1 of 22

Web Security II

2 of 22

Outline

  • Session fixation
  • CSRF
  • Defenses

4 of 22

Session fixation attack: allows an attacker to hijack an unsuspecting user's session.

Example: bank.com/billpay?session=42

5 of 22

No!

  1. That tuple is not even random enough to begin with
  2. Even if it were, session hijacking would still be possible

Better approach:

Generate the session cookie value randomly when the user logs in. Do not allow the session cookie to be set through URL parameters.

8 of 22

CSRF

Cross-site request forgery is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

Example:

9 of 22

  1. Alice fills out the form on patsy-bank.com.
  2. When she clicks submit, the information she entered into the form is converted into parameters in an HTTP GET.
  3. Alice's browser will then bundle the cookies for patsy-bank.com and send them along with the GET to patsy-bank.com's server.
  4. The server will then check the validity of Alice's cookie before processing the request.

10 of 22

The img tag causes the browser to make the request with the patsy-bank cookie attached. If Alice's cookie is still valid, she pays Mallory $1000.

11 of 22

13 of 22

CSRF Defenses

  • CSRF tokens
    • Unique (per user, per session) randomly generated tokens embedded in the web page
    • If the submitted token doesn't match, don't process the request
    • Requires the server to keep a lot of state
  • Referer validation
    • Check the Referer header and don't process the request if it isn't from a trusted website
    • Privacy concerns
    • What if there is no Referer header?

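Putting both defenses into code: the randomly generated per-login session id from the session fixation slide, and the per-session CSRF token plus Referer check from this slide. This is an added Python example, not code from the lecture; the in-memory session store, the origin name patsy-bank.example and the request dictionary shape are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> session data (hypothetical).
SESSIONS = {}
TRUSTED_ORIGIN = "https://patsy-bank.example"  # hypothetical origin of the bank


def login(user, query):
    """Issue a fresh, server-chosen session id at login.
    'query' may carry an attacker-planted ?session=42; it is deliberately ignored."""
    sid = secrets.token_urlsafe(32)  # unpredictable, never taken from the URL
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Per-session token the server embeds in its own forms."""
    return SESSIONS[sid]["csrf"]


def referer_is_trusted(headers):
    """Referer validation. A missing header fails closed here (strict choice);
    that also rejects users whose browsers strip Referer for privacy."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def handle_billpay(request):
    """State-changing endpoint: valid session, matching token, trusted Referer."""
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    token = request["form"].get("csrf", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "csrf token mismatch"
    if not referer_is_trusted(request["headers"]):
        return 403, "untrusted or missing Referer"
    return 200, f"{sess['user']} paid {request['form']['amount']} to {request['form']['to']}"


def forged_request(sid):
    """Request triggered from another site: the cookie rides along automatically,
    but the other site cannot read the token embedded in the bank's page."""
    return {"cookies": {"session": sid}, "form": {"to": "Mallory", "amount": "1000"},
            "headers": {"Referer": "https://evil.example/"}}


def legitimate_request(sid):
    return {"cookies": {"session": sid},
            "form": {"to": "Bob", "amount": "50", "csrf": csrf_token_for(sid)},
            "headers": {"Referer": TRUSTED_ORIGIN + "/billpay"}}
```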
But do these work in practice?

14 of 22

Top web vulnerabilities

"But do these work in practice?"

Yes!

15 of 22

Other CSRF defenses

Bring the user into the loop!

  • Re-authenticate for security-sensitive functions
  • Confirmation dialogue with one-time token
  • CAPTCHAs

16 of 22

Reflected XSS

Steal the CSRF token and submit a request!

Email it to him!

17 of 22

One document is allowed to access another if they have both set document.domain to the same value, indicating their intent to cooperate, or neither has set document.domain and the domains in the URLs are the same.

18 of 22

T-Mobile Austria!

19 of 22

Exhibit A

20 of 22

Exhibit B

21 of 22

Exhibit C

22 of 22

Exhibit D