OWASP CSRF Protector
Transcript of OWASP CSRF Protector
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
OWASP CSRF Protector
Minhaz
3rd year, Computer Engineering
Delhi Technological University
What I'll cover:
Very brief introduction to CSRF
Introduction: CSRF Protector Project
Software design
Brief introduction to the implementation & final products
Salient features
Roadmap & plans
Feedback & questions
So what's CSRF?
[Slide: the "Nice Server" at http://www.bestbank.com shows the BestBank login page; user Admin logs in with a password. Page footer: "Protected by 128 bit encryption".]
Request URL: http://www.bestbank.com/…
Form Data: username=Admin&password=Password
Response headers:
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Set-Cookie: SESSID=hhiksdh234; expires=Wed, 10-Sep-2014 20:32:50 GMT
Cross Site Request Forgery
[Slide: after login, BestBank.com at http://www.bestbank.com shows "Welcome Admin" and a Money Transfer option.]
[Slide: BestBank Money Transfer form at http://www.bestbank.com/moneytransfer.php ("Welcome Admin"); Admin enters Receiver's Account No 10002 and Amount 1,00,000 and clicks Transfer.]
Request URL: http://www.bestbank.com/secure/transfer.php…
Form Data: accountno=10002&amount=100000…
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23
[Slide: the Evil Server at http://www.evil.com ("Evil Contents are always nice!!"). While Admin is still logged in to BestBank, a page on evil.com makes the browser send the same transfer request to BestBank with a different account number, and the browser attaches the BestBank session cookie on its own.]
Request URL: http://www.bestbank.com/secure/transfer.php…
Form Data: accountno=1337&amount=100000…
Content-Length: 49
Content-Type: application/x-www-form-urlencoded
Cookie: SESSID=hhiksdh23
[Slide: BestBank Transactions summary at http://www.bestbank.com/summary/ ("Welcome Admin").]
Sl No | Account No | Amount     | Date     | Balance
1     | 10002      | INR 100000 | 10.09.14 | INR 1500000
2     | 1337       | INR 100000 | 11.09.14 | INR 1400000
Other possibilities:
If there is a CSRF vulnerability in the admin panel of a website, the whole website can be compromised!
Hijacking the primary DNS server setting of your router -> phishing, MITM, etc.!
…Add more!
Want to see it work? Visit superlogout.com
Read more in the OWASP CSRF Cheat Sheet; just Google it!
CSRF Protector Project
Project Leader
Abbas Naderi
Primary Contributor
that’s me!
Project Mentors
Kevin W. Wall & Jim Manico
Other Contributors
Abhinav Dahiya
CSRF Protector Project
A new anti-CSRF method to protect web applications! It has two parts for now:
A standalone PHP library
An Apache 2.x.x module
[Diagram: Request from client -> Server Side Interceptor / Input Filter -> web application logic -> Output Filter -> Response to client]
Server Side Interceptor / Input Filter (flowchart):
Has token in cookie (C)? No -> take action as per configuration.
Has token in request (T)? No -> take action as per configuration.
C == T? No -> take action as per configuration.
Yes -> Allow the request, generate another pseudo random token & send it back to the client!
Take action as per configuration:
• Send back a 403
• Send back a 404
• Show a custom error message
• Redirect user to a custom URL
• Strip all request arguments and allow the request
Output Filter
• Works on regular-expression based matching!
• It injects JavaScript code just after the closing </body> tag when there is HTML output.
• Our normal versions also inject a <noscript> tag with a message inside it, asking the user to enable JavaScript if it is not already enabled! For the PHP library we also have a version that works without JavaScript.
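An added example of such an output filter in Node.js (not the project's own code): it checks that the response is HTML, then uses a regular expression to place a script tag and a <noscript> notice right after the closing </body> tag. The script URL `/csrfp.js`, the notice text and the sample page are assumptions.

```javascript
// Added example (not the CSRF Protector project's own code): a regex-based
// output filter that injects the client-side script after </body>.
// SCRIPT_URL and the <noscript> wording are assumptions.
const SCRIPT_URL = '/csrfp.js'; // assumed location of the client-side script

const INJECTED =
  '<script type="text/javascript" src="' + SCRIPT_URL + '"></script>' +
  '<noscript>Please enable JavaScript: this site needs it for CSRF protection.</noscript>';

// Only HTML responses are touched; JSON, images and other bodies pass through.
function isHtml(contentType) {
  return /^text\/html\b/i.test(contentType || '');
}

// Inject after the first closing </body> tag (case-insensitive, whitespace inside
// the tag tolerated). A body with no closing tag is returned unchanged, so partial
// or non-page output is never corrupted.
function injectAfterBody(contentType, body) {
  if (!isHtml(contentType)) return body;
  const re = /<\/body\s*>/i;
  if (!re.test(body)) return body;
  // Replacement via callback, so '$' sequences in INJECTED are never interpreted.
  return body.replace(re, (m) => m + INJECTED);
}

// Count how many times the script was injected (for checking idempotence).
function injectionCount(body) {
  return body.split('<script').length - 1;
}

module.exports = { INJECTED, isHtml, injectAfterBody, injectionCount };
```

Checking the Content-Type first matters as much as the regex itself: an API that returns JSON containing the text `</body>` would otherwise end up with HTML appended to it.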
The JavaScript's job
It does the primary job!
The JavaScript code running on the client's machine ensures that, for each request that needs CSRF validation, a token is attached to it at the point of dispatch!
So tokens are attached to every POST request and to certain GET requests (allowed by rules in the configuration) originating from the browser, which is something an attacker cannot craft!
Correctness of the design
Scripts running on the attacker's website cannot retrieve the token from other websites, because of the browser's Same Origin Policy!
The attacker cannot use his own token to authenticate requests to other websites.
The attacker cannot guess tokens based on the ones he has, as a new pseudo random token is generated for each request (& each user), and the PRNG is reseeded after every 10000 requests!
Standalone library for CSRF mitigation in PHP-based applications. It can be easily integrated with existing web applications or used while developing new ones.
Features:
1. Highly customisable!
2. Supports POST / GET requests!
3. Easy to alter according to your needs!
4. Works well with all PHP versions > 5.0
• It can be easily installed on Apache 2.2 servers! It is distributed as a shared object file!
• Easy to configure, by modifying fields in the httpd.conf file (Apache's configuration file)
• The developer doesn't need to make any changes to their web application, so even a server administrator can deploy it on their servers.
• Has currently been tested on Linux (Ubuntu) and OS X only!
1. Easy to work with or integrate
2. Supports AJAX & dynamic forms
• We also have custom wrappers in JS that ensure that our injected token doesn't create any conflict with the developer's own logic for form validation functions!
• We support the old attachEvent() & ActiveXObject() methods that exist in IE (<= 6.0)
3. Supports GET requests!
We use regex rules of this kind to match URLs at validation time, and we pass them on to the JavaScript code so that it knows which requests to attach tokens to!
They are stored in the configuration!
4. A better option for apps that support plugins, for example WordPress!
Roadmap?
Apache 2.2 module that works on Windows systems!
Automated testing (Continuous Integration) for the Apache module!
Support for legitimate cross-domain requests!
https://owasp.org/index.php/CSRFProtector_Project