Stateless Anti-Csrf

•Transferir como KEY, PDF•

1 gostou•3,158 visualizações

johnwilander

Tecnologia

Stateless is Good

• Don't need to synchronize between
servers

• No bloated session objects on
servers

• REST

REST Constraint
Stateless
The client–server communication is further
constrained by no client context being stored
on the server between requests. Each request
from any client contains all of the information
necessary to service the request, and any
session state is held in the client.

Stateless
Double Submit
(CSRF Protection)

Double Submit
(CSRF protection)

Anti-CSRF value
as cookie ...

... and
request parameter

Double Submit
(CSRF protection)

cookie ≠
request parameter

Cannot read the
anti-CSRF cookie to
include it as parameter

Double Submit
(CSRF protection)

Anti-CSRF cookie can
be generated client-side
=> no server-side state

Are We Fully
Protected Now?
Of course not

The Other
Subdomain
https://securish.1-liner.org https://other.1-liner.org

Search

Buy!

The Other
Subdomain
https://securish.1-liner.org https://other.1-liner.org

<script>alert('XSS')</script> Search

XSS
OK

Buy!

The Other
Subdomain
https://securish.1-liner.org https://other.1-liner.org

<script> Search
$.cookie(
"doubleSubmitToken",
"knownValue",
{ path: "/",
domain: ".1-liner.org" });
</script>
Buy!

I proposed some sort of
Triple Submit
CSRF Protection

Triple Submit
(CSRF protection)

Initial request of
rich internet app

Triple Submit
(CSRF protection)

Random HttpOnly cookie

Cookie value as
JavaScript variable

Triple Submit
(CSRF protection)

Random HttpOnly cookie

Cookie value as
request parameter

Stateful:
Cookie name saved in server session
Stateless:
Server only accepts one such cookie (checks format)

The 3rd Submit
• The server sets an HttpOnly cookie
with a random name and random
value

• The server tells the client the value
of the random cookie, not the name

• The client submits the value of the
cookie as a request parameter

The 3rd Submit
• The server sets an httpOnly cookie
response.addHeader("Set-Cookie",
randomName a random randomValue + ";
with + "=" + name and random
value
HttpOnly; path='/'; domain=.1-liner.org");

• The server tells the client the value
of the random cookie, not the name

• The client submits the value of the
cookie as a request parameter

The 3rd Submit
• The server sets an httpOnly cookie
with a random name and random
value
<script>
• The server tells the<%= randomValue %>;
var ANTI_CSRF_TRIPLE = client the value
of the random cookie, not the name
</script>
• The Client submits the name and
value of the cookie as a request
parameter

The 3rd Submit

• Cookie value as parameter
• The cookie name
• The cookie value

Yes.
When a browser reaches
its limit for cookies for a
domain
it starts to delete older
cookies, including

Credit: http://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/

So the attacker can delete
the HttpOnly cookie(s)
this way and then set
them to a controlled
value,
effectively overwriting

var overflowCookieJar =
function() {
var name = "marker",
val = "markerVal",
counter = 0;
// Set an initial cookie as a marker
$.cookie(name, val,
{path: "/", domain: ".1-liner.org"});
// Set new cookies until marker is gone
while($.cookie(name) == val) {
$.cookie(name + counter++, val,
{path: "/", domain: ".1-liner.org"});
}
// Return number of cookies needed
return counter;
}

Overﬂow the
Cookie Jar
• Chrome 22: 150-180 cookies
needed

• Firefox 15: 150 cookies needed
• Safari 6: ≈1000 cookies needed

The Demo System is an
OWASP Project

1-liner.org

Mais conteúdo relacionado

Mais procurados

CSRF Basicsn|u - The Open Security Community

Cross Site Request Forgery VulnerabilitiesMarco Morana

Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya

Cross Site Request ForgeryTony Bibbs

Understanding Cross-site Request ForgeryDaniel Miessler

Cross Site Scripting Going Beyond the Alert BoxAaron Weaver

Xss (cross site scripting)vinayh.vaghamshi _

A4 A K S H A Y B H A R D W A Jbhardwajakshay

Reflective and Stored XSS- Cross Site ScriptingInMobi Technology

Identifying XSS Vulnerabilitiesn|u - The Open Security Community

Introduction to CSRF Attacks & DefenseSurya Subhash

Web security: OWASP project, CSRF threat and solutionsFabio Lombardi

Cross site scriptingkinish kumar

Cross site scripting XSSRonan Dunne, CEH, SSCP

Understanding CSRFPotato

SeanRobertsThesisSean Roberts

MVC CSRF ProtectionBarry Dorrans

Xss pptchanakyac1

Hack using firefoxReza Nurfachmi

Web security landscape Unit 3 part 2SURBHI SAROHA

Mais procurados (20)

CSRF Basics

Cross Site Request Forgery Vulnerabilities

Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter

Cross Site Request Forgery

Understanding Cross-site Request Forgery

Cross Site Scripting Going Beyond the Alert Box

Xss (cross site scripting)

A4 A K S H A Y B H A R D W A J

Reflective and Stored XSS- Cross Site Scripting

Identifying XSS Vulnerabilities

Introduction to CSRF Attacks & Defense

Web security: OWASP project, CSRF threat and solutions

Cross site scripting

Cross site scripting XSS

Understanding CSRF

SeanRobertsThesis

MVC CSRF Protection

Xss ppt

Hack using firefox

Web security landscape Unit 3 part 2

Semelhante a Stateless Anti-Csrf

DVWA BruCON Workshoptestuser1223

The top 10 security issues in web applicationsDevnology

Evolution Of Web SecurityChris Shiflett

Cross Site Scripting - Mozilla Security Learning CenterMichael Coates

Building Secure User Interfaces With JWTsrobertjd

XSS - Attacks & DefenseBlueinfy Solutions

Modern Web Application DefenseFrank Kim

Krzysztof Kotowicz - Hacking HTML5DefconRussia

Hacking HTML5 offensive course (Zeronights edition)Krzysztof Kotowicz

Secure java script-for-developersn|u - The Open Security Community

Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath

OWASP Serbia - A5 cross-site request forgeryNikola Milosevic

W3 conf hill-html5-security-realitiesBrad Hill

Application Security around OWASP Top 10Sastry Tumuluri

Message in a BottleZohar Arad

04. xss and encodingEoin Keary

Complete xss walkthroughAhmed Elhady Mohamed

OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request ForgeryOWASP Khartoum

JWT Authentication with AngularJSrobertjd

Browser Security 101 Stormpath

Semelhante a Stateless Anti-Csrf (20)

DVWA BruCON Workshop

The top 10 security issues in web applications

Evolution Of Web Security

Cross Site Scripting - Mozilla Security Learning Center

Building Secure User Interfaces With JWTs

XSS - Attacks & Defense

Modern Web Application Defense

Krzysztof Kotowicz - Hacking HTML5

Hacking HTML5 offensive course (Zeronights edition)

Secure java script-for-developers

Building Secure User Interfaces With JWTs (JSON Web Tokens)

OWASP Serbia - A5 cross-site request forgery

W3 conf hill-html5-security-realities

Application Security around OWASP Top 10

Message in a Bottle

04. xss and encoding

Complete xss walkthrough

OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery

JWT Authentication with AngularJS

Browser Security 101

Mais de johnwilander

JavaScript Beyond jQuery (Jfokus 2013)johnwilander

Tre sårbarheter i webbapparjohnwilander

Web Integration Patterns in the Era of HTML5johnwilander

Hotlinking is Too Hot for Comfortjohnwilander

Advanced CSRF and Stateless Anti-CSRFjohnwilander

Application Security for Rich Internet Applicationss (Jfokus 2012)johnwilander

JavaScript för Javautvecklarejohnwilander

Application Security, in Six Parts (HackPra 2012)johnwilander

RIPE: Runtime Intrusion Prevention Evaluatorjohnwilander

Application Security for RIAsjohnwilander

Mais de johnwilander (10)

JavaScript Beyond jQuery (Jfokus 2013)

Tre sårbarheter i webbappar

Web Integration Patterns in the Era of HTML5

Hotlinking is Too Hot for Comfort

Advanced CSRF and Stateless Anti-CSRF

Application Security for Rich Internet Applicationss (Jfokus 2012)

JavaScript för Javautvecklare

Application Security, in Six Parts (HackPra 2012)

RIPE: Runtime Intrusion Prevention Evaluator

Application Security for RIAs

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls

Artificial Intelligence: Facts and MythsJoaquim Jorge

A Domino Admins Adventures (Engage 2024)Gabriella Davis

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science

TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc

Tech Trends Report 2024 Future Today Institute.pdfhans926745

Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

GenCyber Cyber Security Day PresentationMichael W. Hawkins

08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls

Evaluating the top large language models.pdfChristopherTHyatt

Automating Google Workspace (GWS) & more with Apps Scriptwesley chun

Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge

Partners Life - Insurer Innovation Award 2024The Digital Insurer

Stateless Anti-Csrf

1. Stateless Anti-CSRF @johnwilander at Dagstuhl 2012 Germany

2. Stateless is Good • Don't need to synchronize between servers • No bloated session objects on servers • REST

3. REST Constraint Stateless The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.

4. Stateless Double Submit (CSRF Protection)

5. Double Submit (CSRF protection) Anti-CSRF value as cookie ... ... and request parameter

6. Double Submit (CSRF protection) cookie ≠ request parameter Cannot read the anti-CSRF cookie to include it as parameter

7. Double Submit (CSRF protection) Anti-CSRF cookie can be generated client-side => no server-side state

8. Demo Double Submit

9. Are We Fully Protected Now?

10. Are We Fully Protected Now? Of course not

11. The Other Subdomain https://securish.1-liner.org https://other.1-liner.org Search Buy!

12. The Other Subdomain https://securish.1-liner.org https://other.1-liner.org <script>alert('XSS')</script> Search XSS OK Buy!

13. The Other Subdomain https://securish.1-liner.org https://other.1-liner.org <script> Search $.cookie( "doubleSubmitToken", "knownValue", { path: "/", domain: ".1-liner.org" }); </script> Buy!

14. Demo Subdomain XSS Double Submit Bypass

15. I proposed some sort of Triple Submit CSRF Protection

16. Triple Submit (CSRF protection) Initial request of rich internet app

17. Triple Submit (CSRF protection) Random HttpOnly cookie Cookie value as JavaScript variable

18. Triple Submit (CSRF protection) Random HttpOnly cookie Cookie value as request parameter Stateful: Cookie name saved in server session Stateless: Server only accepts one such cookie (checks format)

19. The 3rd Submit • The server sets an HttpOnly cookie with a random name and random value • The server tells the client the value of the random cookie, not the name • The client submits the value of the cookie as a request parameter

20. The 3rd Submit • The server sets an httpOnly cookie response.addHeader("Set-Cookie", randomName a random randomValue + "; with + "=" + name and random value HttpOnly; path='/'; domain=.1-liner.org"); • The server tells the client the value of the random cookie, not the name • The client submits the value of the cookie as a request parameter

21. The 3rd Submit • The server sets an httpOnly cookie with a random name and random value <script> • The server tells the<%= randomValue %>; var ANTI_CSRF_TRIPLE = client the value of the random cookie, not the name </script> • The Client submits the name and value of the cookie as a request parameter

22. The 3rd Submit • Cookie value as parameter • The cookie name • The cookie value

23. Can XSS overwrite HttpOnly cookies?

24. Yes. When a browser reaches its limit for cookies for a domain it starts to delete older cookies, including Credit: http://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/

25. So the attacker can delete the HttpOnly cookie(s) this way and then set them to a controlled value, effectively overwriting

26. var overflowCookieJar = function() { var name = "marker", val = "markerVal", counter = 0; // Set an initial cookie as a marker $.cookie(name, val, {path: "/", domain: ".1-liner.org"}); // Set new cookies until marker is gone while($.cookie(name) == val) { $.cookie(name + counter++, val, {path: "/", domain: ".1-liner.org"}); } // Return number of cookies needed return counter; }

27. Demo Subdomain XSS Triple Submit Bypass

28. Overﬂow the Cookie Jar • Chrome 22: 150-180 cookies needed • Firefox 15: 150 cookies needed • Safari 6: ≈1000 cookies needed

29. The Demo System is an OWASP Project 1-liner.org

Stateless Anti-Csrf

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Stateless Anti-Csrf

Semelhante a Stateless Anti-Csrf (20)

Mais de johnwilander

Mais de johnwilander (10)

Último

Último (20)

Stateless Anti-Csrf

Notas do Editor