exploiting the same vulnerability that
was not properly addressed during the post-incident phase of incident
management.
The objective of this study is to propose a post-incident root cause analysis
model for CSRF attack based on DFRWS investigative framework in finding
the optimal countermeasures by focusing on the server-side solution.
1.4 Research Scope
This project focuses on developing a post-incident root cause analysis model
for CSRF attack using Colored Petri Nets. The model would be able to
determine the root cause of a CSRF intrusion and suggests countermeasures
that can be implemented on the server-side that should be done by the web
developers to reduce the risk of incident in the future.
1.5 Thesis Organization
This chapter discussed on the motivation of this study, problem statement,
research objective and research scope. This thesis is organized into six
chapters.
Chapter 2 explains the literature review and related works regarding ICT
security incident management, Cross-Site Request Forgery, Post-Incident
Root Cause Analysis and Colored Petri Nets.
© CO
PYRI
GHT U
PM
4
Based on the information grasp in literature review, the research methodology
was proposed and discussed in Chapter 3.
Chapter 4 discusses on the requirements for the implementation and
simulation of the study. In this chapter, research parameters, topology,
simulation and performance metric were discussed. Hardware and software
requirements were also discussed to ensure there are no interruptions during
the study.
Result and findings of the research were recorded and discussed in Chapter
5. Each of the findings has been analyses and discussed accordingly. The
result of the study was compared with the previous researcher for
performance analysis.
Finally, the conclusion of the thesis and proposed future work of this thesis
was tabled in Chapter 6.
© CO
PYRI
GHT U
PM
56
REFERENCES
Adam, B., Collin, J., John C. M. (2008). Robust defenses for cross-site request forgery. Proceedings of the 15th ACM conference on Computer and communications security, pp. 75-88.
Alexenko, T., Jenne, M., Roy, S. D., Zeng, W. (2010). Cross-Site Request Forgery: Attack and Defense. 7th IEEE Consumer Communications and Networking Conference (CCNC), pp. 1 – 2.
Blatz, J. (2008). CSRF: Attack and Defense. McAfee White Paper. http://www.mcafee.com/us/resources/white-papers/wp-csrf-attack-defense.pdf
Drupsteen, L., Hasle, P. (2014). Why do organizations not learn from incidents? Bottlenecks, causes and conditions for a failure to effectively learn. Accident Analysis & Prevention, vol. 72, pp. 351–358.
Hannes, H., Afridi, K. K. (2015). An expert-based investigation of the Common Vulnerability Scoring System. Computers & Security, vol. 53, pp. 18-30.
Kurt, J., Lars, M. K., Lisa, W. (2007). Coloured Petri Nets and CPN Tools for modelling and validation of concurrent systems. International Journal on Software Tools for Technology Transfer,vol. 9, issue 3-4, pp. 213-254.
OWASP Foundation. OWASP Top 10 – 2013. http://owasptop10.googlecode.com/files/OWASP Top 10 - 2013.pdf
Philippe, D. R., et al. (2011). Automatic and Precise Client-Side Protection against CSRF Attacks. Lecture Notes in Computer Science, vol. 6879, pp. 100-116.
Purnima, K., Purnima, B. (2014). Vulnerabilities and Defensive Mechanism of CSRF. International Journal of Computer Trends and Technology (IJCTT), 4, vol. 13, pp. 171 – 174.
Sentamilselvan, K., Lakshmana, P. S., Ramkumar, N. (2014). Cross Site Request Forgery: Preventive Measures. International Journal of Computer Applications (0975 – 8887), vol. 106, no.11.
Siddiqui, M. S., Verma, D. (2011). Cross Site Request Forgery: A common web application weakness. IEEE 3rd International Conference on Communication Software and Networks (ICCSN), pp. 538 – 543.
Stephenson, P. (2004). The Application of Formal Methods to Root Cause Analysis of Digital Incidents. International Journal of Digital Evidence, vol. 3, issue 1.
© CO
PYRI
GHT U
PM
57
Stephenson, P. (2003). Modelling of Post-Incident Root Cause Analysis. International Journal of Digital Evidence, vol. 2, issue 2.
Tondel, I. A., Line, M. B., Jaatun, M. G. (2014). Information security incident management: Current practice as reported in the literature. Computers & Security, 45, pp. 42–57.
Zeller, W., Felten, E. W. (2008). Cross-Site Request Forgeries: Exploitation and Prevention. Technical Report, Princeton University.
MODELING OF POST-INCIDENT ROOT CAUSE ANALYSIS FORCROSS SITE REQUEST FORGERY (CSRF) ATTACKABSTRACTTABLE OF CONTENTSCHAPTERREFERENCES