Analysis of CSRF Defenses in Web Frameworks


This presentation summarises a study of the CSRF defenses shipped by popular web frameworks: which defenses they implement, how securely they implement them, and how well they document them. CSRF is a long-standing web vulnerability, yet little was known about the security of the defense implementations themselves or about how easily developers can misuse them; the study aims to close that gap.



Presentation Transcript


  1. Where We Stand (or Fall): An Analysis of CSRF Defenses in Web Frameworks
  Giancarlo Pellegrino, Soheil Khodayari, Xhelal Likaj (CISPA Helmholtz Center for Information Security; Saarland University). RAID 2021

  2. Outline
  - Introduction
  - Problem Statement
  - Methodology
  - CSRF Defenses
  - Threat Modeling
  - Security & Documentation Analysis
  - Developers Feedback
  - Conclusion


  4. Introduction
  Cross-Site Request Forgery (CSRF) is among the oldest web vulnerabilities and has consistently ranked among the top ten threats to web applications. Depending on the request that is forged, a successful attack can lead to:
  - remote code execution
  - user account take-over
  - compromise of database integrity
  How can CSRF attacks be prevented?
  - research community: client-side and server-side defense mechanisms
  - web frameworks: off-the-shelf CSRF defenses

  5. Introduction
  Most previous effort has focused on:
  - defense mechanisms
  - vulnerability detection
  To date, we know little to nothing about:
  - the security of the CSRF defense implementations themselves
  - their susceptibility to improper use by developers

  6. Contributions
  - security evaluation of CSRF defenses as implemented by popular web frameworks
  - exhaustive review of the existing proposed defenses and of the potential threats against them
  - identification of 44 popular web frameworks across 5 programming languages
  - ranking of the frameworks' documentation against six quality attributes


  8. Problem Statement

  9. Research Questions
  RQ1: Available CSRF Defenses
  RQ2: Security of Existing Defenses
  RQ3: Developers Challenges


  11. Methodology
  Preparatory steps:
  A. Identification of Popular Web Frameworks
  B. Survey of CSRF Defenses
  C. Threat Analysis
  Analysis steps:
  D. Analysis of the Code
  E. Documentation Review

  12. A. Identification of Popular Web Frameworks
  JavaScript: Express, Meteor, Koa, Hapi, Sails, Fastify, ThinkJS, Total.js, AdonisJs
  Python: Flask, Django, Tornado, Bottle, Pyramid, Falcon, Zope, Masonite, TurboGears, Web2py
  Java: Spring, Play, Spark, Vert.x-Web, Vaadin, Dropwizard, Blade, ZK, Apache Struts, Apache Wicket
  PHP: Laravel, Symfony, Slim, CakePHP, Zend / Laminas, CodeIgniter, FuelPHP, Yii2, Phalcon, Li3
  C#: ASP.NET Web Forms, ASP.NET MVC, ASP.NET Core, Service Stack, Nancy

  13. B. Survey of CSRF Defenses
  Reviewing academic and non-academic resources yielded 16 distinct defense mechanisms in 4 categories, each category addressing one of the 4 behaviors that CSRF attacks exploit:
  1. Origin Checks
  2. Request Unguessability
  3. Same-Origin Policy for Cookies
  4. User Intention

  14. C. Threat Analysis
  Possible threats against CSRF defenses were identified by reviewing:
  1. academic literature
  2. OWASP security best practices
  3. the National Vulnerability Database
  4. the web frameworks' GitHub issues
  This yielded 4 relevant threat categories:
  1. Token Generation
  2. CSRF Token Leakage and Abuse
  3. Cookie Integrity
  4. Implementation Mistakes

  15. D. Analysis of the Code
  No single program analysis technique satisfies all three requirements:
  1. analyze programs written in multiple programming languages
  2. analyze partial programs such as frameworks and libraries
  3. detect the 4 categories of threats identified on the previous slide
  We therefore defined a manual methodology that combines:
  1. code review
  2. dynamic testing
  3. a strict evaluation protocol

  16. E. Documentation Review
  Six quality criteria that the documentation of a CSRF defense should meet:
  1. Defense Name or Description
  2. API Specs
  3. Configuration
  4. Code Example
  5. Cryptographic Guarantees
  6. General Security Considerations


  18. CSRF Defenses (RQ1: Available CSRF Defenses)
  16 distinct defense mechanisms in 4 categories, each category addressing one of the 4 behaviors that CSRF attacks exploit:
  A. Origin Checks
  B. Request Unguessability
  C. Same-Origin Policy for Cookies
  D. User Intention

  19. A. Origin Checks
  A distinctive feature of CSRF attacks is that the origin of the forged request differs from the origin of the target.
  Defenses:
  1. checking the origin of an HTTP request server-side: compare the request's Origin and Referer headers against the application's own origin
  2. Cross-Origin Resource Sharing (CORS): before sending a cross-origin request (COR), the browser checks (via a preflight) whether it complies with the server's CORS policy. Note that preflights are only issued for requests a plain HTML form could not produce; a simple form POST is sent regardless, so CORS on its own does not stop classic CSRF.
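The server-side origin check described above, as an added example written for this page in Python (standard library only); it is not code from the paper, its slides, or any of the frameworks studied. The site origin, header values and the decision to fail closed when neither Origin nor Referer is present are constructed assumptions. Origins are compared as scheme, lowercased host and port (with default ports normalised), not as string prefixes, so `https://app.example.com.evil.net` does not match.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed example: the origin the protected application is served from.
SITE_ORIGIN = "https://app.example.com"


def origin_of(url: str) -> Optional[str]:
    """Reduce an Origin or Referer value to its scheme://host[:port] origin.

    Returns None for anything that is not a well-formed http(s) URL, so a
    malformed header can never compare equal to the site origin."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    port = default_port if port is None else port
    host = parts.hostname.lower()
    if port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def is_same_origin(headers: Dict[str, str], site_origin: str = SITE_ORIGIN) -> bool:
    """Server-side origin check for state-changing requests.

    Prefer the Origin header; fall back to Referer only when Origin is absent.
    With neither header present, or with the opaque origin "null", fail closed:
    a forged request that arrives stripped of both headers must not pass.
    """
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    expected = origin_of(site_origin)
    if "origin" in h:
        if h["origin"].strip().lower() == "null":
            return False
        return origin_of(h["origin"]) == expected
    if "referer" in h:
        return origin_of(h["referer"]) == expected
    return False
```

Failing closed is the conservative choice; the paper's point that defenses are easy to misuse applies here too, because a check that skips requests without an Origin header is trivially bypassed by any client that omits it.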

  20. B. Request Unguessability
  A distinctive feature of CSRF attacks is that the attacker can guess (or fix) every parameter of the forged request except the cookies, so these defenses add a value the attacker cannot predict.
  Defenses:
  1. Synchronizer Token Pattern (plain token): a random token stored server-side and tied to the user session, compared with the copy submitted in the request
  2. Encryption-based Token Pattern and HMAC-based Token Pattern: stateless variants that protect a token containing a timestamp and the user session identifier with a server-side key, so it can be validated without server-side storage
  3. Double Submit Cookie (and its Triple Submit variant): the server accepts a request only if two conditions hold, e.g. the token in a cookie matches the token in the request body or header; the triple-submit variant adds a further condition on the cookie
  4. Cookie-less user session management: the session token is kept in localStorage and sent in a custom header that the browser never attaches automatically, so a forged cross-site request arrives unauthenticated
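The HMAC-based token pattern from item 2 above, as an added example written for this page in Python (standard library only); it is not code from the paper, its slides, or any framework it studies. The token carries its issue timestamp and an HMAC-SHA256 over timestamp and session identifier; the session identifier itself is not embedded (the server already knows it from the session cookie), so it is not exposed in a form field. The key length, TTL and session identifiers are constructed values.

```python
import hmac
import secrets
import time
from hashlib import sha256
from typing import Optional

TOKEN_TTL = 3600  # seconds a token stays valid (constructed value)


def generate_key() -> bytes:
    """Server-wide MAC key from the OS CSPRNG; keep it out of the code base."""
    return secrets.token_bytes(32)


def _mac(key: bytes, issued_at: int, session_id: str) -> str:
    return hmac.new(key, f"{issued_at}:{session_id}".encode(), sha256).hexdigest()


def make_token(key: bytes, session_id: str, now: Optional[int] = None) -> str:
    """Token = issue timestamp . HMAC(key, timestamp:session_id).

    Nothing is stored server-side; the MAC ties the token to this session and
    this issue time, and only the holder of the key can produce a valid one."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_mac(key, issued_at, session_id)}"


def verify_token(key: bytes, token: str, session_id: str, now: Optional[int] = None) -> bool:
    """Accept only if the token is well-formed, not expired, not from the future,
    and the MAC recomputed for *this* session matches (constant-time compare)."""
    issued_str, _, mac_hex = token.partition(".")
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    now = int(time.time()) if now is None else now
    if issued_at > now + 60 or now - issued_at > TOKEN_TTL:
        return False
    expected = _mac(key, issued_at, session_id)
    return hmac.compare_digest(expected.encode(), mac_hex.encode())


if __name__ == "__main__":
    k = generate_key()
    t = make_token(k, "sess-A")
    print(t, verify_token(k, t, "sess-A"), verify_token(k, t, "sess-B"))
```

Binding the MAC to the session identifier is what stops a token issued to the attacker's own session from being replayed against the victim's; the expiry bounds how long a leaked token stays useful.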

  21. C. Same-Origin Policy for Cookies
  A behavior exploited by CSRF attacks is the browser's cookie policy: cookies are attached to a request based on its destination, regardless of which site initiated it.
  Defenses:
  1. the SameSite cookie attribute (values: Strict, Lax, None):
     Strict: the cookie is never sent on cross-site requests, including cross-site top-level navigations and iframes
     Lax: the cookie is sent on cross-site top-level navigations that use safe methods (GET), but not on cross-site POSTs, subresources or iframes; state-changing GET endpoints therefore remain exposed
     None: the cookie is sent on all cross-site requests (browsers require Secure alongside it)
  2. limiting the life span of session cookies

  22. D. User Intention
  A distinctive feature of CSRF attacks is that the web application cannot determine whether a request is the result of the user's intention.
  Defenses:
  1. user re-authentication
  2. one-time token
  3. solving (re)CAPTCHA challenges
  4. multi-browser navigation


  24. Threat Modeling
  4 relevant threat categories:
  A. Token Generation
  B. CSRF Token Leakage and Abuse
  C. Cookie Integrity
  D. Implementation Mistakes

  25. A. Token Generation
  Weak generators:
  - hashing of user identifiers (an attacker who knows the identifier can compute the token)
  - timestamps
  - non-cryptographic pseudo-random number generators (PRNG), as opposed to a cryptographically secure PRNG (CSPRNG)
  Insufficient randomness:
  - insufficient token randomness (too few random bits in the token)
  - insufficient key randomness (too few random bits in the key used to protect tokens)
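Why a non-cryptographic generator seeded from the clock is a weak generator, and what the "no check on key length" risk looks like in code, as an added example written for this page in Python (standard library only); it is not code from the paper or from any framework it studies. The 32-byte minimum key size and the seed-search window are constructed policy values.

```python
import random
import secrets

MIN_KEY_BYTES = 32  # constructed policy: refuse shorter keys for HMAC-SHA256


def weak_token(seed_second: int) -> str:
    """Token from Python's Mersenne Twister seeded with the issue time in seconds.
    The generator is not cryptographic and the seed space is tiny, so anyone who
    can estimate when the token was issued can regenerate it exactly."""
    rng = random.Random(seed_second)
    return "%032x" % rng.getrandbits(128)


def attacker_recovers_seed(observed: str, approx_issue_time: int, window: int = 30) -> bool:
    """Brute-force the seed over a small window around the estimated issue time
    (e.g. taken from the Date header of the response that carried the token)."""
    for second in range(approx_issue_time - window, approx_issue_time + window + 1):
        if weak_token(second) == observed:
            return True
    return False


def strong_token(nbytes: int = 32) -> str:
    """Token from the OS CSPRNG: 32 bytes is 256 bits of entropy, unpredictable
    regardless of what the attacker knows about timing."""
    return secrets.token_hex(nbytes)


def key_is_acceptable(key: bytes) -> bool:
    """A framework that silently accepts a two-byte configured key makes the MAC
    over its tokens brute-forceable; the check has to exist somewhere."""
    return len(key) >= MIN_KEY_BYTES


def load_key(key: bytes) -> bytes:
    """Fail at start-up rather than at exploit time."""
    if not key_is_acceptable(key):
        raise ValueError(f"CSRF key is {len(key)} bytes; at least {MIN_KEY_BYTES} required")
    return key
```

The seed search is deliberately naive; with a per-second seed it finishes in microseconds, which is the point: the token's 128 bits of apparent width hide a search space of a few dozen values.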

  26. B. CSRF Token Leakage and Abuse
  Side-channel attacks: attacks such as BREACH recover a token byte by byte from HTTP responses that use compression (gzip or DEFLATE), by injecting guesses into the page and observing the compressed response size.
  Cross-domain Referer leakage: the token can be transmitted to the client in a hidden HTML form input, a JavaScript variable or a custom request header; if it instead ends up in a URL, it leaks to third parties through the Referer header.
  CORS misconfiguration: server-side misconfigurations can also leak the token, for example a server that lets an attacker-controlled origin read authenticated responses:
    Access-Control-Allow-Origin: http://example.com
    Access-Control-Allow-Credentials: true
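The CORS misconfiguration above, as an added example written for this page in Python (standard library only); it is not code from the paper or from any framework it studies. Two misconfigured response-header policies (reflecting the request's Origin, and a suffix match on the domain) are shown beside an exact-match allow-list, together with an approximation of the browser rule that decides whether a credentialed cross-origin response body is exposed to the calling page. Origins and the allow-list are constructed.

```python
from typing import Dict, Optional

# Constructed allow-list of origins permitted to read authenticated responses.
TRUSTED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Misconfiguration: echo whatever Origin arrives and allow credentials.
    Any page can now make the victim's browser fetch, say, the settings form
    with the victim's cookies and read the CSRF token out of the response."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin: Optional[str]) -> Dict[str, str]:
    """Misconfiguration: 'trust anything under example.com' as a suffix test.
    https://evil-example.com also ends in the expected string."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_allowlisted(origin: Optional[str]) -> Dict[str, str]:
    """Exact match against a fixed set. Vary: Origin keeps shared caches from
    serving one origin's ACAO header to a different caller."""
    if origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def readable_cross_origin(caller_origin: str, response_headers: Dict[str, str]) -> bool:
    """Approximation of the browser rule for a credentialed cross-origin request:
    the body is exposed to the caller only if ACAO equals the caller's origin
    exactly (a wildcard is refused when credentials are included) and ACAC is 'true'."""
    return (response_headers.get("Access-Control-Allow-Origin") == caller_origin
            and response_headers.get("Access-Control-Allow-Credentials") == "true")
```

Once the attacker's page can read the authenticated response, the unguessability defense is gone: the token is just another value in the HTML, and the attacker submits the forged request with it.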

  27. C. Cookie Integrity
  Cookie tossing: a cookie set for a domain is sent to that domain and all of its subdomains. If the attacker controls a subdomain of the target web application, they can set or overwrite cookies for the parent domain with attacker-specified values, and the server cannot tell the tossed cookie from the legitimate one.
  Jar overflow attack: the browser's cookie jar has a limited capacity per domain. When the limit is reached, older cookies are evicted and can be replaced with attacker-specified values.
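How cookie tossing defeats a plain double-submit check, and how binding the cookie to the session defeats tossing, as an added example written for this page in Python (standard library only); it is not code from the paper or from any framework it studies. The browser cookie jar is a toy model (domain match plus RFC 6265 path ordering), and the server key, session identifier, hosts and paths are constructed. The hardened variant adds the extra condition of rejecting a request that carries more than one CSRF cookie, since a duplicate is the visible symptom of tossing.

```python
import hmac
from hashlib import sha256
from typing import Dict, List, Tuple

# Constructed fixtures: a stand-in server key and one victim session.
SERVER_KEY = b"\x01" * 32  # in production: secrets.token_bytes(32), kept out of the repo
SESSION_ID = "sess-7b1c"

Cookie = Tuple[str, str, str, str]  # (name, value, domain, path)


def cookies_sent(jar: List[Cookie], host: str, path: str) -> List[Cookie]:
    """Toy model of what a browser attaches to a request for host+path: cookies whose
    domain is this host or a parent of it and whose path is a prefix of the request
    path, longer paths first (RFC 6265 section 5.4), creation order otherwise."""
    matching = [c for c in jar
                if (host == c[2] or host.endswith("." + c[2])) and path.startswith(c[3])]
    return sorted(matching, key=lambda c: -len(c[3]))  # stable sort keeps creation order


def cookie_header(sent: List[Cookie]) -> str:
    return "; ".join(f"{name}={value}" for name, value, _, _ in sent)


def parse_cookies(header: str) -> Dict[str, List[str]]:
    """Keep every occurrence of a name. A parser that collapses duplicates to one
    value silently picks a winner, and the server has no way to know which copy
    came from the legitimate host."""
    out: Dict[str, List[str]] = {}
    for part in filter(None, header.split("; ")):
        name, _, value = part.partition("=")
        out.setdefault(name, []).append(value)
    return out


def naive_double_submit(cookie_hdr: str, form_token: str) -> bool:
    """Plain double submit: accept if the form field equals the first csrf cookie.
    No server secret is involved, so any cookie the attacker can plant is 'valid'."""
    values = parse_cookies(cookie_hdr).get("csrf", [])
    return bool(values) and hmac.compare_digest(values[0], form_token)


def bound_double_submit(cookie_hdr: str, form_token: str, session_id: str) -> bool:
    """Hardened: exactly one csrf cookie, equal to the form field, and equal to a MAC
    over the session id that only the holder of SERVER_KEY can compute."""
    values = parse_cookies(cookie_hdr).get("csrf", [])
    if len(values) != 1:  # a duplicate is the tell-tale sign of tossing
        return False
    expected = hmac.new(SERVER_KEY, session_id.encode(), sha256).hexdigest()
    return hmac.compare_digest(values[0], form_token) and hmac.compare_digest(values[0], expected)


def scenario(tossed: bool, bound: bool) -> bool:
    """Does the (possibly forged) request pass the check? The legitimate cookie is
    host-only for app.example.com; the tossed one was set from evil.example.com with
    Domain=example.com and a longer Path, so the browser lists it first."""
    legit = hmac.new(SERVER_KEY, SESSION_ID.encode(), sha256).hexdigest()
    jar: List[Cookie] = [("csrf", legit, "app.example.com", "/")]
    form_token = legit
    if tossed:
        jar.append(("csrf", "ATTACKER", "example.com", "/account"))
        form_token = "ATTACKER"  # attacker puts the same value in the forged form
    hdr = cookie_header(cookies_sent(jar, "app.example.com", "/account/delete"))
    if bound:
        return bound_double_submit(hdr, form_token, SESSION_ID)
    return naive_double_submit(hdr, form_token)
```

The naive check passes the forged request because it only asks whether two attacker-controlled values agree with each other; the bound check asks whether the cookie agrees with something the attacker cannot compute.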

  28. D. Implementation Mistakes
  Missing checks on HTTP methods: if CSRF checks are applied only to specific HTTP methods (e.g. a deny-list of POST, PUT and DELETE), validation can be bypassed with a method the list omits, or by overriding the request method (e.g. via an X-HTTP-Method-Override header or a _method form field) after the check has already run on the original method.
  Logical mistakes: a simple logic error such as using the OR operator instead of AND, so that satisfying one of two required checks is enough.
  Replay attacks: assuming the attacker has obtained the CSRF token (e.g. through one of the leaks above), they can reuse the same token to forge state-changing requests until the session cookie expires, unless tokens are single-use or short-lived.
  Cross-Site WebSocket Hijacking: if the WebSocket handshake is authenticated solely by cookies, the connection can be hijacked by a CSRF attack, because the handshake is an ordinary HTTP request that the browser sends with the cookies attached.
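Three of the implementation mistakes above (deny-list of methods, checking the raw rather than the effective method, OR instead of AND) in one deliberately vulnerable check next to its hardened form, plus a single-use token store against replay, as an added example written for this page in Python (standard library only); it is not code from the paper or from any framework it studies. The request model is constructed, and the override policy that honours X-HTTP-Method-Override on any method is a constructed, deliberately permissive assumption, chosen to make the ordering bug visible; real frameworks differ in when they honour overrides, which is exactly why the check must look at the method the application will act on.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Set

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str                                        # method as sent on the wire
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    session_token: str = ""                            # token bound to this user's session


def effective_method(req: Request) -> str:
    """Constructed, permissive override policy (assumption for this example):
    an X-HTTP-Method-Override header is honoured on any request."""
    return req.headers.get("X-HTTP-Method-Override", req.method).upper()


def token_ok(req: Request) -> bool:
    supplied = req.form.get("csrf_token", "")
    return bool(req.session_token) and hmac.compare_digest(supplied, req.session_token)


def csrf_check_vulnerable(req: Request) -> bool:
    """Three mistakes in one function:
    1. deny-list of methods, so PATCH is never checked;
    2. the raw method is inspected, before any override is applied;
    3. OR where AND was meant, so any non-empty token passes."""
    if req.method in {"POST", "PUT", "DELETE"}:
        supplied = req.form.get("csrf_token", "")
        return bool(supplied) or token_ok(req)  # BUG: should be 'and'
    return True


def csrf_check_hardened(req: Request) -> bool:
    """Allow-list of safe methods, evaluated on the effective method; everything
    else needs a token that is present AND matches the session's token."""
    if effective_method(req) in SAFE_METHODS:
        return True
    return token_ok(req)


class OneTimeTokens:
    """Per-session single-use tokens: a token is consumed the first time it is
    accepted, so a leaked token cannot be replayed for the life of the session."""

    def __init__(self) -> None:
        self._issued: Set[str] = set()

    def issue(self) -> str:
        token = secrets.token_hex(16)
        self._issued.add(token)
        return token

    def consume(self, token: str) -> bool:
        if token in self._issued:
            self._issued.remove(token)
            return True
        return False
```

Safe methods are an allow-list for a reason: the set of methods that must be protected is open-ended (PATCH, framework-specific overrides, future additions), while the set of methods defined as safe is fixed.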


  30. Demographics

  31. Vulnerabilities
  157 security risks in total.
  17 security risks are directly exploitable with one or two HTTP requests, without relying on developer mistakes or misconfigurations of the targeted web application.
  140 security risks can be exploited only under specific circumstances, e.g. when a developer makes a mistake such as using a weak key or keeping the insecure default configuration, or when the framework performs no check on the key length.

  32. Vulnerabilities
  157 security risks, by threat category:
  - 80 implementation mistakes, affecting 37 frameworks
  - 37 CSRF token leakage, affecting 34 frameworks
  - 10 token generation, affecting 17 frameworks
  - 30 cookie integrity, affecting 15 frameworks

  33. Documentation and API Analysis
  Six quality criteria:
  1. Defense Name or Description
  2. API Specs
  3. Configuration
  4. Code Example
  5. Cryptographic Guarantees
  6. General Security Considerations
  Quality of the documentation (number of criteria met, out of 44 frameworks):
  - all 6 criteria: 2 frameworks
  - 5 criteria: 7 frameworks
  - 4 criteria: 8 frameworks
  - 3 criteria: 7 frameworks
  - 2 criteria: 7 frameworks
  - 1 criterion: 7 frameworks
  - 0 criteria: 6 frameworks
  In summary: 2 frameworks meet all six criteria, 22 meet three to five, and 20 meet two or fewer.


  35. Developers Feedback
  Of the 157 security risks reported, developers replied about 55:
  - 27 security risks had already been patched, in 8 frameworks
  - 28 security risks have not been fixed, in 8 frameworks
  Of the 16 potential threats reported, 14 received a reply:
  - for 12, at least one developer did not consider the reported threat a valid concern
  - for 10, at least one developer acknowledged the threat and patched their code


  37. Conclusion
  - the first systematic study of the implementation and security guarantees of CSRF defenses in 44 top web frameworks across 5 popular programming languages
  - 157 security risks identified
  - for these security risks, frameworks have divergent expectations about who is responsible for addressing them (the framework or the application developer)
  - at least 61.4% of the frameworks do not provide sufficient documentation regarding their CSRF defense
