Tuesday, March 2, 2010

Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution

This idea occurred to me a few weeks back when discussing the potential impact of ClickJacking attacks with Luca. Submitting forms using ClickJacking is hard work and is only successful in very rare scenarios. The Twitter ClickJacking attack was one famous instance where form submission was involved, but it was a form that was submitted with a GET request.

In this post I will discuss a technique that can be used to bypass any CSRF countermeasures and submit POST-based forms with attacker-controlled data using ClickJacking. It works on JSP applications and partially on ASP.NET applications.

Let us take the case of a simple primary Email ID update form. Such forms are common in many web applications. They are simple but extremely important: if an attacker manages to force a victim to update his primary Email ID with the attacker's ID, the attacker can perform a password reset and compromise the victim's account.

A sample Email ID update form is given below; it contains a 'csrf-token' parameter for CSRF protection:

<form method="POST">
<input type="text" name="email" value="">
<input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
</form>

Let's say this form is available at 'www.example.com/updateEmail.jsp'.
Since this form does not have an 'action' attribute, on submission it is sent to the current URL in the address bar, which is 'www.example.com/updateEmail.jsp'.

The source code of 'updateEmail.jsp' would typically look like this:

<%
// request.getParameter() is the servlet API call; the token check is
// application-specific, so isValidCsrfToken() stands for whatever the
// application uses to compare the submitted token with the one in the session.
String email = request.getParameter("email");
String token = request.getParameter("csrf-token");
if ( email != null && isValidCsrfToken(session, token) )
{
    //process the form and update the email ID
}
else
{
    //display an empty form to the user (CSRF token included)
}
%>

The application checks whether the request contains a valid CSRF token; if not, it displays the form to the user.

Now, to submit our sample form using ClickJacking, the attacker can include an iframe like this:
'<iframe src="http://www.example.com/updateEmail.jsp?email=evil@attackermail.com"></iframe>'

When this request reaches the server, the application displays the update form. When the victim submits this form through ClickJacking, the request sent to the server looks like this:

POST /updateEmail.jsp?email=evil@attackermail.com HTTP/1.1
Host: www.example.com

email=&csrf-token=a0a0a0a0a0a

Since the victim did not fill in the form, the email parameter in the POST body is blank. However, since the form has no action attribute, it is submitted to www.example.com/updateEmail.jsp?email=evil@attackermail.com, so the QueryString now carries the attacker-supplied value for the 'email' parameter.

This request therefore contains two values for the 'email' parameter, one in the POST body and one in the QueryString. Enter HTTP Parameter Pollution: when the server-side JSP code calls request.getParameter("email"), the value returned is the one from the QueryString, not the one from the POST body. Since the attacker controls this value, he can trick the victim into updating the account with the attacker's mail ID.

This attack also works when the form is submitted with JavaScript like this:

<form id="emailForm" onsubmit="return process()">
<input type="text" name="email" value="">
<input type="hidden" name="csrf-token" value="a0a0a0a0a0a">
</form>

<script>
function process()
{
    var form = document.getElementById("emailForm");
    //check if email is set
    form.action = document.location; //document.location gives the entire URL, query string included
    form.method = "post";
    form.submit();
    return false; //form.submit() above has already sent the request
}
</script>

Apart from JSP applications, this attack can be extended to ASP.NET applications as well.
However, since ASP.NET joins duplicate parameters with a ',' (comma), it is not as clean; but there are plenty of places where a trailing ',' won't hurt. In ASP.NET applications the form action is always set by the framework because of the 'runat="server"' attribute. The only remaining requirement is that the application makes use of Request.Params. Even if the application does not use Request.Params, forms submitted over 'GET' are still vulnerable. So all ASP.NET applications using Request.Params or submitting forms over 'GET' are vulnerable to this attack!

A similar attack is also possible on ASP applications where the form element is of the form described earlier and is submitted over 'GET'. As with ASP.NET applications, a trailing comma is introduced here as well. A more detailed description of HTTP Parameter Pollution on ASP and ASP.NET applications and the significance of Request.Params is given here. This whitepaper discusses how HPP can be used to bypass WAFs.
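The two defences that close this vector on the server, a response header that stops the page from being framed and a request filter that refuses a POST whose query string repeats a parameter also carried in the body, combined in one servlet filter. This is an added example, not code from the original post or from any framework it mentions; the class name HppGuardFilter and its helper methods are my own, and it assumes a Servlet 3.0 container (for @WebFilter) using the pre-Jakarta javax.servlet API.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (HppGuardFilter is a made-up name, not part of the post).
 * 1. Every response carries X-Frame-Options: DENY, so the browser refuses to
 *    render the page inside the attacker's iframe and no click can be hijacked.
 * 2. Every POST is checked for query-string/body parameter pollution: the
 *    container merges both sources in getParameterValues(), so a name with more
 *    merged values than raw query-string occurrences was also in the body, and
 *    the request is rejected instead of letting getParameter() pick a winner.
 */
@WebFilter("/*")
public class HppGuardFilter implements Filter {

    /** Counts how often each parameter name occurs in the raw query string. */
    static Map<String, Integer> queryNameCounts(String rawQuery) {
        Map<String, Integer> counts = new HashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return counts;
        }
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq >= 0 ? pair.substring(0, eq) : pair;
            try {
                name = URLDecoder.decode(name, "UTF-8");
            } catch (UnsupportedEncodingException | IllegalArgumentException e) {
                // Undecodable name: count it under its raw spelling.
            }
            counts.merge(name, 1, Integer::sum);
        }
        return counts;
    }

    /** True when a query-string parameter of a POST also appears in the body. */
    static boolean isPolluted(HttpServletRequest req) {
        if (!"POST".equalsIgnoreCase(req.getMethod())) {
            return false;
        }
        for (Map.Entry<String, Integer> e : queryNameCounts(req.getQueryString()).entrySet()) {
            String[] merged = req.getParameterValues(e.getKey());
            // For the request in the post, email=evil@... in the URL plus email=
            // in the body gives two merged values against one query occurrence.
            if (merged != null && merged.length > e.getValue()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse res = (HttpServletResponse) response;

        // Anti-ClickJacking header, set before the application writes anything.
        res.setHeader("X-Frame-Options", "DENY");

        if (isPolluted(req)) {
            // Refuse rather than guess which of the duplicate values the user meant.
            res.sendError(HttpServletResponse.SC_BAD_REQUEST,
                    "Parameter supplied in both query string and request body");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig filterConfig) { }
    @Override public void destroy() { }
}
```

Forms that legitimately send the same name in both the URL and the body are rejected too, so scope the filter to the state-changing paths if such forms exist.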

73 comments:

  1. Nice. Just one remark. The IFRAME inclusion is a standard technique for this kind of web attack. Clickjacking is something different, in which the IFRAME is (usually, and in simpler attacks) CSS-rendered transparently and overlaid on the web page in order to trick the user into clicking on elements controlled by the attacker. Maybe you would be interested in a work we recently conducted on Clickjacking: "A Solution for the Automated Detection of Clickjacking Attacks". Have a nice day, embyte

  2. Thanks Marco. I do realise that ClickJacking relies on careful CSS rendering. Since I wanted to emphasize the 'anti-CSRF' technique here, I left out the CSS part in the example's IFRAME for simplicity. I read through your whitepaper; it is a very impressive piece of work and a novel approach. I have some observations. Your 'testing unit' scans through the page for clickable elements and clicks on them. The ClickIDS scans for other clickable elements in the same region and then triggers an alert. Instead, can't you simply scan for all clickable elements, look for overlapping units and trigger the alert? That might be much faster and more efficient. For the rare cases where sections of the page change based on mouse movements, you can rescan the page. Moreover, since FF is used for the testing, there is a possibility that some attacks were missed, because in my limited experience with CSS I have seen differences in how IE and FF align elements, and IE being more popular, more attacks would target its users. These could have possibly gone undetected in your assessment. Would like to hear your views on this. It's an excellent academic effort, congrats!

  3. Hi there, I reached your answer by "chance" since Blogger did not inform me :) I see the point; actually we could have run the experiments in simulation by detecting overlaps only by looking at the elements' coordinates. Btw, we decided to go for the "real clicks" scenario since many applications are pretty complex to analyze for their dynamic behavior (see JavaScript/CSS events, as you are saying). Moreover, our primary goal was to conduct a study of the prevalence of clickjacking attacks on the web, and that's why we employed NoScript in its modified version (and to make NoScript run we need to physically interact with the page by clicking on the elements).
    Regarding the fact that we used FX to conduct the research, you are right. It would be nice to deploy the same system on Explorer, e.g. by running Explorer in Linux with "wine" (the emulator) and porting ClickIDS to Explorer as a BHO.
    I am pretty sure that many CSS attacks are tailored for Microsoft and Explorer.
    Note that our findings have been manually tested on Explorer too.
    Great that you like the work.
    Next April there will be a talk at BH Europe on clickjacking; I don't know Paul but hopefully it will be interesting.
    Have a nice day.

  4. Hi Marco, I can see that your approach is justified based on what you were trying to achieve. Good luck for your own presentation @ asiaccs2010. Am looking forward to Paul's talk too, should be interesting. Take care.

  5. A temporary fix that could work could be a simple javascript script like this http://www.cryer.co.uk/resources/javascript/script1.htm . Very interesting article. Thank you.

  6. @cedric: right, this is another frame-busting code. Twitter and other sites now already implement that code. In our work, we had run an experiment to assess the prevalence of such sites: ~3.8% = 352 sites. See section 4.3 for more details :)
    embyte

  7. @cedric
    Thanks :) Any defense that prevents ClickJacking will automatically prevent this attack as well.

    @Marcos
    Interesting stats! Session IDs in the URL or a CSRF token in the URL can also thwart a ClickJacking attack because the URL for the iframe cannot be guessed by the attacker. I don't see anyone talking about it, or maybe it's lost in the noise about the framebusting-based approach.
    Views?

  8. Warning, PHP-centric comment ahead:

    This kind of thing is why we ended up changing the Zend HTTP Request Object (well, extending and using, not changing) away from its hard preference of GET over POST for getParam(), and molded it into one that reads out the request_order/variables_order INI settings and behaves accordingly.

    In nine out of ten cases, I'm a fan of aggregating request parameters in some way, since it helps defeat an unfortunately still wide-spread belief that making something POST means it can't be hacked 'anywhere near as easily', and forcing people to deal with all incoming methods hones their security sense a bit more - but prefer-GET-over-POST is definitely broken in so many ways. *always changes this*

    It's especially evil in Zend, actually, since by default if you manage to get someone to pollute their GET-parameter space on one page, Zend's url() Action Helper will drag that along to other pages - i.e. it wouldn't help if you had a <form action="<?php $this->url('controller' => 'your-controller', 'action' => 'your-action'); ?>"> in that script.

    (We changed that with our own version, too.)

    *shudders* Nightmare.

  9. ...ohduh. Sorry. url() View Helper. Been working with Action Helpers too often lately.

  10. @pinkgothic
    Thanks for the info. I have never used Zend so I don't know how it works there. AFAIK in PHP POST data takes precedence over GET, which is the exact opposite of JSP. So I don't think this attack can work against it. However, I have never used Zend; are you saying this attack works on Zend? That would be interesting.

  11. I found this post a bit late, but interesting reading nonetheless.

    Maybe a viable counter-measure to this kind of attack is to implement a request filter that checks:

    1. Presence of the CSRF token
    2. If token present, check if form was submitted via POST
    3. Check for the presence of query parameters on the request URL

    If any of those checks fail, the requested action would be denied.

  12. @anon
    Thanks.
    What you have suggested would actually work, but it may not be necessary. If you implement strong Clickjacking protections in your application then this vector is automatically taken care of.
    If you block this vector without Clickjacking protection then CSRF can still happen using the HTML5 Drag-n-Drop API; it's a little bit more tedious to pull off when compared to this, though.

  13. On each and every POST of the form the CSRF token should be checked; it helps us in protecting against the evil form submission.

  16. Hello there...

    I'm a beginner...
    For this, will I have to create a website
    and then upload these scripts?
