What is CSRF? The meaning of the term CSRF. The CSRF vulnerability

Author's note: The reason for recording this lesson was a question on our forum that went roughly like this: how do you protect a site from CSRF attacks? Naturally, we answered the question right away and gave a short algorithm for implementing a protection mechanism. But since, most likely, far from all of our readers read the forum, I have recorded this lesson based on that question.

I would like to point out straight away that the current video will not contain a completely ready-made solution that you can simply drop into the site you need. Every website has its own logical structure, which means it is not like any other, and so it is impossible to write one ready-made script that covers absolutely every possible implementation.

Nor is that necessary, because the essence of the attack mechanism is simple. In the current video I show, on a test site, how one can defend against this kind of attack; after that, on the basis of the knowledge gained, you can implement similar protection in your own project. So, let's get started.

CSRF is an abbreviation of the English words Cross-Site Request Forgery. The term was introduced back in 2001 by Peter Watkins, but the possibility of attacks of this kind was being discussed as early as 1988. Despite the fact that so much time has passed, most websites on the Internet are still vulnerable to this attack. Again the question arises: why? The answer is simple: vulnerability to CSRF attacks is not a mistake in the program code but a consequence of the normal operation of the browser and the web server.

The essence of the attack is that an attacker can perform actions on an unprotected site on behalf of another, registered user. In other words, this type of attack involves luring the user to the attacker's malicious site, which in turn leads to the user unknowingly performing certain actions on another site or service on which they are authorized.

As a rule, the targets of CSRF attacks are various interactive web applications designed to perform specific actions, for example electronic mail services, forums, payment systems and so on. Accordingly, an attacker can perform certain actions in the name of other users: send messages, add new accounts, or carry out financial transactions, simply because the victim is logged in.

Now let's look at the attack in question using a test site as an example.

Suppose there is a website that can send an email message to a specified address on behalf of an authorized user. That is, on the main page we see a form for sending a message. In addition, a redirect mechanism is provided in which the same parameters are passed via a GET request (purely for the sake of the example). The authorization page looks like this.

This page is perfectly ordinary, but the "Remember me" checkbox catches the eye: it is used to save the authorization in the browser's cookies. This mechanism is mainly a convenience for users, who will not have to log in again on their next visit, but from the security point of view it is a problem. All the same, for the convenience of visitors, one often has to resort to precisely this approach.

The code for sending a message using the two methods (GET and POST) looks something like this (deliberately without any CSRF check):

    // Sending the message. The handler trusts the cookie-authenticated
    // session alone and accepts both GET and POST: this is the vulnerable
    // code that the attack below exploits.
    if ($this->isGet() && !empty($_GET["email"])) {
        $body  = "Hello this is message from - " . $this->user["name"];
        $body .= " Content - from GET - " . $_GET["content"] . " From - " . $_GET["email"];
        mail("[email protected]", "New message", $body);
    }

    if ($this->isPost()) {
        $body  = "Hello this is message from - " . $this->user["name"];
        $body .= " Content - FROM POST - " . $_POST["content"] . " From - " . $_POST["email"];
        mail("[email protected]", "New message", $body);
    }

Now let's look at the other site: the attacker's site.

On it the attacker can place a simple but very effective piece of code intended to attack via a GET request:

    <img src="http://localhost/csrf/ [email protected]&content=Hello world">

That is, we see an img tag whose src attribute contains the path to the site being attacked, with the set of parameters needed to perform a specific action. Our site is unprotected, which means that it is now enough for the attacker to lure the user to his site and have them simply view it. No click is needed, because the browser will try to load the image by requesting the address given in the src attribute. If we remember that the authorization data is stored in the browser's cookies and is therefore attached to each request, the request above will be processed successfully by the server. And that means a message will be sent in the user's name.

If you look at the set of headers sent together with the request, you will indeed see a cookie containing the account data, which by itself means, as was said above, that the request will be accepted as coming from an authenticated user.

The situation is exactly the same when the request is sent using the POST method; in that case the attacker creates a form on his site and submits it automatically with JavaScript as soon as the page is visited.

So it is necessary to defend against such attacks, and the only really effective way to do that is to use special tokens.

A protection token is a sequence generated randomly for a specific user and transmitted with every request that involves a change of data. In addition, the token is also stored in the session. Thus the essence of the protection comes down to a simple check: the token passed in the request is compared with the token stored in the session. If the two tokens are identical, the request is executed with the user's authorization. If the tokens do not match, or there is no token in the request at all, one can say with great confidence that an attack is under way, and accordingly the request must not be executed.

Note that absolutely all requests aimed at changing data or performing certain actions must be protected.

That concludes the text part of the lesson; further details are given in the video version. In it we look at ways of generating tokens and implement the protection algorithm described above in practice. And now, goodbye. Happy coding!

Cross-Site Request Forgery - much ado about nothing

Alexander Antipov

Lately a "new" type of vulnerability called Cross-Site Request Forgery (CSRF or XSRF) has been widely discussed among web application security specialists. The article offered to the reader's attention contains a description of the vulnerability, methods of exploiting it, and the main ways of protecting against it.


Sergey Gordeychik

Gordey @ ptsecurity com

A generally accepted Russian term for Cross-Site Request Forgery has not yet emerged, so the author proposes the variant "HTTP request forgery".

Lyrical introduction

First of all, I would like to address the main misconceptions connected with CSRF:

1. HTTP request forgery is a new type of vulnerability.

This is not so. Theoretical discussion of the subject dates back to 1988 (http://www.cis.upenn.edu/~KeyKOS/ConfusedDeputy.html), and practical examples of the vulnerability have been discussed on Bugtraq since at least 2000 (http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan). The term itself was proposed by Peter Watkins (http://www.securiteam.com/securitynews/5FP0C204KE.html) in 2001.

2. CSRF is a variant of Cross-Site Scripting (XSS).

The only thing CSRF and XSS have in common is the attack vector: both are attacks on the clients of a web application (Client-Side Attack in WASC terminology, http://www.webappsec.org/projects/threat/). CSRF vulnerabilities can be exploited in combination with XSS or "redirectors" (http://www..php), but they are a separate class of vulnerability.

3. CSRF vulnerabilities are not widespread and are rather difficult to exploit.

The data collected by Positive Technologies in the course of penetration tests and web application security assessments show that the majority of web applications are vulnerable to this attack. Unlike other vulnerabilities, CSRF is caused not by programming errors but by the normal behaviour of the web server and the browser. That is, most sites that use the standard architecture are vulnerable "by default".

Example of exploitation

Let's look at the exploitation of CSRF using a simple example. Suppose there is a simple web application that sends email messages. The user enters an email address and the message text, presses the Submit button, and the message is sent to the specified address.

Fig. 1. Sending a message

This scheme is familiar from many sites and raises no particular suspicion. However, the application in question is highly vulnerable to an "HTTP request forgery" attack. To exploit it, the attacker creates a page on his site containing a reference to an "image", and then persuades the user to visit that page (for example, http://bh.ptsecurity.ru/xcheck/csrf.htm).

When the page is opened, the user's browser tries to load the image, i.e. it makes a request to the vulnerable application and thereby sends an email to the address specified in the "to" field.

Fig. 2. CSRF attack

Note that the user's browser attaches the cookie value it holds for the site to the request, so the request will be treated as coming from an authenticated user. To make the user load a page that sends the forged request to the vulnerable server, the attacker can use social engineering as well as technical vulnerabilities such as XSS and errors in the implementation of redirect functions.

Fig. 3. How CSRF works

Thus, a CSRF attack uses the user's browser to send HTTP requests to a specific site, and the vulnerability consists in the absence of verification of the request's source. The application in the example uses the GET method to pass parameters, which makes the attacker's life easier. However, it would be a mistake to think that using the POST method automatically removes the possibility of an HTTP request forgery attack. The page on the attacker's server may contain a pre-filled HTML form that is submitted automatically when the page is viewed.

To exploit CSRF, the attacker does not necessarily need a web server of his own. The page that initiates the request can be sent by email or delivered in some other way.

In a talk by Billy Hoffman, a variety of methods of cross-site interaction with the help of JavaScript were considered. All of them, including XmlHttpRequest (in some situations), can be used for CSRF attacks.

I am sure that by now readers have understood the main difference between CSRF and XSS. In XSS, the attacker gains access to the DOM (Document Object Model) of the vulnerable page, both for reading and for writing. In CSRF, the attacker can only send a request to the server through the user's browser, but cannot receive and analyze the server's response, let alone its headers (for example, Cookie). Thus "HTTP request forgery" allows working with the application in "write-only" mode, which, as it turns out, is quite enough for real attacks.

The main targets of CSRF attacks are various interactive web applications, for example email systems, forums, CMS, and the remote management interfaces of network devices. For example, an attacker can send messages in the name of other users, add new accounts, or change the settings of a router through its web interface.

Fig. 4. Example of CSRF exploitation in a forum

Let's dwell in more detail on the last item, changing the settings of network devices. The author has a long-standing interest in wireless attack detection systems, but naturally the matter is not limited to them.

Penetrating the perimeter

Last year Symantec published a report about a "new" attack called "Drive-By Pharming", which is in fact a variant of CSRF exploitation. The attacker runs "malicious" JavaScript in the browser that changes the router's settings, for example setting a new DNS server address. To carry out this attack, the following tasks have to be solved:

Port scanning with the help of JavaScript;

Determining the type of web application (fingerprinting);

Password guessing and authentication with the help of CSRF;

Changing the device parameters via a CSRF attack.

The technique of scanning for a web server of a given type with the help of JavaScript is well known and comes down to dynamically creating HTML objects (for example, img src=) that point to various internal URLs (for example, http://192.168.0.1/pageerror.gif). If the "image" loads successfully, a web server based on Microsoft IIS is listening at the address being tested. If a 404 error is returned, some other web server is running on the port. On a timeout, the server is unreachable on the network or the port is blocked by a firewall. In other situations the port is closed but the host is available (the server returns an RST packet and the browser reports an error before the timeout expires). In some situations port scanning from the browser can be performed even without JavaScript (http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html).

Once the type of device has been determined, the attacker can try to make the user's browser send a request that changes its settings straight away. However, such a request will succeed only if the user's browser already has an active authenticated session with the device. Keeping the router's management page open in a neighbouring tab is a bad habit of many "advanced" users.

If there is no active session with the management interface, the attacker has to get through authentication. If the device implements form-based authentication, there is no particular problem. Using CSRF over POST, an authentication request is sent to the server, after which an image (or page) accessible only to authenticated users is requested. If the image loads, the authentication was successful and one can proceed to the next steps; otherwise, another password is tried.

In the case where the attacked device implements authentication using the Basic method, the task becomes more complicated. The Internet Explorer browser does not allow specifying the password in the URL (for example, http://user:[email protected]). For Basic authentication one can therefore use the method of adding HTTP headers with the help of Flash described in the article. However, this method works only with older versions of Flash, which are becoming less and less common.

Other browsers, such as Firefox, do allow specifying the password in the URL and let you attempt authentication against any server, moreover without displaying an error message if the password is wrong.

An example script for "silent" authentication using the Basic method, taken from Stefan Esser's blog, is shown below.

Firefox HTTP Auth Bruteforcing

Fig. 5. Firefox Basic authentication

In a corporate environment, which in most cases uses SSO mechanisms, for example based on an Active Directory domain and the Kerberos and NTLM protocols, exploiting CSRF requires no additional credentials at all. The browser authenticates automatically in the security context of the current user.

After authentication has succeeded, the attacker sends, with the help of JavaScript, a request that changes the router's settings, for example the DNS server address.

Protection methods

The first thing that comes to mind when talking about countering CSRF attacks is checking the value of the Referer header. Indeed, since HTTP request forgery involves sending the request from a third-party site, checking the originating page, whose address the browser automatically adds to the request headers, could solve the problem.

However, this mechanism has a number of shortcomings. First, the developer faces the question of what to do with requests that carry no Referer header at all. Many personal firewalls and anonymizing proxy servers treat Referer as a potentially unsafe header and strip it. Accordingly, if the server rejects such requests, the group of the most "paranoid" users will be unable to work with it.

Second, in certain situations the Referer header can be forged, for example with the help of the Flash trick already mentioned. In addition, in IE 6.0 the header contents could be modified due to certain bugs in the XmlHttpRequest implementation. The ability to insert line-break characters into the HTTP method name allowed modifying headers and injecting an additional request. This vulnerability was discovered by Amit Klein in 2005 and rediscovered in 2007. The limitation of this method is that it works only in the presence of an HTTP proxy server or of a server hosting several domain names on the same IP address.
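An added example (not from the article) of what a Referer check looks like once the two shortcomings above are taken into account: the caller decides explicitly what to do when the header is absent, and the header is parsed as a URL and compared by origin rather than by string prefix. The names refererAllowsRequest and ALLOWED_ORIGIN, and the site address, are assumptions for this illustration.

```javascript
// Added example (not from the article): a Referer-based check in Node.js.
// ALLOWED_ORIGIN, refererAllowsRequest and the allowMissing policy flag are
// assumptions made for this illustration.
const ALLOWED_ORIGIN = "https://shop.example.com"; // assumed origin of the protected application

// Returns { allowed: boolean, reason: string }.
// headers: request headers with lower-case names (as Node's http module
// delivers them). allowMissing: whether to accept requests that carry no
// Referer at all (users behind privacy proxies or firewalls that strip it);
// the article's trade-off is that false locks those users out, true lets a
// forged request through whenever the attacker can suppress the header.
function refererAllowsRequest(headers, allowedOrigin = ALLOWED_ORIGIN, allowMissing = false) {
  const referer = headers["referer"];
  if (referer === undefined || referer === "") {
    return { allowed: allowMissing, reason: "no Referer header" };
  }
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return { allowed: false, reason: "unparseable Referer" };
  }
  // Compare scheme + host + port, never a string prefix: a naive
  // referer.startsWith("https://shop.example.com") would also accept
  // https://shop.example.com.attacker.net/ and https://shop.example.com@attacker.net/
  if (url.origin !== allowedOrigin) {
    return { allowed: false, reason: "Referer origin " + url.origin + " is not " + allowedOrigin };
  }
  return { allowed: true, reason: "same-origin Referer" };
}

module.exports = { ALLOWED_ORIGIN, refererAllowsRequest };
```

Even with the origin compared correctly, this remains the weaker of the two defences the article describes, because it depends on a header the client controls; it is useful as an additional signal next to the token-based check, not instead of it.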

Another protection method is adding a unique parameter to every request, which is then checked by the server. The parameter can be added to the URL in the case of a GET request, or as a hidden form field in the case of a POST request. The value of the parameter can be anything, the main point being that the attacker cannot predict it; the session identifier of the user is one example (although putting the session identifier into URLs risks leaking it through logs and Referer headers, so a separate random value is preferable).

Fig. 6. CSRF protection in Bitrix

To add a CSRF check to your application quickly, you can use the following approach:

1. Add to every generated page a small JavaScript that adds to all forms an additional hidden parameter whose value is taken from the Cookie.

2. On the server, check that the value passed by the client via the POST method equals the current Cookie value.

An example of such a client scenario is given below:

A further development of this approach is to store the session identifier not only in the Cookie but also as a hidden form parameter (for example, VIEWSTATE).

Various Turing tests can also be used as a CSRF countermeasure, for example the well-known CAPTCHA images. Another popular option is to require the user's password when critical settings are changed.

Fig. 7. CSRF protection at mail.ru

Thus, Cross-Site Request Forgery is an attack aimed at the clients of web applications that exploits insufficient verification of the source of an HTTP request. To defend against such attacks, additional control of the request's origin can be implemented based on the Referer header or on an additional "random" parameter.

Sergey Gordeychik works as a systems architect at Positive Technologies and specializes in application security and the security of wireless and mobile technologies. He is also the lead developer of the courses "Wireless Network Security" and "Analysis and Assessment of Web Application Security" at the Informzaschita training center. He has published dozens of articles in "Windows IT Pro/RE", SecurityLab and elsewhere, and is a member of the Web Application Security Consortium (WASC) projects.

ASP.NET MVC is no longer hyped, but rather a mature and popular stack for web developers. From an (anti-)hacker's perspective, its standard functionality gives you a basic level of security, but to fend off the vast majority of hacker tricks additional protection is needed. In this article we will look at the basics every ASP.NET developer (whether Core, MVC, MVC Razor or Web Forms) should know about security.

Let's look at the well-known types of attacks.

SQL Injection

It is no surprise that in 2017 injections, and SQL injection in particular, hold first place in the OWASP (Open Web Application Security Project) Top 10 security risks. This type of attack is possible when user input is used on the server side as part of the text of a query.

An example of classic SQL injection is quite typical for Web Forms applications. Using parameters as the query values helps protect against this type of attack:

    using System.Data;
    using System.Data.SqlClient;

    // The user-supplied customerID is bound as a typed parameter, never
    // concatenated into the command text.
    string commandText = "UPDATE Users SET Status = 1 WHERE CustomerID = @ID;";
    using (var connection = new SqlConnection(connectionString))
    using (var command = new SqlCommand(commandText, connection))
    {
        command.Parameters.Add("@ID", SqlDbType.Int).Value = customerID;
        connection.Open();
        command.ExecuteNonQuery();
    }

When you develop an MVC application, the Entity Framework hides some of these vulnerabilities. To get SQL injection into an MVC / EF application you really have to try. However, it is possible if you execute raw SQL with the help of ExecuteQuery, or if you call badly written stored procedures.

Although the ORM allows you to avoid SQL injection (with a few exceptions), it is recommended to restrict, with attributes, the values that the model fields, and hence the form, can accept. For example, if it is known that the field can contain only letters, set the allowed range with a Regex such as ^+$ . And if only numbers can be entered in the field, this can be indicated as follows:

    public string Zip { get; set; }

With Web Forms, values can be checked with the help of validators.

Starting with .NET 4.5, Web Forms supports Unobtrusive Validation. This means that no additional code has to be written to re-check the form values.

Data validation can, in particular, also help protect against another attack, called cross-site scripting (XSS).

XSS

A typical example of XSS is adding a script to a comment or a guest book entry. It may look like this:

As you can see, in this example the cookies from your site are passed as a parameter to some resource belonging to the hacker.

With Web Forms, you can make this mistake with code like the following:

    Sorry <%= username %>, but the password is wrong

It is clear that the username can be replaced with a script. To prevent the script from executing, you can at least use the other ASP.NET output expression, the one that HTML-encodes the value.

As for Razor, strings are encoded automatically there, so the possibility of XSS is reduced to a minimum: a hacker can get around it only if you make a gross mistake, for example by using @Html.Raw(Model.username) or a custom string type that bypasses encoding.

For additional protection against XSS, the data is encoded in other C# code as well. In .NET Core you can use the encoders from the System.Text.Encodings.Web namespace: HtmlEncoder, JavaScriptEncoder and UrlEncoder.

The following example returns a string