Mitigating CSRF with two lines of codes

OWASP Taiwan Day 2017
Mitigating CSRF with 2 lines of code.
Minhaz
minhaz@owasp.org,
minhazv@microsoft.com

快速的照片，
请微笑
Quick photo, please smile@Taipei

Minhaz?
@minhazav | https://blog.minhazav.xyz |minhaz@owasp.org | minhazv@microsoft.com
 Contributor to Phpmyadmin, Mozilla, Matrix Org
 Primary Interests: Distributed Systems & Machine Learning

What is CSRF
Conceptual ways to Mitigate
CSRF
CSRF Protector Project

CSRF
Cross Site Request Forgery
sometimes called: XSRF, See Surf

CSRF: What
OWASP says?
Source: https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_(CSRF)
Cross-Site Request Forgery (CSRF) is an
attack that forces an end user to
execute unwanted actions on a web
application in which they're currently
authenticated. CSRF attacks specifically
target state-changing requests, not theft
of data, since the attacker has no way to
see the response to the forged request.

CSRF: What
OWASP says?
attack that forces an end user to execute
unwanted actions on a web application in
which they're currently authenticated. CSRF
attacks specifically target state-changing
requests, not theft of data, since the
attacker has no way to see the response to
the forged request.

CSRF: What
OWASP says?
attack that forces an end user to
execute unwanted actions on a
web application in which they're
currently authenticated. CSRF attacks
specifically target state-changing requests, not
theft of data, since the attacker has no way to
see the response to the forged request.

 How do attackers “force” victims to
perform them?
 And how do the victims not know it’s
happening?
 And what kind of actions?

Mitigating CSRF with two lines of codes

Some facts
fact#0: HTTP is stateless
protocol, so we generally
use cookies for maintaining
states, and
authenticating/validating
users.
1
fact#1: Whenever a request
originates from a browser
(client) to server, all cookies
associated with the server
are sent along with the
request, irrespective of the
origin of request.
2
So if the attacker can
somehow send a request
with cookies to server and
tend to perform something,
that usually needs
authentication, attacker
will succeed. This is bad!!
3

Money transferred
to attacker
$12,000
POST /login HTTP/1.1
Host: bank.com
username=bob&password=pwd123
200 Success
Content-type: text/html
set-cookie: token=abcd;
expires=..
…
…
POST /addUser HTTP/1.1
Host: bank.com
Cookie: token=abcd
200 Success
Content-type: text/html
<html>
…
</html>
GET / HTTP/1.1
Host: evil.com
POST /transefer HTTP/1.1
Host: bank.com
Cookie: token=abcd
To=1234&Amount=12000&type=Instant

Other possibilities:
 If there is CSRF vulnerability in admin panel of a website,
whole website can be compromised!
 Hijacking primary DNS server setting of your router! ->
phishing, Man in the Middle attacks etc.!
 …Add more!
 Want to see it work? Visit superlogout.com
Read More at OWASP CSRF Cheat Sheets, Just Google it!

 There are some cool ways!
 There are some JUST WRONG
WAYS!
How do we
generally
protect
ourselves

✗ Secret cookies
✗ Accepting only POST requests
✗ Multi-Step transactions
✗ URL rewriting
✗ HTTPS
Prevention Methods that SUCKS

What Works?? Randomness!!
✔ Re- Authentication
✔ Implement CAPTCHAS
✔ Synchronizer Token Pattern

What Works?? Randomness!!
✔ Re- Authentication
✔ Implement CAPTCHAS
✔✔ Synchronizer Token Pattern
Server
Client
tokentoken ==

CSRF Protector ? Why ? What
I’ll start with
WHY!
As an engineer, and while I
should, I don’t really want to
know about what CSRF is and
what are cool and uncool
ways to mitigate it;
Of course I can use
frameworks, but there are
just so many forms and I
tend to forget stuff; And to
be frank I don’t always run
static analysis tools to
remind me of issues;
On the top of it, I don’t want
to deal with all these I just
want to build an awesome
app; and release it to
customers as soon as
possible;

Taking a step back:
How it’s done in popular
frameworks

Python (flask / Django)
Python (flask)

Node.JS (Express
Framework)
var cookieParser = require('cookie-parser’)
var csrf = require('csurf’)
var bodyParser = require('body-parser’)
var express = require('express’)
// create express app
var app = express()
app.use(bodyParser.urlencoded({ extended: false }))
app.use(cookieParser())
app.use(csrf({ cookie: true }))
app.get('/form', function (req, res) {
// pass the csrfToken to the view
res.render('send', { csrfToken: req.csrfToken() })
})
app.post('/process', function (req, res) {
res.send('csrf was required to get here’)
})

CSRF Protector ? Why ? What
I’ll start with
WHY!
As an engineer, and while I
should, I don’t really want to
know about what CSRF is and
what are cool and uncool
ways to mitigate it;
Of course I can use
frameworks, but there are
just so many forms and I
tend to forget stuff; And to
be frank I don’t always run
static analysis tools to
remind me of issues;
On the top of it, I don’t
want to deal with all these I
just want to build an
awesome app; and release
it to customers as soon as
possible;

Incoming
request
(POST,
GET*)
Picked up by CSRFP
Validated for CSRF
Token
Business logic of
application
generated HTML
output
Failed Validation
Actions - configurable
(403, redirect)
Output buffered,
scripts injected
On Server Side

On Client Side
We need to ensure all requests, that needs validation:
- All POST request & Selected GET requests
Need to send the token along with the request: either as a query
parameter in the request itself of in request header in case of POST
requests;
So JS code is called as soon as DOM is loaded; And it adds wrapper
to:
- All AJAX calls, All Form submissions, All dynamic form
submissions, and link clicks (if those GET requests need CSRF
validations)

• The token is needed in request header or request query for the request to
be successfully validated;
• The token cannot be guessed (a pseudo random token of configured
length is used);
• The token cannot be retrieved by the attacker as it’s transferred via
cookies (keeping MITM aside), as cookies can be accessed by scripts
running on that site only;
AJI9ngIEwcnYbqiMfAvn
qU4OU2FwJSGHyEJS9L7w
R0Ymq0FkyqbtsXYKZCV2
mTFsdWiLlmGnj8DcWbAr
4gMZLsxQyhF7Ls8TujeM
8OeTx4UGuqZKb7axwzFf

> git clone https://github.com/mebjas/mod_csrfprotector.git
> cd mod_csrfprotector
> sudo spxs2 –cia –n csrf_protector ./src/mod_csrfprotector.c./src/sqlite/sqlite3.c –lssl –lcrypto
> sudo service apache2 restart

 Can be used with existing apps or while creating a
new one;
 Support GET request
 Per request token, MITM + CSRF difficult
 No dependencies (both PHP & JS side)
 Supports AJAX & Dynamic Forms, Supports
ActiveObject (IE) as well;
 Has been implemented as PHP library and apache 2.2
module; But design can be extended to other
languages as well; ( It’s a roadmap)

• Whitelisting of URLs for cross origin request not
supported as of now;
• There is overhead associated with attaching script
reference to HTML

• Porting the design for node.js, python (flask & Django)
• Support for legitimate cross origin requests
• Apache 2.4.x module, windows support
• Shorter time to fix issues & faster releases 

CSRF Protector Project is based on paper: automatic CSRF protection for Web 2.0 applications by R. Sekar & Riccardo Pelizzi.
The initial implementation was a result of support from awesome mentors like: Kevin W. Wall, Abbas Naderi & Jim Manico
Special thanks to them!
谢谢! Questions??

References
https://www.owasp.org/index.php/CSRFProtector_Project
https://github.com/mebjas/CSRF-Protector-PHP
https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
下次再见

Mitigating CSRF with two lines of codes

More Related Content

What's hot (20)

Similar to Mitigating CSRF with two lines of codes (20)

Recently uploaded (20)

Mitigating CSRF with two lines of codes