CIS 6614 meeting -*- Outline -*-

* Cross-Site Request Forgery (CSRF or XSRF)
   Based on notes by Suman Jana, which are based on slides by John Mitchell

   Also:

    Rupali D. Kombade, B.B. Meshram.
    "CSRF Vulnerabilities and Defensive Techniques",
    IJCNIS, vol.4, no.1, pp.31-37, 2012.
    DOI: 10.5815/ijcnis.2012.01.04

** background on the attack

   It's a kind of "confused deputy" attack
   in that browser acting on behalf of user
   sends cookie along to authenticate injected response
   
*** use of cookies for authentication
------------------------------------------
          SESSIONS USING COOKIES

 Browser             Server
   []   POST/login.cgi []
   [] ---------------->[]
   []                  []
   [] set-cookie: authenticator
   [] <--------------- []
   []                  []
   [] GET: Cookie: authenticator
   []----------------> []
   []                  []
   []    response      []
   [] <--------------- []
------------------------------------------
        the cookie is passed to the server as an authentication mechanism

*** example of attack
------------------------------------------
     ATTACK EXAMPLE

1. User logs in to  bank.com
    - Session cookie remains in browser

2. User visits another site with
   <form  name=F
    action=http://bank.com/BillPay.php>
   <input name=recipient value=badguy> ...
   <script> document.F.submit(); </script>

3. Browser sends user auth cookie
    with form submission

4. Transaction will be fulfilled

Problem:


------------------------------------------
      Q: Why is the transaction fulfilled?
         Because the cookie is still there
         and authenticates the user

      ... cookie authentication is insufficient
          when there are effects
          (e.g., for POST)

      Q: Is the attacker's page/script part of the original session?
         No, but cookies are global to browser (one per user)

      Q: Do you ever stay logged in to a website while browsing?
         (Many people do!)

------------------------------------------
      HTML TAGS USED IN CSRF ATTACKS

from Kombade and Meshram 2012 (table 1):

Tag     Exploit example
========================================

body    <body {background:url("attack")}>
        <body onload="attack">

img     <img src="attack">

input   <input type="image" src="attack"
            alt="Submit">

link    <link rel=".." type="text/css"
              href="attack">

table   <table background="attack">

iframe  <iframe src="attack">

        ...
------------------------------------------
        Q: Which does the user need to click on?
           input and link

** defenses against CSRF
------------------------------------------
         DEFENSES AGAINST CSRF

















------------------------------------------

     Q: How can CSRF be prevented?

     ... - Don't validate user via a cookie
           when making changes

         - Instead use a secret value
           for each session,
           but NOT in a cookie!

         - Don't trust user inputs
           or render untrusted information from web

         - Validate inputs (e.g., using regexps)

         - Use POST rather than GET

         - Validate the referer

           Referer:http://www.facebook.com/home.php

        (And use a timeout, which is protected with a MAC.)
        (And set a default character set)


------------------------------------------
   VARIATIONS ON SECRET TOKEN VALIDATION

 - Session identifier
 - Session-independent token
 - Session-dependent token
 - HMAC of session identifier
 
------------------------------------------

------------------------------------------
       WHY NOT VALIDATE REFERER/ORIGIN?

Why might a website not validate referer?










How is origin in header better?






------------------------------------------

     Q: Why might a website not want to validate referers?
        - not all websites send that information
          (it's a privacy issue)
        - user can set preference not to send that info
        - some organizations strip that information 
        - stripped by browser for HTTPS to HTTP translation
        - user agent could be buggy

     Q: Can a website afford to turn away customers with missing referers?
        probably not

     Q: How is origin header better than referer for privacy?
        - only sends information on POST
        - only sends necessary data

     So origin information is better than using referer since:
        - fewer privacy problems
        - but information can be there when needed

     Q: Would taint checking help prevent CSRF?
        Yes! Because it helps prevent using untrusted inputs

** Server-side Request Forgery (SSRF)
------------------------------------------
   SERVER-SIDE REQUEST FORGERY (SSRF)

#10 in the 2021 OWASP Top Ten
  (A10:2021)

Occurs when website designed to use 
  query strings in URLs to 
  represent requests by client

e.g., in email app:

  http://ex.com/request.php?create-new
  http://ex.com/request.php?read-NNN
  http://ex.com/request.php?delete-NNN



------------------------------------------
     Q: Why is that design a problem?
     Because if the attacker can get user to open web page containing
     such a URL, then it will be executed, e.g.,
         <img src="http://ex.com/request.php?delete-all/>

     Q: Is SSRF the result of bad design or bad coding?
        bad design, the use of query parameters in the clear is dangerous

     Q: How can SSRF be prevented?
        - Validate user-supplied URLs before using them
        - Use a different design, don't send requests in clear text!

        - Enforce the URL schema, port, and destination
          with a positive allow list

        - Do not send raw responses to clients

      (also per OWASP:
        - Disable HTTP redirections

        - Watch out for race conditions (time of check vs. time of use)

        - Segment remote resource access functionality
          in separate networks
          (to reduce the impact of SSRF)

        - Enforce "deny by default" firewall policies
           or network access control rules
           to block all but essential intranet traffic.)

     Q: Is this the same problem as CSRF?
        No, that misuses authentication,
        this is a problem of exposing an API to the world
         (that shouldn't be exposed)