Presentation on the topic: CSRF. Danger. Detection. Defenses

Contents

Slides and text of this presentation

Slide 1: Cross-Site Request Forgery: Danger, Detection, and Defenses
Eric Sheridan
Aspect Security, Inc.
eric.sheridan@aspectsecurity.com
11-14-2007


Slide 2: Overview
Discussion of the “Same Origin Policy”
Overview of the “Sleeping Giant”
The Introduction of 2 New OWASP Tools
A Series of New WebGoat Labs
Enterprise CSRF Mitigation Strategy

Slide 3: The Browser “Same Origin” Policy
[Diagram: bank.com and blog.net; document, cookies]

Slide 4: Cross-Site Request Forgery
[Diagram: bank.com; attacker’s post at blog.net]

Slide 5: How Does CSRF Work?
Tags
Autoposting Forms
XmlHttpRequest
Subject to same origin policy

Slide 6: Credentials Included
[Diagram: bank.com, blog.net]

Slide 7: New Tool: OWASP CSRFTester
Test your applications for CSRF
Record and replay transactions
Tune the recorded test case
Run test case with exported HTML document
Test case alternatives:
Auto-Posting Forms
Evil iFrame
IMG Tag
XMLHTTPRequest
Link

Slide 8: DEMO: OWASP CSRFTester

Slide 9: What Can Attackers Do with CSRF?
Anything an authenticated user can do
Click links
Fill out and submit forms
Follow all the steps of a wizard interface
No restriction from same origin policy, except…
Attackers cannot read responses from other origins
Limited on what can be done with data
Severe impact on accountability
Log entries reflect the actions a victim was tricked into executing

Slide 10: Using CSRF to Attack Internal Pages
[Diagram: attacker.com; internal.mybank.com (Internal Site); internal browser; “Allowed!”]

Slide 11: Misconceptions – Defenses That Don’t Work
Only accept POST
Stops simple link-based attacks (IMG, frames, etc.)
But hidden POST requests can be created with frames, scripts, etc…
Referer checking
Some users prohibit referers, so you can’t just require referer headers
Techniques to selectively create HTTP requests without referers exist
Requiring multi-step transactions
CSRF attack can perform each step in order
URL Rewriting
General session id exposure in logs, cache, etc.

None of these approaches will sufficiently protect against CSRF!

Slide 12: New Tool: OWASP CSRFGuard 2.0
User (Browser)
1. Add token with regex
2. Add token with HTML parser
3. Add token in browser with Javascript

Adds token to:
href attribute
src attribute
hidden field in all forms

Actions:
Log
Invalidate
Redirect

http://www.owasp.org/index.php/CSRFGuard
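The workflow this slide describes (inject a per-session token into href and src attributes and as a hidden field in every form, then validate it on each request and respond with Log, Invalidate or Redirect) is shown below as an added Python example. It is not code from the presentation or from CSRFGuard itself; the parameter name csrf_token, the regex-based injection (method 1 on the slide), the /csrf-error redirect target and the function names are assumptions made for this example.

```python
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Assumed parameter name and redirect target for this example only.
TOKEN_PARAM = "csrf_token"
ERROR_PAGE = "/csrf-error"


def new_session_token() -> str:
    """One unpredictable token per session; a cross-site page can neither read nor guess it."""
    return secrets.token_hex(16)


def _is_same_site(url: str) -> bool:
    """Only relative URLs get the token: adding it to a third-party href/src would leak it."""
    parts = urlsplit(url)
    return not parts.scheme and not parts.netloc


ATTR_RE = re.compile(r'(?P<attr>\b(?:href|src))="(?P<url>[^"]*)"', re.IGNORECASE)
FORM_RE = re.compile(r"<form\b[^>]*>", re.IGNORECASE)


def inject_token(html: str, token: str) -> str:
    """Slide method 1: rewrite the outgoing page with regular expressions."""

    def add_to_url(m):
        url = m.group("url")
        base, _, fragment = url.partition("#")
        if not base or not _is_same_site(base):
            return m.group(0)  # leave external, javascript:, mailto: and fragment-only links alone
        sep = "&" if "?" in base else "?"
        new_url = f"{base}{sep}{TOKEN_PARAM}={token}" + (f"#{fragment}" if fragment else "")
        return f'{m.group("attr")}="{new_url}"'

    html = ATTR_RE.sub(add_to_url, html)
    hidden = f'<input type="hidden" name="{TOKEN_PARAM}" value="{token}">'
    # Hidden field in every form, so POST bodies carry the token as well.
    return FORM_RE.sub(lambda m: m.group(0) + hidden, html)


def verify_request(params: dict, session: dict, actions=("Log", "Redirect"), audit=None):
    """Validate the token on an incoming request.

    Returns (True, []) when the presented token matches the session's token, otherwise
    (False, <actions taken>) after applying the configured CSRFGuard-style actions.
    """
    expected = session.get("csrf_token", "")
    presented = str(params.get(TOKEN_PARAM, ""))
    # Constant-time comparison: a guessing attacker learns nothing from response timing.
    if expected and hmac.compare_digest(expected.encode(), presented.encode()):
        return True, []

    taken = []
    for action in actions:
        if action == "Log":
            if audit is not None:
                audit.append(f"csrf-failure user={session.get('user')} presented={presented!r}")
            taken.append("Log")
        elif action == "Invalidate":
            session.clear()  # drop the authenticated session entirely
            taken.append("Invalidate")
        elif action == "Redirect":
            taken.append(f"Redirect:{ERROR_PAGE}")
    return False, taken


if __name__ == "__main__":
    # Constructed sample page and session for the demonstration.
    token = new_session_token()
    page = ('<a href="/transfer?to=bob">Pay</a><img src="https://cdn.example/logo.png">'
            '<form method="post" action="/transfer"></form>')
    print(inject_token(page, token))
    session = {"user": "alice", "csrf_token": token}
    print(verify_request({TOKEN_PARAM: token}, session))
    print(verify_request({}, session, actions=("Log", "Invalidate", "Redirect"), audit=[]))
```

Note that the external image URL is deliberately left untouched: a token written into a cross-origin src or href would be sent to that origin, which defeats the purpose of keeping it secret.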

Slide 13: DEMO: OWASP CSRFGuard 2.0

Slide 14: Similar Implementations
PHP CSRFGuard
PHP Implementation of CSRFGuard
http://www.owasp.org/index.php/PHP_CSRF_Guard

JSCK
PHP & JavaScript implementation
http://www.thespanner.co.uk/2007/10/19/jsck/

Slide 15: DEMO: Cross-Site Scripting vs. CSRFGuard

Slide 16: Enterprise CSRF Mitigation Strategy
Balance Between Security, Usability, and Cost
[Diagram tiers, top to bottom: MISSION CRITICAL FUNCTIONS; EVERYDAY BUSINESS FUNCTIONS; LUNCH MENU FUNCTIONS]

Slide 17
http://www.owasp.org/index.php/Cross-Site_Request_Forgery
http://www.cgisecurity.com/articles/csrf-faq.shtml
http://www.darkreading.com/document.asp?doc_id=107651&WT.svl=news1_2

Slide 18: Extra: How Widespread Are CSRF Holes?
Very likely in most web applications
Including both intranet and external apps
Including Web 1.0 and Web 2.0 applications
Any function without specific CSRF defenses is vulnerable

How do victims get attacked?
Victim simply opens an infected webpage, HTML file, or email
Single Sign On (SSO) extends “authenticated user”

CSRF recently found in 8 security appliances
Including CheckPoint

Slide 19: Extra: Real World CSRF Examples

Slide 20: Extra: CSRF Defenses
CAPTCHA
Attacker must know CAPTCHA answer
Assuming a secure implementation
Re-Authentication
Password Based
Attacker must know victim’s password
If password is known, then game over already!
One-Time Token
Attacker must know current token
Very strong defense!
Unique Request Tokens
Attacker must know unique request token for particular victim for particular session
Assumes token is cryptographically secure and not disclosed.
/accounts?auth=687965fdfaew87agrde …
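The one-time token and unique request token defenses on this slide, as an added Python example that is not from the presentation: the server issues a token bound to one session and one action when a form is rendered, accepts it exactly once on submission, and rejects replays, tokens presented from another session, tokens for a different action, and expired tokens. The class name OneTimeTokenStore, its methods and the reason strings are hypothetical names chosen for this example.

```python
import hmac
import secrets
import time


class OneTimeTokenStore:
    """Server-side store of tokens valid for one session, one action and one use."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._issued = {}  # token -> (session_id, action, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, session_id: str, action: str) -> str:
        """Called when a form is rendered; the result goes into a hidden field."""
        self._purge_expired()
        token = secrets.token_urlsafe(32)  # 256 random bits: cryptographically secure, not guessable
        self._issued[token] = (session_id, action, self._clock() + self._ttl)
        return token

    def redeem(self, session_id: str, action: str, presented) -> tuple:
        """Called when the form is submitted. Returns (accepted, reason)."""
        # pop(): a token is consumed on first presentation whatever the outcome,
        # so a captured or replayed submission never succeeds a second time.
        record = self._issued.pop(presented, None)
        if record is None:
            return False, "unknown-or-replayed"
        bound_session, bound_action, expires_at = record
        if self._clock() > expires_at:
            return False, "expired"
        # The token only counts for the victim's own session and the action it was issued for.
        same_session = hmac.compare_digest(bound_session.encode(), session_id.encode())
        if not (same_session and bound_action == action):
            return False, "wrong-session-or-action"
        return True, "ok"

    def pending(self) -> int:
        """Number of tokens currently outstanding (after purging expired ones)."""
        self._purge_expired()
        return len(self._issued)

    def _purge_expired(self):
        now = self._clock()
        self._issued = {t: r for t, r in self._issued.items() if r[2] >= now}


if __name__ == "__main__":
    # Constructed walkthrough: issue for a transfer form, redeem once, then replay.
    store = OneTimeTokenStore(ttl_seconds=60)
    tok = store.issue("session-alice", "transfer")
    print(store.redeem("session-alice", "transfer", tok))   # accepted
    print(store.redeem("session-alice", "transfer", tok))   # replay rejected
    print(store.redeem("session-mallory", "transfer", store.issue("session-alice", "transfer")))
```

Binding the token to the session is what makes it a "unique request token for a particular victim for a particular session"; consuming it on first use is what makes it one-time. Both only hold if the token is never disclosed to another origin, which is why it belongs in a hidden form field or a same-site link rather than in a URL that third-party pages can see.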
