RE: [WEB SECURITY] Defeating nonce/token based CSRF protection
- From: "Hoffman, Billy" <billy.hoffman@xxxxxx>
- Subject: RE: [WEB SECURITY] Defeating nonce/token based CSRF protection
- Date: Thu, 17 Apr 2008 19:17:50 +0000
The Yamanner worm is another good example. And Yahoo had a nonce-like random token called a crumb that stopped CSRF, but because there was an XSS vuln this defense was sidestepped.

I agree with Arian that the prevalence of XSS kind of makes implementing CSRF defenses like nonce a half measure at best. However, we need to start educating people so that as XSS goes down they are also protected against CSRF.
Billy
From: Ory Segal [mailto:SEGALORY@il.ibm.com]
Sent: Thursday, April 17, 2008 2:49 PM
To: Jeroen van Dongen
Cc: websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Defeating nonce/token based CSRF protection
Hi,
CSRF attacks usually take place when the victim is lured to some malicious site, and then presented with HTML that causes an automated request to be sent by the browser, for example using SCRIPT or IMG tags. In both cases, the browser will not allow the attacker to see the responses, so he/she cannot parse them and extract the nonce as you described.

The only possible way to do this is by using XMLHttpRequest, and that is only possible if you are operating in the same domain. A good real-world example for this was the SAMY worm, which originated from the MySpace domain and attacked its own users in the MySpace domain.
-Ory Segal
From: "Jeroen van Dongen" <jeroen@jkwadraat.net>
To: websecurity@webappsec.org
Date: 17/04/2008 06:59 PM
Subject: [WEB SECURITY] Defeating nonce/token based CSRF protection
________________________________
Dear,

I'm currently reading up on CSRF defenses and a highly recommended approach is to include a session-bound (or data-set bound) token in forms and/or URLs.

At various places it is described as a "robust" and "nearly impossible to beat" way to defend against CSRF. However, it seems to me that it is (conceptually) easily beaten. Perhaps I'm wrong (hope so), but let's have a go ...

The basis of this defensive technique is that the nonce a) cannot be guessed by the attacker and b) is not automatically sent by the browser upon request (as opposed to cookies etc.).

However, the nonce IS sent by the server to the client upon receiving a valid request. THE problem with CSRF is that the attacker is able to make VALID requests to the server, impersonating the real user, because the browser will happily send every required cookie, authorization header etc. along.

So if that is the case, what's to stop an attacker from first requesting the target form with a GET and then submitting the form with any desired values (including the freshly server-supplied and thus valid nonce) just like the user would do? Perhaps implemented as a Flash banner running on the attacker's site?

Interesting references in this case:
[1] http://www.xml.com/pub/a/2006/06/28/flashxmlhttprequest-proxy-to-the-rescue.html
[2] http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
[3] http://blogs.zdnet.com/security/?p=946

Regards,
Jeroen
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
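As an added illustration (not code from the thread or from any of the posters), here is a minimal Python sketch of the session-bound token Jeroen describes, with the server-side check that Ory's reply relies on: the browser attaches the session cookie to any request, but the token only reaches the submitter if it could read the response that carried the form. Everything here is constructed and hypothetical (the `start_session`/`handle_post` functions, the `/transfer` action, the in-memory session store); the token is additionally bound to the form action, the "data-set bound" variant Jeroen mentions.

```python
import hashlib
import hmac
import re
import secrets

# Constructed in-memory server state for a hypothetical app (not from the thread).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {}  # session_id -> {"user": name, "nonce": per-session CSRF nonce}

def start_session(user):
    """Log a user in: the session id goes in a cookie, the nonce stays server side."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "nonce": secrets.token_urlsafe(32)}
    return sid

def form_token(sid, action):
    """Data-set-bound token: HMAC over the session nonce and the form's action."""
    msg = f"{action}|{SESSIONS[sid]['nonce']}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def render_form(sid, action):
    """Response to a valid GET: the form with its token in a hidden field."""
    return (f'<form action="{action}" method="POST"><input type="hidden" '
            f'name="csrf" value="{form_token(sid, action)}"></form>')

def handle_post(cookies, action, fields):
    """Cookie identifies the user (browser sends it automatically); the token must
    have been read out of a response body, which only same-origin code can do."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no session"
    expected = form_token(sid, action).encode()
    supplied = fields.get("csrf", "").encode()
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf token missing or invalid"
    return 200, f"{action} accepted for {SESSIONS[sid]['user']}"

def simulate():
    """Replays the cases the thread argues about; returns the three status codes."""
    sid = start_session("alice")
    # Cross-site page: the cookie rides along, but that page never saw the GET response.
    blind = handle_post({"session": sid}, "/transfer", {"amount": "100"})[0]
    # Same-origin flow: the form was fetched from the origin and submitted with its token.
    form = render_form(sid, "/transfer")
    token = re.search(r'name="csrf" value="([^"]+)"', form).group(1)
    genuine = handle_post({"session": sid}, "/transfer", {"amount": "100", "csrf": token})[0]
    # A token minted for /transfer does not authorise a different action.
    replayed = handle_post({"session": sid}, "/delete-account", {"csrf": token})[0]
    return blind, genuine, replayed
```

The check cannot tell a genuine submission from one made by script already running in the application's own origin, which is exactly the XSS/Samy gap the thread points out; the token stops the blind cross-site case, nothing more.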
Brought to you by http://www.webappsec.org