CSRF, ClickJacking & Open Redirect

CSRF
(Cross
Site
Request
Forgery)

ClickJacking
&
Open
Redirects

Cross
Site
Request
Forgery
(CSRF)

•  Generic
CSRF
is
with
GET
/
POST

•  Forcefully
sending
request
to
the
target
applicaEon

with
cookie
replay

•  Leveraging
tags
like

–  IMG
–  SCRIPT
–  IFRAME
•  Not
abide
by
SOP
or
Cross
Domain
is
possible

Request
generaEon

IMG
SRC

<img
src="hOp://host/?command">

SCRIPT
SRC

<script

IFRAME
SRC

<iframe

Request
generaEon

'Image'
Object

<script>

var
foo
=
new
Image();

foo.src
=
"hOp://host/?command";

</script>

XHR
–
Cross
domain
diﬃcult

Request
generaEon

•  It
is
possible
to
generate
POST
as
well

•  Form
can
be
build
dynamically
and
buOon

click
from
JavaScript
is
possible

<script
type="text/javascript"

language="JavaScript">

document.foo.submit();

</script>

Cross
Site
Request
Forgery
(CSRF)

•  What
is
diﬀerent
with
Web
2.0

– Is it possible to do CSRF to XML stream
– How?
– It will be POST hitting the XML processing
resources like Web Services
– JSON CSRF is also possible
– Interesting check to make against application
and Web 2.0 resources

One
Way
CSRF
Scenario

One-‐Way
CSRF

•  <html>

•  <body>

•  <FORM
NAME="buy"
ENCTYPE="text/plain"
acEon="hOp://
trade.example.com/xmlrpc/trade.rem"
METHOD="POST">

• 

<input
type="hidden"
name='<?xml
version'
value='"1.0"?
><methodCall><methodName>stocks.buy</
methodName><params><param><value><string>MSFT</string></
value></param><param><value><double>26</double></value></
param></params></methodCall>'>

•  </FORM>

•  <script>document.buy.submit();</script>

•  </body>

•  </html>

Forcing
XML

•  Spligng
XML
stream
in
the
form.

•  Possible
through
XForms
as
well.

•  Similar
techniques
is
applicable
to
JSON
as

well.

Two-‐Way
CSRF

•  One-‐Way
–
Just
making
forceful
request.

•  Two-‐Way

– Reading the data coming from the target
– May be getting hold onto important
information – profile, statements, numbers
etc.
– Is it possible with JSON/XML

Two-‐Way
CSRF

•  ApplicaEon
is
serving
various
streams
like
–

JSON,
JS-‐Object,
Array
etc.

Two-‐Way
CSRF

•  AOacker
page
can
make
cross
domain
request

using
SCRIPT
(ﬁrefox)

•  Following
code
can
overload
the
array
stream.

funcEon
Array()

{
var
obj
=
this;
var
index
=
0;
for(j=0;j<4;j++){
obj[index++]

seOer
=
spoof;
}
}
funcEon
spoof(x){
send(x.toString());
}

Two-‐Way
CSRF

•  It
is
possible
to
overload
these
objects.

•  Reading
and
sending
to
cross
domain
possible.

•  Opens
up
two
way
channel
for
an
aOacker.

•  Web
2.0
streams
are
vulnerable
to
these

aOacks.

Countermeasure

•  Server
Side
Checks

–  Check for client’s content-type.
–  XHR calls – xml/application.
–  Native calls – text/html.
–  Filtering is possible on it.
•  Client
Side
Checks

–  Stream can be started and terminated by /* or any
predefined characters.
–  Client can remove them before injecting to DOM.

DescripEon

• Clickjacking
is
a
popular
name
for
an
old
aOack

method
called
“UI
redressing”

• Though
a
case
of
“old
wine
in
a
new
boOle”,

given
the
current
development
in
Web

standards
(Web
2.0,
AJAX,
etc),
one
cannot

ignore
the
risks
posed
by
this
vulnerability

• The
basic
philosophy
of
this
aOack
is
to
fool

the
user
into
clicking
a
malicious
link

DescripEon

•  Clickjacking
involves
“hijacking”
the
user's

mouse
clicks

•  This
means,
the
user
thinks
(s)he's
clicking

on
something,
but
is
actually
not

•  The
user,
invariably
and
unknowingly

authorizes
certain
acEons
which
could
have

disasterous
consequences
or
could
be
as

harmless
as
being
redirected
to
a
games
site

AOack
Anatomy

•  There
are
3
popular
ways
in
which
aOackers

perpetrate
this
vulnerability

–  Using invisible elements such as iframes
–  Injecting malicious javascript (or any
other client side scripting language)
–  Leveraging a bug in Adobe Flash Player
(this method is now obsolete)

AOack
Anatomy

•  An
aOacker
uses
the
concept
of
layering
to

crat
an
aOack

•  Basically,
the
page
that
the
user
views,
will

have
layers

•  Some
of
these
layers
will
be
transparent
(or

invisible)

•  The
user
will
never
know
of
the
invisible

layers
and
will
end
up
making
a
wrong

choice

AOack
Anatomy

•  Lets
ﬁrst
understand
this
basic
mechanism

with
an
example
and
then
move
on
to
the

diﬀerent
ways
of
perpetraEng
this
aOack
....

AOack
Anatomy

Send email to all users ?
Yes No
Actual intented content ....

AOack
Anatomy

Yes No
Do you want a free iPad?
No
Intended content .... Malicious content for clickjacking

AOack
Anatomy

Yes No
Do you want a free iPad?
No
When the two are super imposed …
(“Send email to all users?” Will not be visible, it is
shown here for clarity)

Unvalidated
Redirects
&

Forwards

DescripEon

•  Web
applicaEons
are
having
its
own
“ﬂow”

•  Business
ﬂow
needs
movement
between

pages
and
sites

•  ApplicaEon
uses
same
domain
or
cross

domain
redirects
and
forwards

•  It
allows
applicaEons
to
work
easily
and
access

same
domain
or
cross
domain
resources

(Single
Sign
On
–
leveraging)

DescripEon

•  HTTP
requests
can
be
GET
or
POST

•  Parameters
are
not
validated
and
can
lead
to

arbitrary
redirects

•  This
can
be
leveraged
at
ease
and
get

exploited
by
an
aOacker

•  AOacker
exploits
the
trust
and
leverage
the

vulnerability

AOack
Anatomy

•  As
a
part
of
root
cause,
there
must
be
a

redirect
hole

•  Example,

– http://foo.bank.com/login.aspx?
user=xxx&page=trade.aspx
•  Here
“page”
is
a
vulnerable
parameter

•  What
if?
Some
one
put
page=hOp://
yahoo.com
…

AOack
Anatomy

Attacker
foo.bank.com
http://foo.bank.com/login.aspx?user=xxx&
page=http://yahoo.com
Get redirect or JavaScript call
for loading yahoo.com
Vulnerability detected!!!

AOack
Anatomy

•  What
is
redirect…

– If server sends 302 in its HTTP response
– If server sends JavaScript with certain
document object calls like “location”
•  What
will
happen…

– It will send browser to new location
– User will stay in impression that he/she is at
trusted site but that is not the case

AOack
Anatomy

Bank’s user
foo.bank.com
Login the page
Login successful
This is what in user’s mind…
a.) URL – trusted, foo.bank.com
b.) Login form - trusted

AOack
Anatomy

•  User
is
doing
all
his
acEviEes

•  Full
trust
is
established
and
day
to
day
work
is

going
on

•  Now
aOacker’s
acEon
comes
in
…

•  AOacker
sends
a
mail
and
request
to
login
and

change
password
immediately
as
part
of

banking
policies

• 
AOacker
acts
as
administrator
from
bank

AOack
Anatomy

•  Magic
is
in
the
link
and
trust
is
in
the
mind.

•  User
trust
the
URL
and
Link
both
consciously

and
subconsciously…

•  Following
link
will
be
sent.

http://foo.bank.com/login.aspx?user=xxx&date=12-12-2009&trust=good&
page=http://203.88.xx.xx/security.html
Link is injected
User is going to trust this

AOack
Anatomy

Click the link
Get a redirect response
to 203.88.XX.XX
1Link in mail

AOack
Anatomy

Bank’s user
foo.bank.com
Click the link
to 203.88.XX.XX
203.88.XX.XX
(Attacker’s area)
Bank’s user
Send dummy form
Trusted evil redirect
2

AOack
Anatomy

Bank’s user
foo.bank.com
Click the link
to 203.88.XX.XX
203.88.XX.XX
(Attacker’s area)
Bank’s user
Send dummy form
Bank’s user
Send username and password
Send dummy response (Thanks!)
203.88.XX.XX
(Attacker’s area)
3

AOack
Anatomy

Bank’s user
foo.bank.com
Click the link
to 203.88.XX.XX
203.88.XX.XX
(Attacker’s area)
Bank’s user
Send dummy form
Bank’s user
Send username and password
Send dummy response (Thanks!)
203.88.XX.XX
(Attacker’s area)
Logs in and
do money
transfer
4

CSRF, ClickJacking & Open Redirect

More Related Content

What's hot (20)

Similar to CSRF, ClickJacking & Open Redirect (20)

More from Blueinfy Solutions (20)

Recently uploaded (20)

CSRF, ClickJacking & Open Redirect