クロスサイトリクエストフォージェリ(CSRF)とその対策手法 (OSC2015Hokkaido版)

1. (CSRF) JPCERT/CC( C (yozo.toda@jpcert.or.jp) OSC2015Hokkaido

5. Copyright©2015JPCERT/CC(All(rights(reserved. OSC ( ) 5 •OSC2014@Fukuoka •Lessons((to(be)(Learned(from(Handling(OpenSSL Vulnerabilities •OSC2013@Kyoto • g a Java C •OSC2012@Fukuoka •Android C eAndroid g rg •OSC2011@Nagoya • C (JAVA ) •OSC2010@Hokkaido •He g C C C •OSC2009@Fukuoka • C •OSC2008@Tokyo/Spring • C •OSC2007@Fukuoka • C •OSC2007@Niigata • P c •OSC2007@Kansai • gR o cR w •OSC2005@Tokyo/Fall • g p

10. Copyright©2015JPCERT/CC(All(rights(reserved.10 CERT-Oracle-Java- OSC2011@Nagoya( ao http://www.ospn.jp/osc2011cnagoya/pdf/ osc2011nagoyacJPCERT_CC.pdf JPCERT/CC( !! https://www.jpcert.or.jp/javacrules/

25. Copyright©2015JPCERT/CC(All(rights(reserved. CSRF 2001 w2014 g CVEg (Description) FCSRF sg@ h1039 • CVE h a g h T a e r@dg T CSRF P T a h we • CVEg g ce foo.phpuBarServlete d T @PHPuJava T a c sH JVNg C wh39 " PHP:(13 @Perl:(2 @Ruby:(1 ed

26. Copyright©2015JPCERT/CC(All(rights(reserved. CSRF (JVN- ) JVN CVE JVN#32631078 g ASUS( LAN( C C g CVEc2014c7270 JVN#94409737 WordPress( MailPoetNewsletters( C g CVEc2014c3907 JVN#42511610 acmailer C g CVEc2014c3896 JVN#36259412 Web C g CVEc2014c3881 JVN#05329568 WordPress( Login(rebuilder( C g CVEc2014c3882 JVN#13313061( ecStudio( C C g CVEc2014c1990 JVN#50943964 phpMyFAQ C g CVEc2014c0813 JVN#11221613 ECcCUBE( C g CVEc2013c5993 JVN#48108258 HP(ProCurve 1700( C g C g CVEc2012c5216 JVN#06251813 g C g CVEc2013c2305 JVN#59503133 g NEC( C C g CVEc2013c0717 JVN#53269985 Welcart C g CVEc2012c5178 JVN#44913777 SNS( C g CVEc2012c1237 JVN#83459967( Janetter C g CVEc2012c1236

31. Copyright©2015JPCERT/CC(All(rights(reserved. nonce- CSRF C Hw r (nonce) r hnonceg c Rc @ g :(IPAF @Web C 4 Web C C C g PhCSRF a —“Most frameworks have builtcin CSRF support such as Joomla, Spring, Struts, Ruby on Rails, .NET and others.” —IPAF h RubyconcRails g (2007 g d) https://www.owasp.org/index.php/CSRF

34. Copyright©2015JPCERT/CC(All(rights(reserved. CSRF Java,(PHP,(Python CSRF g . Java Apache(Tomcat CSRF(Prevention(Filter Apache(Tomcatg C Filter gjc Java OWASP(CSRFGuard C Web C p Java Spring(Security Spring(Framework ServletFilter Java csrfcfilter C Web C p PHP OWASP(CSRFProtector PHPg @Apacheg C c as T PHP csrfcmagic PHP p e Python CSRF(Protection(middleware PythongWeb C C DjangogCSRF Java,(PHP,(Pythonh@TIOBE v a@Web C T g h a http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html (2015 2 g hC,(Java,(C++,(ObjectivecC,(C#,(JavaScript,(PHP,(Pythonc P)

38. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRFGuard OWASP(CSRFGuard — URL https://www.owasp.org/index.php/CSRFGuard — URL https://www.owasp.org/index.php/CSRFGuard_3_User_Manual " OWASP C gCSRF " CSRF c anonce J " C gnonceg r p JavaScript a r@JavaScript e h e " jar c a T a r@ C g e — Java C gFilter a c C g p@ gnonce @ gnonce J 1. C g classpath g jar( 2. Web C g web.xml 3. Owasp.CsrfGuard.properties 4. Web C JSP(

40. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRFGuard (2) 2. Web C g web.xml <!– OWASP CSRFGuard Listener --> <listener><listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class></listener> <listener><listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class></listener> <!– --> <context-param> <param-name>Owasp.CsrfGuard.Config</param-name> <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value> </context-param> <!– OWASP CSRFGuard Filter --> <filter> <filter-name>CSRFGuard</filter-name> <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class> </filter> <!–- CSRF Prevention Filter --> <filter-mapping> <filter-name>CSRFGuard</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <!–- JavaScript Servlet --> <servlet> <servlet-name>JavaScriptServlet</servlet-name> <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class> </servlet> <!–- JavaScript Servlet --> <servlet-mapping> <servlet-name>JavaScriptServlet</servlet-name> <url-pattern>/JavaScriptServlet</url-pattern> </servlet-mapping>

41. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRFGuard (3) 3. WEBcINF/Owasp.CsrfGuard.properties org.owasp.csrfguard.NewTokenLandingPage C C org.owasp.csrfguard.TokenPerPage C Sc C org.owasp.csrfguard.ProtectedMethods CSRF w HTTP org.owasp.csrfguard.UnprotectedMethods CSRF w e HTTP org.owasp.csrfguard.unprotected.* CSRF w e org.owasp.csrfguard.protected.* CSRF w org.owasp.csrfguard.action.* g org.owasp.csrfguard.TokenName C org.owasp.csrfguard.SessionKey C org.owasp.csrfguard.TokenLength C g T org.owasp.csrfguard.PRNG g (SHA1PRNG )(

42. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRFGuard (4) 4. JSP ghead o hbody g nonce rgJavaScript(OWASP( CSRFGuardgServlet) script <script src="/path/to/webapp/JavaScriptServlet"></script>

44. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRFProtector OWASP(CSRFProtector — https://www.owasp.org/index.php/CSRFProtector_Project — https://github.com/mebjas/CSRFcProtectorcPHP " PHP cApacheg C " CSRF c anonce a " PHPg ob_start aWeb C wg @ nonce( " C g JPHP g CSRFProtector C Rc @ o nonce # :(http://php.net/manual/ja/function.obcstart.php 1. form gH PHP g p p 2. /libs/config.php a

46. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRFProtector (2) CSRFP_TOKEN Cookieu C C g C ""(( h"csrfp_token"c T ) noJs JavaScriptg false((nocjs g ) logDirectory "../log“((Rg p a P) failedAuthAction C c C • 0:(HTTP(403(Forbidden) • 1:(GET/POST a ($_POST ) • 2:( C C (errorRedirectionPage) • 3:( C C (customErrorMessage ) • 4: HTTP(500(Internal(Server(Error() • GET: 0(HTTP(403) • POST: 0(HTTP(403) errorRedirectionPage C C g URL ""(( ) customErrorMessage C C ""(( ) jsPath JavaScript gconfig.php wg "../js/csrfprotector.js" jsUrl JavaScript g URL "http://localhost/test/csrf/js/csrfprotector.js" tokenLength C g T 10 ( ) disabledJavascriptMessage JavaScript g C ( :RgWeb hCSRF a JavaScript aP T c J g ) verifyGetFor GET g JURL Farray() ( g )

49. Copyright©2015JPCERT/CC(All(rights(reserved. Spacewalk Spacewalk Red(Hat( Linux g C H Red(Hat( Network(SatellitegOSS URL http://spacewalk.redhat.com/ CVE CVEc2009c4139 URL " http://www.redhat.com/support/errata/RHSAc2011c0879.html " http://securitytracker.com/id?1025674 " https://bugzilla.redhat.com/show_bug.cgi?id=529483 " http://xforce.iss.net/xforce/xfdb/68074 C 1.2.39 C 1.2.39c85 Spacewalkh@ CVEg 1.5 " C 1.5.46c1 " C 1.5.47c1

50. Copyright©2015JPCERT/CC(All(rights(reserved. g h@ C Ctestuser C T a <form method="POST" action="/rhn/users/DeleteUserSubmit.do?uid=2"> <div align="right"> <hr /> <input type="submit" value=" " /> </div> </form>

51. Copyright©2015JPCERT/CC(All(rights(reserved. Spacewalk CSRF C 1.5.47c1 h@ @ g C a " C JSP (348 ) <form method="POST“ action="/rhn/users/DeleteUserSubmit.do?uid=${param.uid}"> <rhn:csrf /> <html:submit styleClass="btn btn-danger"> <bean:message key="deleteuser.jsp.delete"/> </html:submit> </form>

52. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRFGuard 1. Spacewalkg C C 1. web.xml( 2. jsp javascript g 2. C C Spacewalk C 3. C C Spacewalk(h Java( Pw a r@RR h Java( g CSRF H OWASP( CSRFGuard g p

53. Copyright©2015JPCERT/CC(All(rights(reserved. JSP JavaScript code/webapp/WEBcINF/decorators/layout_c.jsp g OWASP(CSRFGuardgJavaScriptServletg layout_c.jsp h C g C ce a @1 g nag C </div> </div> <script src="/rhn/JavaScriptServlet"></script> </body> </html:html>

54. Copyright©2015JPCERT/CC(All(rights(reserved. C C C gform gaction c@ OWASP_CSRFTOKENc J input T <form method="POST" action="/rhn/users/DeleteUserSubmit.do?uid=3&OWASP_CSRFTOKEN=FW J8-NCD0-0KUN-3BIV-DGLI-U6UU-1XNT-9K4N"> <div align="right"> <hr><input value=" " type="submit"> </div> <input value="FWJ8-NCD0-0KUN-3BIV-DGLI-U6UU-1XNT-9K4N" name="OWASP_CSRFTOKEN" type="hidden"></form>

55. Copyright©2015JPCERT/CC(All(rights(reserved. Spacewalk g C w c@ H Spacewalkg403 C (http://website/errors/403.html) T ※ Tomcatg catalina.out hCSRF T : CsrfGuard analyzing request /rhn/users/DeleteUserSubmit.do 2015/02/20 12:53:32 org.owasp.csrfguard.log.JavaLogger log : potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.80.1, method:POST, uri:/rhn/users/DeleteUserSubmit.do, error:required token is missing from the request)

56. Copyright©2015JPCERT/CC(All(rights(reserved. Spacewalk OWASP CSRFGuard (1) " Spacewalk CSRF h@nonce g c C JSP g (JSP 348 g a ) " OWASP CSRFGuard CSRF h@nonceg JavaScript J r@ C JSP 1 gp Rc # @OWASP CSRFGuardg hJavaScript e h T r@ g " Spacewalk h g403 C H r@OWASP CSRFGuardg a h403 C vJ @Spacewalk JvJ

57. Copyright©2015JPCERT/CC(All(rights(reserved. Spacewalk OWASP CSRFGuard (2) " Spacewalk Struts a sH @OWASP CSRFGuardg g h e # StrutshAction JSPg H @JSP URL o e r@ gJSP H # Tomcatg T JSP as@ T gh T JSP g r@ h T e # g r@ C C Spacewalkg C g @ C aTomcat H " w@ Spacewalk gOWASP CSRFGuardg h@Strutsg a @Spacewalk CSRF c o h g CSRF Rc

59. Copyright©2015JPCERT/CC(All(rights(reserved. PHP CSRF Login(Rebuilder C gwpclogin.php w WordPress URL " https://wordpress.org/plugins/logincrebuilder/ " http://plugins.svn.wordpress.org/logincrebuilder CVE CVEc2014c3882 URL " http://wordpress.org/plugins/logincrebuilder/changelog/ " http://12net.jp/news/n20140623_01.html " http://jvndb.jvn.jp/jvndb/JVNDBc2014c000062 " http://jvn.jp/en/jp/JVN05329568/index.html C 1.1.3( 868421) C 1.2.0( 914619)

61. Copyright©2015JPCERT/CC(All(rights(reserved. form <form method="post" action="/wordpress/wp-admin/options-general.php?page=login-rebuilder- properties"> ( ) <input type="radio" name="properties[response]" id="properties_response_1" value="1“ checked='checked' /> <input type="radio" name="properties[response]" id="properties_response_2" value="2“ /> <input type="radio" name="properties[response]" id="properties_response_3" value="3“ /> ( ) <input type="text" name="properties[keyword]" id="properties_keyword" value="login-keyword" class="regular-text code" /> ( ) <input type="text" name="properties[page]" id="properties_page" value="wprdpress-login.php" class="regular-text code" /> ( ) <textarea name="properties[content]" id="login_page_content" rows="4" cols="60" style="font- family:monospace;" readonly="readonly"></textarea> ( ) <input type="text" name="properties[page_subscriber]" id="properties_page_subscriber" value="wprdpress-login-r.php" class="regular-text code" /> ( ) <input type="radio" name="properties[status]" id="properties_status_0" value="0" checked='checked' /> <input type="radio" name="properties[status]" id="properties_status_1" value="1" /> ( ) <input type="submit" name="submit" value=" " class="button-primary" /> </form>

62. Copyright©2015JPCERT/CC(All(rights(reserved. Login-Rebuilder CSRF WordPressgwp_create_nonce() a e $nonce( @ C g g C(properties[response]) nonce input gname g g (properties[page]g @ s ) nonceg (POST g C g ) $nonce = wp_create_nonce( self::LOGIN_REBUILDER_PROPERTIES_NAME.'@'.$wp_version.'@'.LOGIN_REBUILDER_DB_VERSION); <input type="text" name="properties_<?php echo $nonce; ?>[page]" id="properties_page" value="<?php _e( $this->properties['page'] ); ?>" class="regular-text code" /> if ( isset( $_POST['properties_'.$nonce] ) ) {

63. Copyright©2015JPCERT/CC(All(rights(reserved. Login-Rebuilder CSRF gHTMLginput (properties[page]g ) <input type="text" name="properties_c6808428a6[page]" id="properties_page" value="wprdpress-login.php" class="regular-text code" /> Login(Rebuildergnonce CSRF g h@ input heP ginput gname g c J H " inputgname Fproperties[response] w Fproperties_c6808428a6[response] c esg vJ T " C wPOSTT g C properties_c6808428a6 he h e

64. Copyright©2015JPCERT/CC(All(rights(reserved. :-WordPress nonce WordPresshnonce J T a @ u C " WordPressgnonce C http://codex.wordpress.org/WordPress_Nonces " http://wpdocs.sourceforge.jp/ # nonce( J h nonce(c J o

65. Copyright©2015JPCERT/CC(All(rights(reserved. :-WordPress nonce ( v ) " nonceg (wp_create_nonce ) URL nonce a " nonceg (wp_verify_nonce ) w (die) <?php $nonce= wp_create_nonce ('my-nonce'); > <a href='myplugin.php?_wpnonce=<?php echo $nonce ?>'> <?php $nonce=$_REQUEST['_wpnonce']; if (! wp_verify_nonce($nonce, 'my-nonce') ) die('Security check'); ?>

66. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRF-Protector- 1. OWASP(CSRF(Protector(g C C Login( Rebuilder( w P 2. Login(Rebuilder(g C C @CSRF( Protector( p vJ Login(Rebuilder(h PHP( Pw a r@RR h PHP( g CSRF H OWASP(CSRF(Protector(g p

67. Copyright©2015JPCERT/CC(All(rights(reserved. OWASP-CSRF-Protector wordpress/ ←WordPress + wp-content/plugins/ ←WordPress + login-rebuilder/ ←Login Rebuilder + languages/ ← ( ) + csrfp/ ←OWASP CSRF Protector + js/ + csrfprotector.js ← JavaScript + index.php + libs/ + csrf/ ←OWASP CSRF Protector + csrfpJsFileBase.php + csrfprotector.php + index.php + config.sample.php ← + index.php + log/ ← + .htaccess + login-rebuilder.php ←Login Rebuilder + uninstall.php WordPress g Login(Rebuilder( C OWASP(CSRF(Protector(

68. Copyright©2015JPCERT/CC(All(rights(reserved. Login-Rebuilder " Login(Rebuilder(g logincrebuilder.php @ OWASP(CSRF(Protector g csrfprotector.php p " gdefine g ( ) define( 'LOGIN_REBUILDER_DOMAIN', 'login-rebuilder' ); define( 'LOGIN_REBUILDER_DB_VERSION_NAME', 'login-rebuilder-db-version' ); define( 'LOGIN_REBUILDER_DB_VERSION', '1.1.3' ); define( 'LOGIN_REBUILDER_PROPERTIES', 'login-rebuilder' ); // :Login Rebuilder define( 'LOGIN_REBUILDER_PLUGIN_DIR', plugin_dir_path( __FILE__ ) ); // :OWASP CSRF Protector require_once( LOGIN_REBUILDER_PLUGIN_DIR . 'csrfp/libs/csrf/csrfprotector.php' ); csrfProtector::init(); $plugin_login_rebuilder = new login_rebuilder(); ( )

69. Copyright©2015JPCERT/CC(All(rights(reserved. CSRF Protector- T HTML h@form nonce T csrfp_tokenc J ginput T <form method="post" action="/wordpress/wp-admin/options- general.php?page=login-rebuilder-properties"> ( ) <input type='hidden' name='csrfp_token' value='559e21982a' /> {"timestamp":1423729288,"HOST":"192.168.80.129","REQUEST_URI":"/wordpre ss/wp-admin/options-general.php?page=login-rebuilder- properties","requestType":"POST", "query":{"properties":{"response":"3","keyword":"CSRF","page":"csrf.php" ,"content":"","page_subscriber":"csrf2.php","status":"1"}, "submit":"u5909u66f4u3092u4fddu5b58"},"cookie":[]} c@ C C J g @WordPress g C (http://website/wordpress/) T T hCSRF g g T

70. Copyright©2015JPCERT/CC(All(rights(reserved. Login-Rebuilder OWASP- CSRF-Protector (1) " Login(Rebuilder CSRF h@nonce g C g Cg c a c Jsg " WordPress hCSRF nonce J a @ Login(Rebuilderhnonce gp a @ h g a " OWASP(CSRF(Protector CSRF h@ C PHP OWASP( CSRF(Protector p o g v 11 g g gp

71. Copyright©2015JPCERT/CC(All(rights(reserved. Login-Rebuilder OWASP- CSRF-Protector (2) " OWASP(CSRF(Protector(hWordPressg gvJe g s H Rc " OWASP(CSRF(Protectorg J v @ h WordPressg C vJ " g h@ HTTP 403 c aWordPressg he g T " Login(Rebuilderg v g eT w@ nonce JvJ Login( Rebuilder CSRF v s CSRF @c a g he ?

74. Copyright©2015JPCERT/CC(All(rights(reserved. (2) " CSRF a " JavauPHP CSRF g C g " CSRF g # Spacewalk OWASPCSRFGuard # Login Rebuilder OWASP CSRF Protector " CSRF g h o h H (c a g he ?) " :(CSRF g @ @ a h

75. Copyright©2015JPCERT/CC(All(rights(reserved. IPA — e g — @Web C OWASP —CrosscSite(Request(Forgery((CSRF)( —CrosscSite(Request(Forgery((CSRF)(Prevention(Cheat(Sheet Wikipedia —( )(Crosscsite(request(forgery https://en.wikipedia.org/wiki/Crosscsite_request_forgery —( )( C https://ja.wikipedia.org/wiki/ C 75

クロスサイトリクエストフォージェリ(CSRF)とその対策手法 (OSC2015Hokkaido版)

JPCERT Coordination Center

Transcript