Threat Modeling for CSRF Attacks - IEEE Xplore

5 downloads 3204 Views 399KB Size Report
vulnerabilities of the Open Web Application Security Project. (OWASP). In this paper, we explore the CSRF vulnerabilities, illustrate the real-world CSRF attack, ...
2009 International Conference on Computational Science and Engineering

Threat Modeling for CSRF Attacks Xiaoli Lin, Pavol Zavarsky, Ron Ruhl, Dale Lindskog Department of Information Systems Security Management Concordia University College of Alberta 7128 Ada Boulevard, Edmonton, AB T5B 4E4, Canada http://infosec.concordia.ab.ca unauthorized actions such as post/delete data on a forum, change the user’s profile, etc. Such attacks are difficult to detect, and remediation tends to be possible only after the incidents.

Abstract---Cross-Site Request Forgery (CSRF) vulnerability is extremely widespread and one of the top ten Web application vulnerabilities of the Open Web Application Security Project (OWASP). In this paper, we explore the CSRF vulnerabilities, illustrate the real-world CSRF attack, and present novel CSRF attack tree models. The threat models provide for exploring, understanding, and validating security protection features in realistic web application scenarios.

This is the difficulty for detection and prevention of CSRF attacks. As Jeremiah pointed out [6]: “To Web servers, one request looks more or less just like another. The unintended request is legitimate (not hacked up), the user is the right user (authenticated), and the request is being made directly to the real Web site (no man-in-themiddle). The only problem is the victim did not intend to make the request, but the Web server does not know that. And the scary part is the vast majority of Web sites are vulnerable with users having very little ability to defend themselves against CSRF”.

Keywords: OWASP, Cross-Site Request Forgery, threat model, attack tree

1.

INTRODUCTION

Cross-Site Request Forgery (CSRF) 1 is an attack against Web application users in which an adversary causes a victim’s browser to perform an unwanted action on a trusted website via a malicious link or other content. It is not a new Web application attack. Early in 1988 Norm Hardy discovered this application level trust issue and called it confused deputy [1]. It has appeared in the OWASP top 10 Web application threats [2].

However, if we can understand all the steps in which Web applications are attacked via CSRF attacks, we can design countermeasures to thwart it. Moreover, if we can know who the attackers are, and what they want – their goals, motivations and abilities – maybe we can educate users to protect themselves from CSRF attacks. What we need is a way to model CSRF threats against Web applications and their users. CSRF threat modeling is blank on the CSRF column of OWASP [7]. This is an area in which limited research has been done.

CSRF is a vulnerability which works like the Web works, due to the fact that a CSRF attack occurs when loading HTML elements or JavaScript code into a victim’s browser that generates a legitimate HTTP request to a target website [3]. Typically, today’s websites implement cookies to identify authenticated users. After the user is successfully authenticated by the Web server, the browser will get an identity login cookie to remember the logged-in status. Later, when the user is visiting the Web pages of the target Website, the browser will automatically put the identity login cookie in the request. This will not be removed until the browser is closed or the user logged out. The adversary is able to abuse this duration to make the user’s browser perform some actions that the user probably does not want.

Therefore, the objective of this paper is to create a threat model and present a tree-based attack analysis of CSRF attacks from an adversary’s perspective to help CSRF researchers to design CSRF defenses. Because there are different mechanisms to deliver CSRF code to execute to a victim’s browser, CSRF attacks are divided in two major categories: reflected and stored [7]. Stored CSRF is when the attacker gets the CSRF to be executed within the domain of the targeted websites, while the reflected CSRF is when the attack is triggered from a different domain [5].

More than 200 cases of CSRF vulnerabilities against various real world Web applications have been discovered and published on NVD (National Vulnerability Database) [5]. Among those cases, CSRF attacks were used to modify system configurations, create super administrator accounts or perform

The following is the analysis for the compromised Web applications and the graphic representation results. Figure 1 and 2 show the proportion of reflected and stored CSRF attacks and the CSRF vulnerability categories percentage. After reviewing all the CSRF attacks published on the NVD until March 2009, we found that more than half of the Web applications suffered from reflected CSRF attacks.

 1

Cross-Site Request Forgery attacks are also known as Cross-Site Reference Forgery, XSRF, one-click attack or session riding, hostile linking and confused deputy attacks. The CSRF name was given by Peter Watkins in a June 2001 posting to the Bugtraq mailing list [4].

978-0-7695-3823-5/09 $26.00 © 2009 IEEE DOI 10.1109/CSE.2009.372

Figure 1 shows the proportion of CSRF attacks categories.

486

During the process of launching a CSRF attack, the attacker will first review the key functionality within the target Web application, which can be done easily via manual browsing and Web spidering. Various tools exist, which perform automated spidering of websites. Free tools such as Paros, Burp Spider and WebSarab are available on the Internet and can be used efficiently to enumerate application content and functionality. Secondly, the attacker needs to find an application function that can be used to perform some sensitive action on behalf of an unsuspecting user and employs request parameters which an attacker can fully determine in advance. This can be done via using network sniffing tools such as Wireshark to capture and analyze the packets between the client and the server and screening HTML source of Web pages that contain links or buttons that perform interesting actions. The next step is to create a malicious link that will execute some interesting functionality such as transfer money, change a password, etc. Afterward, the attacker needs to convince a user that is logged into the target website to click on the malicious link to execute the CSRF attack.

8% StoredCSRF 37%

55%

Reflected CSRF Combination

 Figure 1: CSRF Attacks Categories until March 2009 on NVD As we can see, a huge percentage is attributed to lack of an HTTP request checking. And less than 10 percent of Web applications have input validation error only (commonly referred to exploit XSS attacks). However, the number will rise swiftly to 34% when these two vulnerabilities are used together. Despite that, only less than 5% by-pass the security weak point, this should not be ignored. The security mechanisms contain CSRF protection and some form of an authentication system. This indicated that these security methodologies failed to be used properly. We cannot take it for granted that we are secure for applying the secret CSRF tokens for our websites. The following figure indicates the types and percentages of CSRF vulnerabilities that have been identified.

4.61%

33.86%

For reflected CSRF attacks, the attacker needs to include the malicious link on the attacker’s own website and trick the user to click on the link, or where an XMLHTTPRequest object may automatically execute the attack when a user visits the website. For stored CSRF attacks, the attacker needs to create some posts, which embed the malicious link into the target website, or execute a stored XSS attack on a website where an XMLHTTPRequest object will automatically execute the attack as soon as a user visits the page. This removes the step of convincing a user to click on a link [8].

3.20%

50.52%

LackingofHTTP requestcheck(A) Inputinvalidation error(B) BothA&B

3.

ByͲpassSecurity (C) Others(D)

7.81%

Figure 2: CSRF Vulnerabilities Categories until March 2009 on NVD

To launch a reflected CSRF attack, what the attacker needs to do is just craft a simple link and put it on his malicious web page and lure the victim to click it. This can be done by sending out spam emails. When the victim clicks the malicious link, it will force the victim’s browser to load logout.php. Normally, the victim’s credentials (the session ID) will be sent with the request to logout.php that would logout the victim.

There are different categories of vulnerabilities including HTTP Post handling error, Off-By-One-Error, unrestricted upload attachments and other unknown vectors. In this paper, we will describe the process of CSRF attacks and demonstrate a real-world reflected CSRF attack. By reviewing and analyzing the CSRF attacks that were published on NVD, we will create threat modeling for stored and reflected CSRF attacks and identify the possible vulnerabilities which can be exploited to conduct CSRF attacks. We will also develop attack trees to illustrate how the attackers are able to leverage these weaknesses to achieve their goals. This research may be used as references for the CSRF researchers or Web application security administrators to defend against CSRF attacks. 2.

A REAL WORLD CSRF ATTACK

For the purpose of understanding how CSRF works, we use the kaixin001 network, a popular Chinese Social Network as an example to illustrate the attack. The attack tree will be created and discussed in section 5.2. Kaixin001 network does not apply logout awareness to notify users nor secret validation token to defend against CSRF attacks. By using Websarab, the attackers can easily find if the Web application has a logout.php.

4.

THREAT MODELLING

Threat modelling is a structured activity for identifying and evaluating application threats and vulnerabilities [9]. Perspective may be adversarial or defensive. From the defensive perspective, the goals are identify probable vulnerabilities, remove as many of the vulnerabilities as possible and employ countermeasures to reduce the attack risk. From the perspective of adversaries, the targets are identify holes and vulnerabilities and exploit them to gain access to the objective.

THE PROCESS OF CSRF ATTACKS

487

We mainly applied the attacker-centric methodology to design CSRF threat modeling, from the adversarial perspective to analyze attackers’ goals, abilities and motivations.

discussed later during Level-1 DFD of authenticated operations. After identifying the vulnerabilities, the attacker needs to do some experiments to verify the effectiveness of the malicious actions. As soon as it passes the examination, the attacker creates the malicious link and convinces the user to click to execute the CSRF attack.

The goals vary according to the CSRF attacker’s different harmful motivations. Based on the CSRF incidents published on NVD, they have been classified into three major categories. The first one is attacking and challenging for which the attackers’ main objective might be building up cornerstones for other destructive attacks such as SQL Injection and DoS. Alternatively, it could be challenging their hacking skills and revealing the Web applications vulnerabilities to show their abilities. The objects of this drive can also take action as administrator to change users’ password, modify firewall settings and alter appliance preference, or create a super administrator account directly. These types of attackers could be professional or amateurs who are sophisticated hackers.

Data flow diagram (DFD) elements:

The second one is for pure entertainment. The purposes of this sort of inspiration can be changing victim’s preferences, making the attacker famous and wanting to make more new friends via CSRF attacks. People who conduct CSRF attacks for this motivation might be lonely; or they are possibly amateurs practicing their skills. The third one is for money and this type of attackers are motivated by commercial profit. Pursuit of financial profit is clearly the main and final goal of this type of attacker. The aim of making use of CSRF attacks to post advertisement for products or even transferring money directly from a victim’s account. These are experts who might live on such activity. Refer to the analysis of threats that Adam.B and Collin.J discussed in Robust Defenses for Cross-Site Request Forgery; we quote two among the three threats in terms of the type of vulnerability that be exploited: Forum Posters who become CSRF attackers when they were using stored CSRF vulnerabilities on the target website to launch CSRF attacks; Web attackers who take advantage of reflected CSRF weaknesses to achieve their objectives [10]. The detail of stored and reflected CSRF vulnerabilities will be discussed in subsections.

 Figure 3: Level-0 DFD of attacker to explore target website Figure 4 shows the victim is attacked when he/she is clicking the link or reviewing the malicious posts, which forces the victim’s browser to submit a malicious request on the victim’s behalf. The numbers indicate the steps of a user surfing a website and step 9 is where the attack happened. There are vulnerabilities in step 9, which we talk about in the reflected CSRF. At the authenticated user boundary, there may be unrestricted authentication area weakness, where the attackers may access the logged-in users.

4.1

Threat Modelling of Stored CSRF Attacks After discussing the attackers’ goals and motivations, we will now talk about how they achieve them. The following diagrams are the threat modelling of stored CSRF attacks that illustrate the vulnerabilities that can be exploited by adversaries. Figures 3 and 4 depict the level-0 Data Flow Diagram (DFD) of stored CSRF attacks and figures 5 to 7 show the level-1 DFD of the login process and authentication operations.

Figure 5 describes the login process if the target website uses session cookies as authenticated methods that will be vulnerable to CSRF attacks. The target website might have insufficient session expiration weakness that could allow an attacker to reuse old session credentials or session IDs for authorization. In addition, external control of critical state data vulnerability may exist in the target website application in which the attacker can modify the state information without detection.

First of all, the attacker needs to explore the target website to determine the functionality that might be of some benefit for him (e.g. financial transaction). The attacker will require a legal user account on the target website. Figure 3 depicts the processes of this and the numbers show the steps of the navigation. The weaknesses exist in step 5 to 8 which will be

Figure 6 displays the DFD of user conduct authentication operations such as review the post and create their own content on the target website. One of the typical applets in

488

Web 2.0 applications allows users to create and customize their own content, such as blogs, forums and social network sites. These features make the Web applications vulnerable to input validation error, which can be exploited to conduct CSRF attacks and execute a command and change data saved on the server, for example, victims’ preferences.

Figure 6: Level-1 DFD of authentication operations

 Figure 4: Level-0 DFD of users are attacked

Figure 7 depicts CSRF attacks happening when the victim is reviewing the malicious posts that embed a malicious link. The target Web application fails to effectively sanitize usersupplied data before being return to user. This can cause executing arbitrary HTML or script code in a victim’s browser. This flaw usually exists in step 4 when the target website does not apply data hygiene.

Figure 7: DFD of user is attacked Figure 5: Level-1DFD of login process Incorrect security restrictions on the scripts is another weakness that might exist in these Web applications. Attackers could abuse the restrictions to upload malicious scripts such as plant CSRF worms to the target Web server, although certain server configurations are required for successful exploitation of this security issue. Lacking the restriction to upload attachments is an additional fault in the Web 2.0 applications which can be used to upload malicious HTML or JavaScript attachments. If the target website is using the same domain name as the rest of applications for these malicious attachments, then the attackers are able to access the users’ cookies and perform other restricted actions. Another property of current Web applications is using highly predictable URL structure [7], especially the target Web application employing user-controllable Web parameters. If that is the case, attackers could have enough required information to craft a malicious link. Hence, if the target website is vulnerable to the vulnerabilities mentioned above in steps 5 and 6, attackers will have high opportunity to conduct CSRF attacks.

4.2

Threat Model of Reflected CSRF Attacks

As mentioned above, the difference between stored and reflected CSRF attacks is the delivery mechanism of the CSRF code. One is executed in the target website domain, while another is triggered from a different domain. Basically, both require knowing the target website’s functionality which can be exploited as previously described. This time, the attacker created the malicious link and put it on his own website. What he needs next is to lure the victim to visit his crafted website. The technique to attract the innocent user to navigate a malicious Web site controlled by the attacker is already well explicit by fraudsters, carrying out phishing attacks or sending spam emails embedding a simple dangerous function link. The CSRF attacks occurred for the target website failed to perform sufficiently and legitimately check to verify the source of HTTP requests. Other vulnerabilities may exist in Web applications that can be leveraged to conduct CSRF attacks such as HTTP POST handling error and Off-By-One-Error (OBOE). Attackers can make use of the error in the handling HTTP POST requests to convert POST requests into GET requests. Off-By-One-Error often occurs in computer programming when an iterative loop iterates one time, too many or too few

489

[11]. This can be exploited to potentially execute arbitrary code via overly long content.

5.2

Attack tree to force user logout by Reflected CSRF attack This part will present how an attacker conducts a reflected CSRF attack to force the user logout and the attack tree can be created in Figure 10. For this attack to become a real exploit, there should be a victim who logged in the target website or was automatically logged-in (1.2); or there is an unrestricted authentication area weakness (1.1). The attacker then needs to trick the user to browser his/her website luring the user to click the URL of crafted (1.3).

Figure 8 shows how data flow between the components during reflected CSRF attacks.

The attacker still has the need of constructing a malicious link (1.3.1), which requires the attacker to have the knowledge of certain piece of functionality for the target website that he is interested in. To gain that information, the adversary can register a legitimate user account and navigate the target website and use some Web application review tools such as Webscarab, Burp and a network sniffing tool like Wireshark to analyze the information exchanged between the client browser and the target Web server. For this example, the attacker is able to find the target Web application has predictable valid request parameter (1.3.1.1) and URL structure (1.3.1.2). Especially the target Web application has user-controllable Web parameters (1.3.1.2.1), but this is not the necessary vulnerability for conducting a reflected CSRF attack.

Figure 8: DFD model of reflected CSRF attacks 5.

ATTACK TREE MODEL OF CSRF ATTACKS

An attack tree is a tree structure with the attacker’s goal placed in the root node and different ways of achieving that goal as leaf nodes. Attack trees provide a formal, methodical way of describing the security of systems, based on varying attacks [9], [12]. For example, the attacker can force the victim to logout via stored CSRF attacks. The attack tree for this attack vector is shown in Figure 9.

Then he can make use of the gathered information to create the malicious link. As pointed out before, it is extremely easy to trick the victim to visit the attacker’s by conducting phishing attacks (1.3.2) or sending out spam e-mails including malicious URLs (1.3.3).

5.1

Attack tree to force user logout by stored CSRF attack The goal of this attack is to force the victim to logout via the stored CSRF attacks. To achieve this, the victim must log in the target website or automatically logged-in (1.1); or there is an unrestricted authentication area weakness (1.2) otherwise the attacker needs to steal the user’s session tokens, which will be discussed explicitly during the by-pass CSRF discussion. For the user logged in to the target website, the target Web application relies on session cookies (1.1.1) as its authentication mechanism or sessions that did not expire properly (1.1.2 - insufficient session expiration). It also requires that the user reviews the malicious post (1.3) which embedded malicious link submitted by the attacker in advance and stored in the target website.

5.3

Mitigations This section will discuss the mitigation that can be used to reduce the vulnerabilities identified above. The developers could set session expiration date to protect against ongoing replaying of the session ID. Employ security tokens or twofactor authentication methods for the sensitive transactions against CSRF attacks. Restrict upload attachments by formatting the file extension type and size. Apply input/output filtering to against input validation errors. Employ Accept known good and sanitization input handling approaches to effectively sanitize user supplied data and ensure that the processing that is performed on it is inherently safe.[11] Employ nonce in URL/Form to prevent the attackers from predictable valid request parameters and use a standard input validation to against external control of assumed-immutable web-parameters vulnerabilities. The target website could educate their users to be aware of phishing and spam mails to prevent CSRF attacks as well.

To achieve this, the attacker can upload attachments including malicious scripts by taking advantage of lacking of restriction to upload attachment (1.3.1) vulnerability. Alternatively, he is able to carry out CSRF attacks in combination with Cross Site Scripting (XSS) (1.3.2). The target website failed to apply input validation checking (1.3.2.1) and security restrictions (1.3.2.2) correctly, which allows the attacker to inject arbitrary HTML and script code that can execute in a user's browser session in the context on the target website.

5.4

By- Pass CSRF protection Even though some Web sites employ secret tokens to protect their users from CSRF attacks, the attacker has the ability to by-pass CSRF protection mechanisms, especially when the target website has insufficient session expiration vulnerability. Because the adversary can use the old cookies, what he could do is steal the user’s session tokens and predict the CSRF random tokens via insufficiently random number weakness [13], or the attacker can leverage the errors within CSRF prevention routine [14].

CSRF attacks can also be conducted without XSS which will be easier for the adversaries do not have to craft the XSS scripts. Instead, they just need to explore the functionality that is interesting for them and then craft a simple malicious Web page including the magic URL. That is the reflected CSRF.

490

There are numerous ways the attacker can take advantage to steal the session tokens. Cross-site scripting is an effective way of stealing session tokens. Capturing the session token of an authenticated user is the most common one used with XSS. Unexpired cookies provide the most convenient, hidden, effective and durable means of exploiting session fixation vulnerabilities [15].The attacker can set a user’s session cookies to a value the attacker controls. The attacker can also use passive network eavesdropping - traffic sniffing to read cookie values (assume it does not use HTTPS) - or the attacker can guess session IDs by brute force if the session ID is low in entropy (say, 32bits or less) what is called cookies guessing [16]. The attacker also has the capability to convert the HTTP Post Request to GET Request despite the target website utilizing HTTP Post method for their sensitive traffic. 6. ACKNOWLEDGEMENT I would like to thank the Department of Service Alberta within the Government of Alberta for their support and encouragement before and during the period of this research paper. The research was also supported in part by the RISTEX program of the Japan Science and Technology Agency (JST). 7.

Figure 10: Attack tree to force uses logout by reflected CSRF attack and mitigations 8.

CONCLUSION

In the paper, we presented the result of our review of more than 200 CSRF attacks documented in the NVD. We also demonstrated a real world reflected CSRF attack and designed two types of CSRF threat models. Additionally, attack trees have been developed to clarify the capability of the adversaries to reach their objectives.The analysis of CSRF attacks and the mitigations will be useful for the future researchers to design the CSRF defenses and mitigation mechanisms.

R. Auger. (2008 April). “The Cross-Site Request Forgery (CSRF/XSRF) FAQ, v1.59”. Available: http://www.cgisecurity.com/csrf-faq.html

[2]

OWASP. (2007). “Top ten most critical web application security vulnerabilities”.Available: http://www.owasp.org/index.php/OWASP_Top_Ten_Project G.Karlebach and A.Shulman. (2007). “Web fraud detection” Imperva, Inc. J. Percival. (2001). “Cross-Site Request Forgery”. Available: http://www.tux.org/~peterw/csrf.txt National Vulnerability Database(2009 March). Available: http://web.nvd.nist.gov/view/vuln/search?execution=e1s2 J. Grossman. (2006, November). “How does a cross-site request forgery work”.Available: http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnsw er/0,289625,sid92_gci1230450,00.html R. Cannings, H. Dwivedi & Z. Lackey. (2007). “Hacking Exposed™ Web 2.0: Web 2.0 Security Secrets And Solutions”. McGraw-Hill, chapter 3 p77-78 CAPEC. “Individual CAPEC Dictionary Definition (Release 1.2) (2009 March), Cross Site Request Forgery”. Available: http://capec.mitre.org/data/definitions/62.html O. Tom. (2006, March) “A Practical Approach to Threat Modeling”. Adam.B, Collin.J and John.C (2008 October) “Robust Defenses for Cross-Site Request Forgery” D. Stuttard and M. Pinto. (2007, Oct. 22). “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws”. Wiley, Chapter2 P21-22 & Chapter15p524 B. Schneier. (1999 December). “Attack Trees”, Dr. Dobb's Journal. Available: http://www.schneier.com/paper-attacktrees-ddj-ft.html#rf1 US-CERT. (2008 November). “cross-site request forgery (CSRF) attacks against WordPress 2.6.3.” CVE-2008-5113. Available: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5113 Secunia, PHProjekt (2007 April) Multiple Vulnerabilities. Available: http://secunia.com/advisories/24509/ M. Kolšek. (2002). “Session Fixation Vulnerability in Web-based Applications Version 1.0”. Available: http://www.acros.si/papers/session_fixation.pdf C. Palmer. (2008 April 28) “Secure Session Management with cookies for Web applications”, iSEC Partners, Inc.

[3] [4] [5] [6]

[7]

[8]

[9] [10] [11]

[12] [13]

Figure 9: Attack tree to force user logout by stored CSRF attack and mitigations

[14] [15]

[16]

491

REFERENCES

[1]