Dissecting CSRF Attacks & Countermeasures

Presented at Black Hat USA 2013, Aug. 1, 2013, 11:45 a.m. (60 minutes)

Cross Site Request Forgery (CSRF) remains a significant threat to web apps and user data. Current countermeasures like request nonces can be cumbersome to deploy correctly and difficult to apply to a site retroactively. Detecting these vulns with automated tools can be equally difficult to do accurately.

The presentation starts with a demonstration of how to model attacks to validate whether different kinds of countermeasures are implemented correctly. It includes a tool and code to show how to detect these vulns with few false positives.

Then we explore how CSRF could be prevented at the HTTP layer by proposing a new header-based policy, similar to the intent of Content Security Policy. This new policy introduces a concept called Storage Origin Security (SOS) for cookies and session objects that foils many kinds of CSRF attacks without burdening the site with HTML modifications. The solution focuses on simplicity to make it easier to retrofit on current apps, but requires browsers to support a new client-side security control. We show how this trade-off could be a quicker way to improving security on the web.

Presenters:

• Vaagn Toukharian - Qualys
  Principal Engineer for Qualys's Web Application Scanner. Was involved with security industry since 1999. Experience includes work on Certification Authority systems, encryption devices, large CAD systems, Web scanners. Outside of work interests include Photography, and Ironman Triathlons.
• Sergey Shekyan - Qualys
  Sergey Shekyan is a Senior Software Engineer for Qualys, where he is focused on development of the companies on demand web application vulnerability scanning service. With more than 10 years of experience in software design, development, testing and documentation, Sergey has contributed key product enhancements and software modules to various companies. Sergey holds both Masters and BS Degrees in Computer Engineering from the State Engineering University of Armenia.
• Mike Shema - Qualys
  Mike Shema writes software to test the security of web sites. When not writing in C++ he turns to books and blog posts to share his knowledge of information security, from network penetration testing to wireless hacking to secure programming. (And includes a generous helping of music, sci-fi, and horror references to keep the topics entertaining.) He has taught hacking classes and presented research at security conferences around the world. His latest book is "Hacking Web Applications".

Links:

• https://www.blackhat.com/us-13/archives.html#Shema
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2013/video/Black Hat 2013 - Dissecting CSRF Attacks and Countermeasures.mp4
• https://www.youtube.com/watch?v=JUY4DQZ02o4

Similar Presentations:

• ToorCon San Diego 18 (2016) / CSRF in the Modern Age: Sidestepping the CORS Standard
• DEF CON 25 (2017) / Wiping out CSRF
• ToorCon San Diego 18 (2016) / The Subtleties of Bypassing the Same-Origin Policy and Exploiting Cross-Site Request Forgery