this preso covers CSRF, ClickJacking and Open Redirect.

1. CSRF
(Cross
Site
Request
Forgery)
ClickJacking
&
Open
Redirects

2. Cross
Site
Request
Forgery
(CSRF)
• Generic
CSRF
is
with
GET
/
POST
• Forcefully
sending
request
to
the
target
applicaEon
with
cookie
replay
• Leveraging
tags
like
– IMG
– SCRIPT
– IFRAME
• Not
abide
by
SOP
or
Cross
Domain
is
possible

3. Request
generaEon
IMG
SRC
<img
src="hOp://host/?command">
SCRIPT
SRC
<script
src="hOp://host/?command">
IFRAME
SRC
<iframe
src="hOp://host/?command">

4. Request
generaEon
'Image'
Object
<script>
var
foo
=
new
Image();
foo.src
=
"hOp://host/?command";
</script>
XHR
–
Cross
domain
difficult

5. Request
generaEon
• It
is
possible
to
generate
POST
as
well
• Form
can
be
build
dynamically
and
buOon
click
from
JavaScript
is
possible
<script
type="text/javascript"
language="JavaScript">
document.foo.submit();
</script>

6. Cross
Site
Request
Forgery
(CSRF)
• What
is
different
with
Web
2.0
– Is it possible to do CSRF to XML stream
– How?
– It will be POST hitting the XML processing
resources like Web Services
– JSON CSRF is also possible
– Interesting check to make against application
and Web 2.0 resources

7. One
Way
CSRF
Scenario

8. One
Way
CSRF
Scenario

9. One
Way
CSRF
Scenario

10. One
Way
CSRF
Scenario

11. One-­‐Way
CSRF

12. One-­‐Way
CSRF
• <html>
• <body>
• <FORM
NAME="buy"
ENCTYPE="text/plain"
acEon="hOp://
trade.example.com/xmlrpc/trade.rem"
METHOD="POST">
•
<input
type="hidden"
name='<?xml
version'
value='"1.0"?
><methodCall><methodName>stocks.buy</
methodName><params><param><value><string>MSFT</string></
value></param><param><value><double>26</double></value></
param></params></methodCall>'>
• </FORM>
• <script>document.buy.submit();</script>
• </body>
• </html>

13. Forcing
XML
• Spligng
XML
stream
in
the
form.
• Possible
through
XForms
as
well.
• Similar
techniques
is
applicable
to
JSON
as
well.

14. Two-­‐Way
CSRF
• One-­‐Way
–
Just
making
forceful
request.
• Two-­‐Way
– Reading the data coming from the target
– May be getting hold onto important
information – profile, statements, numbers
etc.
– Is it possible with JSON/XML

15. Two-­‐Way
CSRF

16. Two-­‐Way
CSRF
• ApplicaEon
is
serving
various
streams
like
–
JSON,
JS-­‐Object,
Array
etc.

17. Two-­‐Way
CSRF

18. Two-­‐Way
CSRF
• AOacker
page
can
make
cross
domain
request
using
SCRIPT
(firefox)
• Following
code
can
overload
the
array
stream.
funcEon
Array()
{
var
obj
=
this;
var
index
=
0;
for(j=0;j<4;j++){
obj[index++]
seOer
=
spoof;
}
}
funcEon
spoof(x){
send(x.toString());
}

19. Two-­‐Way
CSRF

20. Two-­‐Way
CSRF
• It
is
possible
to
overload
these
objects.
• Reading
and
sending
to
cross
domain
possible.
• Opens
up
two
way
channel
for
an
aOacker.
• Web
2.0
streams
are
vulnerable
to
these
aOacks.

21. Countermeasure
• Server
Side
Checks
– Check for client’s content-type.
– XHR calls – xml/application.
– Native calls – text/html.
– Filtering is possible on it.
• Client
Side
Checks
– Stream can be started and terminated by /* or any
predefined characters.
– Client can remove them before injecting to DOM.

22. Clickjacking

23. DescripEon
• Clickjacking
is
a
popular
name
for
an
old
aOack
method
called
“UI
redressing”
• Though
a
case
of
“old
wine
in
a
new
boOle”,
given
the
current
development
in
Web
standards
(Web
2.0,
AJAX,
etc),
one
cannot
ignore
the
risks
posed
by
this
vulnerability
• The
basic
philosophy
of
this
aOack
is
to
fool
the
user
into
clicking
a
malicious
link

24. DescripEon
• Clickjacking
involves
“hijacking”
the
user's
mouse
clicks
• This
means,
the
user
thinks
(s)he's
clicking
on
something,
but
is
actually
not
• The
user,
invariably
and
unknowingly
authorizes
certain
acEons
which
could
have
disasterous
consequences
or
could
be
as
harmless
as
being
redirected
to
a
games
site

25. AOack
Anatomy
• There
are
3
popular
ways
in
which
aOackers
perpetrate
this
vulnerability
– Using invisible elements such as iframes
– Injecting malicious javascript (or any
other client side scripting language)
– Leveraging a bug in Adobe Flash Player
(this method is now obsolete)

26. AOack
Anatomy
• An
aOacker
uses
the
concept
of
layering
to
crat
an
aOack
• Basically,
the
page
that
the
user
views,
will
have
layers
• Some
of
these
layers
will
be
transparent
(or
invisible)
• The
user
will
never
know
of
the
invisible
layers
and
will
end
up
making
a
wrong
choice

27. AOack
Anatomy
• Lets
first
understand
this
basic
mechanism
with
an
example
and
then
move
on
to
the
different
ways
of
perpetraEng
this
aOack
....

28. AOack
Anatomy
Send email to all users ?
Yes No
Actual intented content ....

29. AOack
Anatomy
Send email to all users ?
Yes No
Do you want a free iPad?
No
Intended content .... Malicious content for clickjacking

30. AOack
Anatomy
Send email to all users ?
Yes No
Do you want a free iPad?
No
When the two are super imposed …
(“Send email to all users?” Will not be visible, it is
shown here for clarity)

31. Unvalidated
Redirects
&
Forwards

32. DescripEon
• Web
applicaEons
are
having
its
own
“flow”
• Business
flow
needs
movement
between
pages
and
sites
• ApplicaEon
uses
same
domain
or
cross
domain
redirects
and
forwards
• It
allows
applicaEons
to
work
easily
and
access
same
domain
or
cross
domain
resources
(Single
Sign
On
–
leveraging)

33. DescripEon
• HTTP
requests
can
be
GET
or
POST
• Parameters
are
not
validated
and
can
lead
to
arbitrary
redirects
• This
can
be
leveraged
at
ease
and
get
exploited
by
an
aOacker
• AOacker
exploits
the
trust
and
leverage
the
vulnerability

34. AOack
Anatomy
• As
a
part
of
root
cause,
there
must
be
a
redirect
hole
• Example,
– http://foo.bank.com/login.aspx?
user=xxx&page=trade.aspx
• Here
“page”
is
a
vulnerable
parameter
• What
if?
Some
one
put
page=hOp://
yahoo.com
…

35. AOack
Anatomy
Attacker
foo.bank.com
http://foo.bank.com/login.aspx?user=xxx&
page=http://yahoo.com
Get redirect or JavaScript call
for loading yahoo.com
Vulnerability detected!!!

36. AOack
Anatomy
• What
is
redirect…
– If server sends 302 in its HTTP response
– If server sends JavaScript with certain
document object calls like “location”
• What
will
happen…
– It will send browser to new location
– User will stay in impression that he/she is at
trusted site but that is not the case

37. AOack
Anatomy
Bank’s user
foo.bank.com
Login the page
Login successful
This is what in user’s mind…
a.) URL – trusted, foo.bank.com
b.) Login form - trusted

38. AOack
Anatomy
• User
is
doing
all
his
acEviEes
• Full
trust
is
established
and
day
to
day
work
is
going
on
• Now
aOacker’s
acEon
comes
in
…
• AOacker
sends
a
mail
and
request
to
login
and
change
password
immediately
as
part
of
banking
policies
•
AOacker
acts
as
administrator
from
bank

39. AOack
Anatomy
• Magic
is
in
the
link
and
trust
is
in
the
mind.
• User
trust
the
URL
and
Link
both
consciously
and
subconsciously…
• Following
link
will
be
sent.
http://foo.bank.com/login.aspx?user=xxx&date=12-12-2009&trust=good&
page=http://203.88.xx.xx/security.html
Link is injected
User is going to trust this

40. AOack
Anatomy
Click the link
Get a redirect response
to 203.88.XX.XX
1Link in mail

41. AOack
Anatomy
Bank’s user
foo.bank.com
Click the link
Get a redirect response
to 203.88.XX.XX
203.88.XX.XX
(Attacker’s area)
Bank’s user
Send dummy form
Trusted evil redirect
2

42. AOack
Anatomy
Bank’s user
foo.bank.com
Click the link
Get a redirect response
to 203.88.XX.XX
203.88.XX.XX
(Attacker’s area)
Bank’s user
Send dummy form
Bank’s user
Send username and password
Send dummy response (Thanks!)
Trusted evil redirect
203.88.XX.XX
(Attacker’s area)
3

43. AOack
Anatomy
Bank’s user
foo.bank.com
Click the link
Get a redirect response
to 203.88.XX.XX
203.88.XX.XX
(Attacker’s area)
Bank’s user
Send dummy form
Bank’s user
Send username and password
Send dummy response (Thanks!)
Trusted evil redirect
203.88.XX.XX
(Attacker’s area)
Logs in and
do money
transfer
4

44. Conclusion