XSRF: Cross-Site Request Forgery

Cross-Site Request Forgery is another web-based attack. For a basic understanding, suppose a user's browser is running a script from a good site and also a malicious script from a bad site. This can happen when the user has logged into the good site and kept the session alive: for example, the user has logged into Gmail and has not logged off, and at the same time is browsing other sites, including a bad site that sends a malicious script to the browser. The malicious script can then forge a request to the good site using the user's cookie, and the good site does not know that the request was not sent by the user.

Figure : 1

In the figure above, the user logs in, establishes a session with the good site and keeps the session alive. Meanwhile, the user browses a bad site and runs its malicious script in the browser. The malicious script forges a request to the good site.

Examples of XSRF

A user logs into bank.com and forgets to log off, so the session cookie remains in the browser. If the user is phished into visiting a malicious website, attacker.com, that site sends an HTML page containing a hidden iframe with malicious content: a form whose action is the bill payment form of bank.com, submitted automatically by a script. In this way the malicious script forges the request on behalf of the user without the user knowing. Just for understanding, you can see the script below.

<!-- attacker.com page: a form aimed at the good site, submitted without user action -->
<form name="BillPayForm" action="http://bank.com/BillPay.php">
<input name="recipient" value="badguy">
<!-- … -->
</form>
<script>document.BillPayForm.submit();</script>

The following picture depicts this in more detail.

Figure: 2

Source: GaTech OMSCS – CS 6035: Introduction to Information Security
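To show how the good site can defend itself against the forged form above, here is an added Python example (written for these notes; it is not part of the course material or of the original post) of the synchronizer-token pattern: the server issues a per-session secret token, embeds it in the BillPay form it serves, and refuses any submission that does not carry the matching token. The page built by attacker.com cannot read that token, so the forged request is rejected even though the browser attaches the session cookie. The in-memory stores, the `login`, `render_billpay_form`, `handle_billpay` and `demo` helpers, and the user names are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory stores for the example; a real application keeps
# these in its session backend.
SESSIONS: Dict[str, str] = {}      # session cookie -> logged-in user name
CSRF_TOKENS: Dict[str, str] = {}   # session cookie -> per-session CSRF token


def login(username: str) -> str:
    """Hypothetical login: issue a session cookie and a fresh CSRF token."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = username
    CSRF_TOKENS[cookie] = secrets.token_urlsafe(32)
    return cookie


def render_billpay_form(cookie: str) -> str:
    """The good site embeds the secret token in the form it serves.

    The same-origin policy stops attacker.com from reading this page, so a
    form built by the bad site cannot contain the right token value.
    """
    token = CSRF_TOKENS[cookie]
    return (
        '<form name="BillPayForm" action="/BillPay.php" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="recipient"></form>'
    )


def handle_billpay(cookie: str, form: Dict[str, str]) -> str:
    """Server-side handler for BillPay.php: the cookie alone is not enough."""
    if cookie not in SESSIONS:
        return "401 not logged in"
    expected = CSRF_TOKENS[cookie]
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(expected, supplied):
        return "403 CSRF check failed"
    return f"200 paid {form.get('recipient')} on behalf of {SESSIONS[cookie]}"


def demo() -> Tuple[str, str]:
    """Replay the scenario from the text: one forged and one legitimate submission."""
    cookie = login("alice")  # the user logged in and kept the session alive
    # Forged request from attacker.com: the browser attaches alice's cookie,
    # but the auto-submitted form carries no token.
    forged = handle_billpay(cookie, {"recipient": "badguy"})
    # Legitimate request: the browser submits the form the good site rendered,
    # token included.
    token = CSRF_TOKENS[cookie]
    legit = handle_billpay(cookie, {"recipient": "utility-co", "csrf_token": token})
    return forged, legit


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The token must be tied to the session and unpredictable; the check is what turns "the browser sent the cookie" into "the user actually submitted our form".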

Security Mindset

At first, my source of writing is from Udacity, Intro to Information Security. For more information, we can view it on the Udacity website.

You need security when you have something of value and there is a risk to it. In today's world we place more and more value on data and information. A threat is a possible danger that exploits a weakness of ours and therefore causes harm.

Cyber Assets at Risk

We need to develop a security mindset:

Threat Source:

    > Cyber criminals

    > Hacktivists

    > Nation States

Vulnerabilities and Attacks:

    > Compromises

    > Security Breach

    > Vulnerabilities are in software, networks, humans

Let's take a real-world example: the Target store breach

     > What is of value – credit card data

     > What is the threat source – criminals

     > What was the vulnerability – phishing was used to obtain credentials for the network

The following figure, showing the relationship of threats, vulnerabilities, attacks and risk, demonstrates this.


Fig: Relationship of Threats, Vulnerabilities, Attacks, and Risk

What should we do in Cyber Security?

Make threats go away – Not really practical

Reduce vulnerabilities – They will never go away entirely

But we can follow the CIA principles.

     > Confidentiality: It is roughly equivalent to privacy: the ability to hide information from people who are not authorized to view it.

    > Integrity: It involves maintaining the consistency, accuracy and trustworthiness of data. The data must not be changed in transit, and measures should be taken to ensure that the data cannot be altered by unauthorized people.

    > Availability: It is important to ensure that the information is accessible to authorized people at all times. We can view a short video about CIA:

https://www.youtube.com/watch?v=SP8cr0fg5Sg

What should the good guys do?

Prevention – Keep the bad guys out. We will never have 100% prevention

Detection – Detect that the bad guys are in the system

Response – Respond to the intrusion

Recovery and remediation – Restore corrupted data and stop similar future attacks

Policy vs Mechanism – What is to be done about attacks vs how they will be handled

How do We Address Cyber Security

To reduce vulnerabilities, follow the basic design principles for securing systems.

Economy of mechanism – Keep systems simple and small.

Fail-safe defaults – The default access decision is denial

Complete mediation – Every access is checked; no one should be able to bypass security

Open Design – Good because security does not count on the secrecy of the design

Least privilege – Only give users the minimum level of access that they need

Psychological acceptability – Don’t expect people to do what is inconvenient.

Security Mechanisms used in handling users

In a web application, the common problem is that all user input is untrusted. The application needs to take security measures to defend itself from attack: handling user access to the application's data and functionality to prevent users from gaining unauthorized access, handling user input so that malformed input cannot cause undesirable behavior, handling attackers by taking suitable defensive measures, and managing the application itself by enabling administrators to monitor activity and configure functionality.

In any application, the central security requirement is controlling users' access to its data and functionality. There are different kinds of users: some are authenticated, some are anonymous, some are administrative. The application should be built so that, for example, users can read their own emails but not those of others. The following security mechanisms can be used to handle users:

> Authentication

> Session management

> Access control

Authentication


The authentication mechanism is the basic way to handle user access. Authentication is the process of verifying that a user is who he or she claims to be. In most applications it is done with a user name and password. In security-critical applications, such as banking, there may be additional credentials or multistage login processes; for higher security requirements, other authentication models may be used, based on client certificates, smart cards or challenge-response tokens. The authentication process should be handled carefully, because any flaw in its design or implementation can be taken advantage of by an attacker to guess user names, bypass the password check and gain unauthorized access to sensitive data and functionality.
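As an added illustration of the point about guessing user names and bypassing the password check (example code written for these notes, not from the course or the original post), here is a small Python credential check that stores only salted PBKDF2 hashes, compares them in constant time, and spends the same amount of work on an unknown user name as on a real one, so that neither the response nor its timing reveals which user names exist. The `USERS` store, the `register`, `authenticate` and `login_response` helpers and the user names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed in-memory user store: user name -> (salt, derived key).
# A real application keeps this in its database.
USERS: Dict[str, Tuple[bytes, bytes]] = {}

# Iteration count kept low so the example runs quickly; production
# deployments use a much higher count or a memory-hard KDF.
PBKDF2_ITERATIONS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


# Dummy record used when the user name is unknown, so that verification
# does the same work and fails the same way as for a wrong password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _derive(os.urandom(16).hex(), _DUMMY_SALT)


def register(username: str, password: str) -> None:
    """Create a user with a fresh random salt (hypothetical helper)."""
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))


def authenticate(username: str, password: str) -> bool:
    """Return True only for a known user supplying the right password.

    Unknown user names go through the dummy record, so there is no early
    return that would make a bad user name cheaper than a bad password.
    """
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    candidate = _derive(password, salt)
    matches = hmac.compare_digest(candidate, stored)
    return matches and username in USERS


def login_response(username: str, password: str) -> str:
    """Single, uniform error message: never say which of the two was wrong."""
    if authenticate(username, password):
        return f"200 welcome {username}"
    return "401 invalid user name or password"


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login_response("alice", "correct horse battery staple"))
    print(login_response("alice", "guess"))
    print(login_response("nobody", "guess"))
```

The two defensive details are the uniform failure message and the unconditional hash computation; a check that returns "unknown user" early hands an attacker a list of valid user names to aim password guesses at.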

Session Management


Another task in handling users is session management. First I want to explain what a session is. After successfully logging into the application, a user accesses different pages and makes a series of HTTP requests from the browser. At the same time, other users, some authenticated and some anonymous, are using the application. To tell the different users apart, the application creates a session for each user and issues the user a token that identifies the session. The session itself is a data structure held on the server that tracks the state of the user's interaction with the application. When the user receives the token, the browser submits it back to the server in subsequent HTTP requests, enabling the application to associate those requests with that user. When the user does not make a request for a certain time, the session expires.

In terms of attack, an attacker who obtains another user's token can use it to authenticate and use the application as that user. Another area of attack is learning how the tokens are generated: if tokens are predictable, an attacker can guess other users' tokens.

Access Control


Access control, also called authorization, is the process of deciding whether access to a particular resource is granted or denied. Authorization and authentication are different things: authentication establishes which user is making the request, and according to the kind of user, resources are granted or denied, which is authorization or access control. Access control is therefore an important part of an application; omitting an access control check allows an attacker to gain unauthorized access to data and functionality.
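To put session management and access control together, here is an added Python example (written for these notes, not from the course or the original post). It keeps session state server-side behind an unguessable token drawn from the operating system's random source, expires idle sessions, and serves the mailbox example from earlier: a request is first resolved to a session and then allowed to read only messages owned by that session's user, with the same answer for "not yours" and "does not exist" so that message ids of other users cannot be probed. The `Session` class, the `SESSIONS` and `MAILBOX` stores, the helpers, and the `now` parameter (passed in explicitly so expiry can be demonstrated without waiting) are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 15 * 60  # idle timeout after which a session expires


@dataclass
class Session:
    """Server-side session state; the client only ever holds the token."""
    username: str
    last_seen: float


# Constructed stores: token -> session, and message id -> (owner, body).
SESSIONS: Dict[str, Session] = {}
MAILBOX: Dict[str, Tuple[str, str]] = {
    "m1": ("alice", "lunch tomorrow?"),
    "m2": ("bob", "quarterly numbers attached"),
}


def create_session(username: str, now: float) -> str:
    """Issue a session token after a successful login.

    secrets.token_urlsafe(32) gives 256 random bits, so tokens cannot be
    guessed; a counter or a timestamp here is what lets attackers predict
    other users' tokens.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = Session(username=username, last_seen=now)
    return token


def lookup_session(token: str, now: float) -> Optional[Session]:
    """Resolve the token from a request, dropping sessions idle past the TTL."""
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if now - sess.last_seen > SESSION_TTL_SECONDS:
        del SESSIONS[token]  # expired: the token is no longer usable
        return None
    sess.last_seen = now  # activity keeps the session alive
    return sess


def logout(token: str) -> None:
    """Invalidate the session server-side; the cookie alone is then worthless."""
    SESSIONS.pop(token, None)


def read_mail(token: str, message_id: str, now: float) -> str:
    """Authenticate via the session, then authorize by ownership."""
    sess = lookup_session(token, now)
    if sess is None:
        return "401 no valid session"
    entry = MAILBOX.get(message_id)
    if entry is None or entry[0] != sess.username:
        # Identical response whether the message is missing or belongs to
        # someone else, so the check does not reveal other users' message ids.
        return "404 not found"
    return entry[1]


if __name__ == "__main__":
    t = create_session("alice", now=1000.0)
    print(read_mail(t, "m1", now=1001.0))            # alice's own message
    print(read_mail(t, "m2", now=1002.0))            # bob's message: denied
    print(read_mail("guessed-token", "m1", now=1003.0))
    print(read_mail(t, "m1", now=1002.0 + 16 * 60))  # idle too long: expired
```

The access decision is made on every request from server-held state, never from anything the client asserts about itself; that is the complete-mediation principle from the design list above applied to one endpoint.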