23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

Justus Winter
Martin Johns
Day 4
Room Saal 3
Start time 11:30
Duration 01:00
ID 1560
Event type Lecture
Track Hacking
Language English

CSRF, the Intranet and You

Causes, Attacks and Countermeasures

A detailed introduction to Cross Site Request Forgery. This talk presents the fundamental cause of this vulnerability class and examples of potential attack consequences. The second half of the talk is devoted to avoiding and countering CSRF: Implementing CSRF proof session handling, transparent retrofitting of legacy applications and methods for client side protection.

Cross Site Request Forgery (CSRF, a.k.a. Session Riding) attacks have been publicly known since at least 2001. However, this class of web application vulnerabilities is rather obscure compared to attack vectors such as Cross Site Scripting or SQL Injection. As the trend towards web applications continues and an increasing number of local programs and appliances such as firewalls rely on web based frontends, the attack surface for CSRF grows continuously.

While in some cases as dangerous as, for example, Cross Site Scripting, CSRF vulnerabilities are often regarded as negligible. Moreover, this vulnerability class is often simply unknown to some web application developers. Because of this obscurity, many misconceptions about countering CSRF exist. The talk will not only show how to avoid XSRF but also how NOT to do it. Furthermore, most presentations on CSRF only address attacks on cookie based session management. This talk will also cover attacks on HTTP authentication, client side SSL and IP/MAC based access control.

CSRF is an attack that targets the user rather than the web application. As long as web applications do not take measures to protect their users against this threat, it is important to investigate possibilities for implementing client side mechanisms. This talk will cover a new anti-CSRF Firefox Extension, which is currently under development, as well as "RequestRodeo", a client side proxy which was, to the best of our knowledge, the first client-side solution for protection against XSRF attacks.
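The server-side countermeasure the abstract calls CSRF-proof session handling, as an added example that is not from the talk or its authors: a state-changing handler authenticated by the ambient session cookie alone, next to the same handler that additionally requires a per-session secret which the browser never attaches on its own (the same check holds when the ambient credential is HTTP authentication or a client certificate instead of a cookie, since none of those carry the token either). The in-memory session store, the handlers and the simulated requests are constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def new_session(user):
    """Create a session with a fresh random anti-CSRF token bound to it."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "balance": 100}
    return sid


def session_from_cookie(cookies):
    return SESSIONS.get(cookies.get("sid"))


def transfer_vulnerable(cookies, form):
    """Authenticated only by the cookie the browser sends automatically."""
    s = session_from_cookie(cookies)
    if s is None:
        return 401
    s["balance"] -= int(form["amount"])
    return 200


def transfer_protected(cookies, form):
    """Same action, but the request must also carry the session's token."""
    s = session_from_cookie(cookies)
    if s is None:
        return 401
    # Constant-time comparison against the token stored server-side for this session.
    if not hmac.compare_digest(form.get("csrf", ""), s["csrf"]):
        return 403
    s["balance"] -= int(form["amount"])
    return 200


def forged_request(handler, sid):
    """A cross-site form post: the victim's cookie rides along, the token does not,
    because the attacking origin cannot read the application's own page."""
    return handler({"sid": sid}, {"amount": "50"})


def legitimate_request(handler, sid):
    """The application's own form embeds the token as a hidden field."""
    return handler({"sid": sid}, {"amount": "50", "csrf": SESSIONS[sid]["csrf"]})
```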