RE: [WEB SECURITY] Can WAF's block CSRF?
- From: "Tom Spector" <t.spector@xxxxxx>
- Subject: RE: [WEB SECURITY] Can WAF's block CSRF?
- Date: Fri, 10 Nov 2006 12:10:50 -0800
Hi Brian,

My initial statement was regarding the ability to mitigate the risk of
such an attack rather than claim that it can be 100% blocked.
The various options that I mentioned can be used alone or together to
provide various degrees of mitigation.

With regards to using cookies I mentioned two areas where they can be
helpful:
- Timeout - if the site does not timeout on its own cookies,
you can set a timeout on the ASM cookie after which the site's cookie
will no longer be valid and the request will be rejected - this would
mean that a CSRF would need to be in the timeframe of the ASM cookie
timeout to have a chance of succeeding.
- Referer enforcement - by enforcing referer, requests that do
not forge the referer will never succeed and the ones that do will need
to be the right referer and in the right timeframe (per first bullet).

While these two measures are not by themselves a foolproof solution, I
see them as very powerful and easy to implement risk reduction tools.

Thanks,

Tom.

________________________________
From: Brian Eaton [mailto:eaton.lists@gmail.com]
Sent: Wednesday, November 01, 2006 10:16 PM
To: Tom Spector
Cc: Jeremiah Grossman; Web Security
Subject: Re: [WEB SECURITY] Can WAF's block CSRF?

On 10/31/06, Tom Spector <t.spector@f5.com> wrote:
- Enforce application flow by allowing access to certain pages
only from other pages in the application and not as an entry point -
this means that requests for /execute.php will be allowed only if
/login.php was requested prior to that. This enforcement is done based
on an ASM signed cookie rather than anything controlled by the user
(e.g. referer header or site cookie).

Hi Tom -

Can you make any technical information available on how ASM signed
cookies are implemented? I checked the f5 web site, but I couldn't find
documentation on this subject.

I ask because the idea of using HTTP cookies of any sort (signed or not)
to prevent CSRF seems a little strange to me. In your example above,
what happens if the user's browser has already visited login.php and the
signed cookie is established? What prevents a malicious web site from
forcing the user's browser to send a request to execute.php, completing
the CSRF attack?

I could be confused here; it might be that the protection you are
describing isn't meant to defend against CSRF.

Regards,
Brian
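As an added illustration of the trade-off Tom and Brian are discussing (example code written for this page, not F5 ASM's implementation; the cookie name ASM_FLOW, its payload format, the 300-second timeout and the hostnames are constructed assumptions), the following Python models a WAF that mints an HMAC-signed flow cookie when /login.php is served and then gates /execute.php on that cookie, applying the timeout and referer controls from the reply above one after the other so the effect of each is visible:

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo key; a real WAF keeps its own signing secret.
SECRET = b"constructed-demo-signing-key"
COOKIE_NAME = "ASM_FLOW"          # hypothetical cookie name, not F5's
SITE_ORIGIN = "https://app.example"  # constructed site origin


def sign_flow_cookie(visited_page, issued_at, secret=SECRET):
    """Mint a signed flow cookie recording which page was served and when.

    The browser cannot forge this because the HMAC is keyed with a secret
    the browser never sees; it can only replay the value it was given.
    """
    payload = f"{visited_page}|{issued_at}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_flow_cookie(value, secret=SECRET):
    """Return (page, issued_at) if the signature checks out, else None."""
    try:
        encoded, mac = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    page, issued_at = payload.decode().split("|", 1)
    return page, int(issued_at)


def waf_decision(request, now, timeout=300, enforce_referer=True):
    """Apply the two controls from the thread to a request for /execute.php.

    request is a dict with 'path', 'headers' and 'cookies'. Returns
    (allowed, reason) so each rule's contribution is visible.
    """
    if request["path"] != "/execute.php":
        return True, "not a flow-protected page"

    parsed = verify_flow_cookie(request["cookies"].get(COOKIE_NAME, ""))
    if parsed is None:
        return False, "missing or tampered flow cookie"
    page, issued_at = parsed
    if page != "/login.php":
        return False, "flow cookie does not attest a prior /login.php"
    # Timeout: the signed cookie only vouches for a short window.
    if now - issued_at > timeout:
        return False, "flow cookie expired"
    # Referer enforcement: reject requests that do not claim a same-site page.
    if enforce_referer:
        referer = request["headers"].get("Referer", "")
        if not referer.startswith(SITE_ORIGIN + "/"):
            return False, "referer is not from the site"
    return True, "ok"


def scenarios():
    """Constructed requests covering the cases raised in the thread."""
    login_at = 1_000
    cookie = sign_flow_cookie("/login.php", login_at)

    def req(referer, cookie_value=cookie):
        return {
            "path": "/execute.php",
            "headers": {"Referer": referer},
            "cookies": {COOKIE_NAME: cookie_value},
        }

    same_site = req(SITE_ORIGIN + "/login.php")
    # Cross-site request: the browser still attaches the cookie, but the
    # Referer (unless suppressed or forged) names the third-party page.
    cross_site = req("https://third-party.example/page.html")
    # Flip the last hex digit of the MAC to simulate a tampered cookie.
    tampered = req(SITE_ORIGIN + "/login.php",
                   cookie[:-1] + ("0" if cookie[-1] != "0" else "1"))

    return {
        "legit_in_window": waf_decision(same_site, now=login_at + 60),
        "cross_site_referer_enforced": waf_decision(cross_site, now=login_at + 60),
        "cross_site_referer_not_enforced": waf_decision(
            cross_site, now=login_at + 60, enforce_referer=False),
        "cross_site_after_timeout": waf_decision(
            cross_site, now=login_at + 600, enforce_referer=False),
        "tampered_cookie": waf_decision(tampered, now=login_at + 60),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in scenarios().items():
        print(f"{name:32s} {'ALLOW' if allowed else 'BLOCK':5s} {reason}")
```

The cross_site_referer_not_enforced case is Brian's objection made concrete: the browser attaches the signed cookie to a forced cross-site request exactly as it does to a legitimate one, so the signature alone proves nothing about who initiated the request. The referer check and the timeout are what narrow the window, which is the risk-reduction argument Tom makes; a per-request token carried in the form body rather than in a cookie is the usual complement when the window has to be closed rather than narrowed.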
Brought to you by http://www.webappsec.org