I did a presentation on CSRF for my local OWASP chapter and an interesting question came up about exploiting a CSRF vulnerability while using XMLHttpRequests (these are very popular with Ajax nowadays). CSRF vulnerabilities exploit the trust that a site has in the browser. In the case of an authenticated session, since the browser does not send a NEW session ID to the application as proof that each HTTP request is authenticated, it allows riding the session with an interleaved malicious HTTP request (I actually like the term "session riding" better, because you are really riding an authenticated session).
If I social engineer (phish) a victim into opening a web page (via webmail, for example) that contains a malicious HTML tag such as an iframe with an embedded GET request, and that request is issued (by the victim opening the page) while an authenticated session with the same application is still valid, then the malicious request will be processed by the application. Attacks of this nature can force a business transaction such as a bank money transfer, a denial of service via forced logout, or modification of shopping cart details to force a purchase with a price and address of the attacker's choosing.
The main root cause of CSRF on the client is the lack of enforcement of the same origin policy. That policy prevents two different documents loaded in the browser, one of them potentially malicious, from accessing each other via JavaScript: the browser checks whether the JavaScript invocation crosses two different origins and denies it if so. The problem is that the same origin policy does not apply to HTML tags: an attacker can embed a URL pointing at the target site in a document from an untrusted domain, serve that document to the victim, and the request will still be issued to the site and authenticated by the application, because the browser attaches the session cookie. Contrary to HTML tags, when asynchronous requests are issued via XMLHttpRequest (XHR) the same origin policy is enforced by the browser, and in theory a CSRF attack will be mitigated by that browser control.
The reality is that if malware is present on the client (for example through an XSS exploit), this control can potentially be overridden, simply because XHR relies on client-side JavaScript. In other cases, if the request is issued via Flash, the same origin policy can effectively be disabled for this vulnerability through a configuration management issue.
Here are the facts in detail:
1) XMLHttpRequest has a same origin policy enforced in both IE and Mozilla
2) Because of the same origin policy, a document/script loaded from one site of origin cannot be accessed from a site of a different origin
3) XMLHttpRequest relies on JavaScript to issue POSTs such as:
var post_data = 'name=value';
// The original used the IE-only ActiveX object; modern browsers expose XMLHttpRequest directly
var xmlhttp = window.XMLHttpRequest ? new XMLHttpRequest() : new ActiveXObject("Microsoft.XMLHTTP");
xmlhttp.open("POST", 'http://url/path/file.ext', true);
// A form-encoded body needs its content type declared, otherwise the server will not parse name=value
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.onreadystatechange = function () {
    if (xmlhttp.readyState == 4) {
        alert(xmlhttp.responseText);
    }
};
xmlhttp.send(post_data);
4) Since XHR relies on JavaScript, malware installed on the client (like the Samy web worm, which exploited both XSS and CSRF) can overwrite the JavaScript function by overriding the constructor XMLHttpRequest() { }. By doing so the attacker bypasses the XHR call and disables the same origin functionality enforced on XHR.
5) The same origin policy can also be bypassed by using Adobe/Macromedia Flash to issue the requests, because cross-domain access is permitted depending on the rule set in the "crossdomain.xml" file present in the root of the target web server.
So basically, like everything else in security, there is no 100% mitigation of the risk. In the case of XHR, CSRF browser controls can also be bypassed despite the same origin policy in the browser. The golden rule for security is to rely on multi-layered security: XHR with the same origin policy, but also a unique token for each URL tied to the user session, like you can do by using OWASP Guard. To remediate CSRF vulnerabilities, every HTTP request (not just the one you log in with) that could potentially be exploited for unauthorized transactions (i.e. HTTP POST of confidential data, high-risk transactions) needs to be authenticated by issuing a new token/session ID or even by requiring a PIN.
References
http://taossa.com/index.php/2007/02/08/same-origin-policy/
http://www.cgisecurity.com/articles/csrf-faq.shtml
http://jeremiahgrossman.blogspot.com/2007/01/preventing-csrf-when-vulnerable-to-xss.html
Wednesday, May 28, 2008
XHR, CSRF and bypassing the browser same origin policy
Sunday, May 25, 2008
Security and Privacy Day @ Stony Brook
Stony Brook University is hosting a Security and Privacy Day next Friday, May 30th: http://web.crypto.cs.sunysb.edu/spday/. The topics being covered are pretty interesting, such as language-based security, security and outsourcing, network security, trusted hardware and privacy:
Use of the Links programming language to enforce security policies, http://www.cs.umd.edu/projects/PL/selinks/, from Dr Michael Hicks of Univ of Maryland
Languages for tracking information flows and in particular security metadata (e.g. CIA attributes) from Dr Marco Pistoia of IBM
Database as a Service (DAS) for secure and efficient query evaluation over encrypted databases from Dr Wendy Hui Wang of Stevens
Security as a Service (SaaS) models from Suresh Sari, also from IBM Research
And other interesting papers..
May 25 is the deadline to register. The organizers also plan a nice sightseeing program with wine tasting and boating trips around the Long Island beach area.
I plan to attend the conference also to meet Dr Radu Sion, with whom I had some previous email exchanges about a paper (Financial Cryptography Conference in Mexico last January, which I did not attend), and to connect with some academics in light of my future publishing endeavors (a book I intend to write on Software Security Frameworks).
Most importantly, to take Suzanne (my wife) with me and celebrate together our 4th wedding anniversary with a nice visit/lunch at one of the local wineries on Saturday.
Security and wine tasting is really appealing... + a car racing event would be electrifying... I will refrain from taking the wine-car talk spin topic onto this blog... Cheers :)
Labels:
Presentations And Publications
Saturday, May 17, 2008
USA 08 BH Presentation Schedule Is Out!
A list of selected presentations for USA Blackhat 2008 has just come out:
http://www.blackhat.com/html/bh-usa-08/bh-usa-08-schedule.html
The list of speakers is here:
http://www.blackhat.com/html/bh-usa-08/bh-usa-08-speakers.html
Overall it looks like the selected speakers are of high caliber and work for well known, reputable security organizations. Among the speakers, it was nice to see some OWASP fellows being selected, such as Ivan Ristic (0 Day Defense talk) as well as Jacob West of Fortify (Deep Knowledge Day 1) and Shanit Gupta of Foundstone (Turbo Talk).
I thought it was interesting to look at the speakers' company/organization representation by number of talks (No), also to get a sense of which organizations the thought leaders work for.
I also looked at speakers representing themselves as independent professionals (IP):
- Root Kit Arms Race: Clear Hat Consulting (2), Intel (1), IP (1), Praetorian Global (1)
- 0 Day: Apple (1), NM (1), Pure Hacking (1), IRM-Information Risk Management Plc (1)
- 0 Day Defense: Tel-Aviv University (1), OWASP-Breach Security Inc (1), Fourteenforty Research Institute, Inc (1)
- AppSec 1.0-2.0/Day 1: iSec Partners (1), Symantec (1), GNUCITIZEN (1)
- AppSec 1.0-2.0/Day 2: Secure Windows Initiative (1), Agura Digital Security (1), Offensive Computing LLC-Hexagon Security Group (1), SecNiche Security (1), HP Security Labs (1)
- Bots and malware: Microsoft (1), Radware (1), Shmoo Group-Ponte Technologies (1)
- Deep Knowledge Day 1: IP (1), Fortify (1)
- Deep Knowledge Day 2: Ernst & Young (1)
- Forensics-Antiforensics: Recurity Labs (1), United States Military Academy (1), IP (1), Trustwave (1)
- Hardware: Hypervista Technologies (1), Intel (1), Oak Ridge National Laboratory (1)
- The Network: IP (1), Dartmouth College (1)
- Developer: Microsoft (1)
- OTA: IP (2), Root Labs (1), U. S. Department of Commerce (1), Aladdin Knowledge Systems (1)
- Virtualization: IP (3), VMware (1), Unisys (1)
- Reverse Engineering: Naval Postgraduate School (1), SAIC (1)
- Turbo Talks: Hypervista Technologies (1), IP (2), Gotham Digital Science (2), iSEC Partners (1), Foundstone (1), ETRI (1)
Among the largest organizations I see Microsoft, Apple, Intel, Symantec, VMware, Unisys and HP very well represented.
Among the well known consulting companies I see: SAIC, Foundstone, Ernst & Young, iSec Partners, Aladdin Knowledge Systems
Among the well known universities: United States Military Academy, Naval Postgraduate School, Tel-Aviv University, Dartmouth College
Among government/research: Oak Ridge National Laboratory, U. S. Department of Commerce
Overall it looks like a very threat-oriented conference in the Blackhat grass roots tradition. I would have welcomed more focus on countermeasures and software security thought (the Developer section being just one representation). The ones that interest me the most, besides Developer (too bad there is only one talk), are 0 Day Defense, all of Deep Knowledge Day 1, all of Bots and malware, all of OTA, some of AppSec 1.0-2.0/Day 1 and the Turbo Talks.
I think one of the challenges when going to conferences is to choose which presentations to attend.
My criteria are to look at:
1) speakers that I know of (because I met them, worked with them, read about them, etc.)
2) for the speakers that I do not know, the presentation credentials from a company/organization representation perspective, not an individual perspective
3) after selecting by 1 and 2, the topics of my interest
That said, I hope to meet any of my blog readers/people I know of in Las Vegas on August 6 and 7.
Labels:
Threats And Countermeasures
Thursday, May 01, 2008
Success story of the OWASP Day II in Italy
I participated in OWASP Day Italy back in March. OWASP Day Italy was a success story: more than 200 attendees, 9 great speakers, 5 sponsors, 1 round table and an article (in Italian) here:
http://punto-informatico.it/2266944/PI/Commenti/La-Web-Application-Security-parla--anche--italiano/p.aspx
Here is the OWASP page of the event in English with the presentations:
http://www.owasp.org/index.php/Italy_OWASP_Day_2
It was very nice to meet Matteo Meucci, Stefano Di Paola, Giorgio Fedon and Jacob West in Rome. The organization of the conference was fantastic and a good lesson for me. I wish that one day I will be able to organize a similar event with my OWASP chapter here in the USA. My kudos to Matteo: bellissimo lavoro, bravi!! Go OWASP!
Labels:
OWASP,
Presentations And Publications