
Stateless Anti-CSRF


  1. Stateless Anti-CSRF. @johnwilander at Dagstuhl 2012, Germany
  2. Stateless is Good
     • Don't need to synchronize between servers
     • No bloated session objects on servers
     • REST
  3. REST Constraint: Stateless. The client–server communication is further constrained by no client context being stored on the server between requests. Each request from any client contains all of the information necessary to service the request, and any session state is held in the client.
  4. Stateless Double Submit (CSRF Protection)
  5. Double Submit (CSRF protection): Anti-CSRF value as cookie ... and request parameter
  6. Double Submit (CSRF protection): cookie ≠ request parameter. Cannot read the anti-CSRF cookie to include it as parameter
  7. Double Submit (CSRF protection): Anti-CSRF cookie can be generated client-side => no server-side state
  8. Demo: Double Submit
  9. Are We Fully Protected Now?
  10. Are We Fully Protected Now? Of course not
  11. The Other Subdomain: https://securish.1-liner.org, https://other.1-liner.org. Search. Buy!
  12. The Other Subdomain: https://securish.1-liner.org, https://other.1-liner.org. Search: <script>alert(XSS)</script> (alert: XSS, OK). Buy!
  13. The Other Subdomain: https://securish.1-liner.org, https://other.1-liner.org. Search:
     ```html
     <script>
     $.cookie("doubleSubmitToken", "knownValue", { path: "/", domain: ".1-liner.org" });
     </script>
     ```
     Buy!
  14. Demo: Subdomain XSS Double Submit Bypass
  15. I proposed some sort of Triple Submit CSRF Protection
  16. Triple Submit (CSRF protection): Initial request of rich internet app
  17. Triple Submit (CSRF protection): Random HttpOnly cookie. Cookie value as JavaScript variable
  18. Triple Submit (CSRF protection): Random HttpOnly cookie. Cookie value as request parameter. Stateful: Cookie name saved in server session. Stateless: Server only accepts one such cookie (checks format)
  19. The 3rd Submit
     • The server sets an HttpOnly cookie with a random name and random value
     • The server tells the client the value of the random cookie, not the name
     • The client submits the value of the cookie as a request parameter
  20. The 3rd Submit
     • The server sets an HttpOnly cookie with a random name and random value:
     ```java
     response.addHeader("Set-Cookie", randomName + "=" + randomValue + "; HttpOnly; path=/; domain=.1-liner.org");
     ```
     • The server tells the client the value of the random cookie, not the name
     • The client submits the value of the cookie as a request parameter
  21. The 3rd Submit
     • The server sets an HttpOnly cookie with a random name and random value
     • The server tells the client the value of the random cookie, not the name:
     ```html
     <script>
     var ANTI_CSRF_TRIPLE = "<%= randomValue %>";
     </script>
     ```
     • The client submits the name and value of the cookie as a request parameter
  22. The 3rd Submit
     • Cookie value as parameter
     • The cookie name
     • The cookie value
  23. Can XSS overwrite HttpOnly cookies?
  24. Yes. When a browser reaches its limit for cookies for a domain it starts to delete older cookies, including
     Credit: http://webstersprodigy.net/2012/08/03/analysis-of-john-wilanders-triple-submit-cookies/
  25. So the attacker can delete the HttpOnly cookie(s) this way and then set them to a controlled value, effectively overwriting
  26. Overflowing the cookie jar:
     ```javascript
     var overflowCookieJar = function() {
       var name = "marker", val = "markerVal", counter = 0;
       // Set an initial cookie as a marker
       $.cookie(name, val, {path: "/", domain: ".1-liner.org"});
       // Set new cookies until marker is gone
       while ($.cookie(name) == val) {
         $.cookie(name + counter++, val, {path: "/", domain: ".1-liner.org"});
       }
       // Return number of cookies needed
       return counter;
     };
     ```
  27. Demo: Subdomain XSS Triple Submit Bypass
  28. Overflow the Cookie Jar
     • Chrome 22: 150-180 cookies needed
     • Firefox 15: 150 cookies needed
     • Safari 6: ≈1000 cookies needed
  29. The Demo System is an OWASP Project: 1-liner.org
