Cross-Site Request Forgery (requires user verification)


Application

 

WASC classification: Authorization: Insufficient Authorization

 

Reference: http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml

 

Severity level:

Medium

 

Risk:

The user's session cookie can be stolen or manipulated, allowing the attacker to act as a legitimate customer.

 

Cause:

The application uses an insufficient security method.

 

Technical description:

CSRF is an attack that lets the attacker impersonate the victim. It arises mainly because the site does not properly validate the origin of the request.

The severity of the attack depends on the site's functionality: a CSRF attack on a search site is clearly less severe than one on a money-transfer or profile-modification page.

The attacker forces the victim's browser to send a request to the vulnerable site. If the user is logged in to that site, the request automatically uses the user's credentials (such as cookies, the user's IP address and other browser authentication features). The attacker can thus act under the user's identity. In other words, the attacked site has no proper way to verify that the user intended the action.

There are several ways to force the victim to send an unwanted request:

- Sending the victim a malicious link, for example by email

- Placing a link to the vulnerable site on the attacker's own site (as a hot-link via an image or frame)

- Posting a link to the vulnerable site in a forum

- Using Cross-Site Scripting or Link Injection to redirect the browser to the vulnerable site automatically

If the attacker uses a Link Injection vulnerability on the vulnerable site itself he or she increases the likelihood of the user being authenticated to the site, and by that increases the likelihood of the attack to succeed.

 

For example, using any of the above methods, the attacker can lure the victim into viewing a page that contains

<img src="//bank/transfer?destination=John&money=1000" style='visibility:hidden'>

This causes the victim's browser to issue the request automatically, together with the browser's current credentials. If the bank site is vulnerable to CSRF, this transfers 1000 yuan from the victim's account to John's account.

The Cross-Site Request Forgery attack is also known as CSRF (pronounced see-serf), XSRF, Cross-Site Reference Forgery, One-Click Attack and Session Riding.

Whether a system is vulnerable to CSRF can be verified as follows:

1. Check that the vulnerable link/request does not contain a parameter that is hard for an attacker to guess.

2. Check that the vulnerable link/request performs an operation that should only be performed willingly.

An application that contains a sensitive action which can be executed directly by a request the user submitted unknowingly is considered vulnerable to CSRF.

Fix:

To prevent CSRF attacks, every request must contain a unique identifier that an attacker cannot guess.

One suggested approach is to take the user's session id from the cookie and include it in the request as well; the application checks that the two match and rejects the request if they do not.

Any secret that is hard for an attacker to guess or obtain can replace the session id as the identifier.

This prevents the attacker from issuing a request that appears legitimate.


Cross-Site Request Forgery (requires user verification)

Application

 

WASC Threat Classification

Authorization: Insufficient Authorization

http://www.webappsec.org/projects/threat/classes/insufficient_authorization.shtml

 

CVE Reference(s)

N/A

 

Security Risks

It is possible to steal or manipulate customer session and cookies, which may be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user

 

Possible Causes

Insufficient authentication method was used by the application

 

Technical Description

Cross-Site Request Forgery (CSRF) is an attack that allows a hacker to perform an action on the vulnerable site on behalf of the victim. The attack is possible when the vulnerable site does not properly validate the origin of the request.

The severity of this vulnerability depends on the functionality of the affected application; for example, a CSRF attack on a search page is less severe than a CSRF attack on a money-transfer or profile-update page.

The attack is performed by forcing the victim's browser to issue an HTTP request to the vulnerable site. If the user is currently logged in to the victim site, the request will automatically use the user's credentials (like session cookies, the user's IP address, and other browser authentication methods). Using this method, the attacker forges the victim's identity and submits actions on his or her behalf. In other words, the vulnerable site does not take the proper measures to validate that the user indeed wanted to perform the specific action.

Forcing the victim to send the unintended request can be done in numerous ways:

- Sending the victim a malicious link to the vulnerable application via email.

- Putting a hot-link (like an image or frame) to the vulnerable site on the hacker's web page.

- Posting a link to the vulnerable site in a public forum.

- Using Cross-Site Scripting or Link Injection vulnerabilities in the site (or another site) and automatically redirecting the browser to the vulnerable site.

If the attacker uses a Link Injection vulnerability on the vulnerable site itself he or she increases the likelihood of the user being authenticated to the site, and by that increases the likelihood of the attack to succeed.

For example, using any of the above described options, an attacker can lure the victim to view a page containing:

<img src="//bank/transfer?destination=John&money=1000" style='visibility:hidden'>

This will cause the victim's browser to automatically request the URL together with the current credentials of the browser. If this banking site is vulnerable to CSRF, it will transfer 1000 dollars from the victim's account to John's bank account according to the application logic.

 

The Cross-Site Request Forgery attack is also known as CSRF (pronounced C-Serf), XSRF, Cross-Site Reference Forgery, One-Click Attack and Session Riding.

You can verify that your application is vulnerable to CSRF by:

[1] Checking that the vulnerable link/request does not include a parameter that is hard for an attacker to guess

[2] Checking that the vulnerable link/request performs an operation that should only be performed willingly

An application that contains a sensitive action, which can be accessed directly by a request that the user submitted unknowingly, is considered vulnerable to CSRF.
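The mechanics described above, as an added example that is not part of the original advisory and not AppScan's or any real bank's code: a toy browser keeps one cookie jar per host and attaches it to every request to that host, so a hidden image on an attacker's page makes the victim's browser call the bank with the victim's session cookie, and a handler that authenticates by cookie alone honours it. The block also shows the check the text says the vulnerable site lacks, validating the request's origin from the `Origin` or `Referer` header. The origins `bank.example` and `evil.example`, the session table and the balances are all constructed for the example.

```python
"""Model of the CSRF mechanics the advisory describes (cookies are attached by
the browser regardless of which page triggered the request) and an
Origin/Referer check of the kind the text says the vulnerable site lacks.
Everything here is constructed for the example: the bank endpoint, session
table, balances and the toy browser are not AppScan's or any real bank's code."""
from dataclasses import dataclass, field
from typing import Dict
from urllib.parse import parse_qs, urlparse

BANK_ORIGIN = "https://bank.example"      # assumed origin of the vulnerable site
ATTACKER_ORIGIN = "https://evil.example"  # assumed origin of the attacker's page


@dataclass
class Request:
    method: str
    url: str
    cookies: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


class ToyBrowser:
    """Keeps one cookie jar per host and attaches it to every request to that host.
    This is the legacy browser behaviour (before SameSite cookie defaults) that CSRF abuses."""

    def __init__(self) -> None:
        self.jar: Dict[str, Dict[str, str]] = {}

    def set_cookie(self, host: str, name: str, value: str) -> None:
        self.jar.setdefault(host, {})[name] = value

    def fetch(self, url: str, referer: str, method: str = "GET") -> Request:
        host = urlparse(url).netloc
        return Request(method, url, dict(self.jar.get(host, {})), {"Referer": referer})

    def render_page(self, page_origin: str, img_src: str) -> Request:
        """An <img src=...> on page_origin makes the browser GET img_src, cookies included."""
        # the advisory's example uses a scheme-relative URL ("//bank/..."); resolve it
        url = img_src if "://" in img_src else urlparse(page_origin).scheme + ":" + img_src
        return self.fetch(url, referer=page_origin)


def make_bank() -> dict:
    """Constructed state: one logged-in victim session and two balances."""
    return {"sessions": {"victim-session-id": "alice"}, "balances": {"alice": 5000, "John": 0}}


def vulnerable_transfer(bank: dict, req: Request) -> str:
    """Authenticates by session cookie alone, so any request carrying the cookie is honoured."""
    user = bank["sessions"].get(req.cookies.get("SESSIONID", ""))
    if user is None:
        return "401 not logged in"
    q = parse_qs(urlparse(req.url).query)
    dest, amount = q["destination"][0], int(q["money"][0])
    bank["balances"][user] -= amount
    bank["balances"][dest] = bank["balances"].get(dest, 0) + amount
    return "200 transferred"


def same_origin(req: Request, own_origin: str = BANK_ORIGIN) -> bool:
    """Origin check for state-changing endpoints: prefer the Origin header, fall back to
    Referer, and fail closed when neither is present."""
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False
    p = urlparse(source)
    return f"{p.scheme}://{p.netloc}" == own_origin


def demo() -> dict:
    bank = make_bank()
    browser = ToyBrowser()
    browser.set_cookie("bank.example", "SESSIONID", "victim-session-id")  # victim is logged in
    # the attacker's page embeds the advisory's hidden image (constructed URL)
    forged = browser.render_page(ATTACKER_ORIGIN, "//bank.example/transfer?destination=John&money=1000")
    forged_status = vulnerable_transfer(bank, forged)
    # the same request issued from the bank's own transfer page passes the origin check
    legit = browser.fetch(BANK_ORIGIN + "/transfer?destination=John&money=1000",
                          referer=BANK_ORIGIN + "/transfer")
    return {
        "forged_carried_cookie": "SESSIONID" in forged.cookies,
        "forged_status": forged_status,
        "victim_balance": bank["balances"]["alice"],
        "forged_passes_origin_check": same_origin(forged),
        "legit_passes_origin_check": same_origin(legit),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats on the origin check: browsers may omit `Referer` (privacy settings, referrer policies), so failing closed can reject some legitimate clients and the check is best treated as defence in depth beside a request token; and current Chromium-based browsers treat cookies without a `SameSite` attribute as `Lax`, so the cross-site image load in this simulation would not carry the cookie there unless it was set with `SameSite=None`. The simulation models the behaviour the advisory was written against.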

 

General Fix Recommendations

       In order to avoid CSRF attacks, every request should contain a unique identifier, which is a parameter that an attacker cannot guess.

One suggested option is to take the session id from the session cookie and add it as a parameter. The server must check that this parameter matches the session cookie, and if not discard the request. The reason an attacker cannot guess this parameter is the "same origin policy" that applies to cookies, so the attacker cannot forge a fake request that will seem real to the server.

       Any secret that is hard to guess and is not accessible to an attacker (i.e. not accessible from a different domain) can be used instead of the session id. This will prevent an attacker from crafting a seemingly valid request.
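The fix above, implemented as an added example (not AppScan's code and not any real application's): a synchronizer token is generated per session, embedded in the legitimate form as a hidden field, and compared on the server against the value stored for the session. A forged request carries the cookie but not the token, so it is rejected; the legitimate submission passes. The session store, the `/transfer` handler and the form markup are constructed for the example.

```python
"""Synchronizer-token defence for the transfer endpoint: every state-changing
request must carry a per-session secret that a cross-site page cannot read, and
the server compares it with the value stored for the session. Constructed
example; the session store, handler and form are not AppScan's or any real
application's code."""
import hmac
import re
import secrets
from typing import Dict, Optional

SESSIONS: Dict[str, dict] = {}   # session id -> {"user": ..., "csrf_token": ...}
BALANCES: Dict[str, int] = {}    # reset in demo()


def login(user: str) -> str:
    """Create a session. The CSRF token is a separate random secret rather than the
    session id itself, so it can appear in form bodies without exposing the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid: str) -> str:
    """The legitimate page embeds the token in a hidden field. Only the user's browser
    rendering this same-origin page sees it; a page on another origin cannot read it."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="destination"><input name="money"></form>')


def token_from_form(html: str) -> Optional[str]:
    """What the browser submits back from the hidden field."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else None


def protected_transfer(method: str, cookies: Dict[str, str], form: Dict[str, str]) -> str:
    """Reject anything that is not a POST carrying the session's token."""
    if method != "POST":
        return "405 state changes require POST"
    sess = SESSIONS.get(cookies.get("SESSIONID", ""))
    if sess is None:
        return "401 not logged in"
    supplied = form.get("csrf_token", "")
    # constant-time comparison so response timing does not leak the token byte by byte
    if not hmac.compare_digest(supplied.encode(), sess["csrf_token"].encode()):
        return "403 csrf token missing or invalid"
    dest, amount = form["destination"], int(form["money"])
    if amount <= 0 or BALANCES.get(sess["user"], 0) < amount:
        return "400 invalid amount"
    BALANCES[sess["user"]] -= amount
    BALANCES[dest] = BALANCES.get(dest, 0) + amount
    return "200 transferred"


def demo() -> dict:
    BALANCES.clear()
    BALANCES.update({"alice": 5000, "John": 0})
    sid = login("alice")
    cookies = {"SESSIONID": sid}  # what the victim's browser attaches automatically
    params = {"destination": "John", "money": "1000"}
    # forged POST: attacker knows the endpoint and parameters but not the token
    forged = protected_transfer("POST", cookies, dict(params))
    # forged GET (the hidden-image case): rejected before the token is even checked
    forged_get = protected_transfer("GET", cookies, dict(params))
    # a guessed token is just as useless
    guessed = protected_transfer("POST", cookies, {"csrf_token": secrets.token_urlsafe(32), **params})
    # legitimate submission from the bank's own form
    token = token_from_form(render_transfer_form(sid))
    legit = protected_transfer("POST", cookies, {"csrf_token": token, **params})
    return {"forged": forged, "forged_get": forged_get, "guessed": guessed,
            "legit": legit, "alice_balance": BALANCES["alice"]}


if __name__ == "__main__":
    print(demo())
```

The advisory's own suggestion, the session id as the extra parameter, defeats the forgery for the same reason, but it copies the session id into URLs and form bodies where it can end up in server logs, browser history and `Referer` headers; a separate random token bound to the session, as in this block, avoids that. Restricting state changes to POST matters too: a `GET` endpoint can be triggered by the `<img>` tag in the advisory's example without any token check ever running.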

 

References and Relevant Links

Cross-site request forgery wiki page

"JavaScript Hijacking" by Fortify

Cross-Site Request Forgery Training Module

 
