クロスサイトリクエストフォージェリ(csrf)とその対策手法 (osc2015hokkaido版)

.K31);I.+3;@,�2*I(CSRF)��YxVb

JPCERT/CC( C([email protected])

OSC2015Hokkaido

Copyright©2015JPCERT/CC(All(rights(reserved.

��

http://www.tomo.gr.jp/root/e9706.html

JPCERT/CCC C

C,( C……

rao

2


. ��

. : / :

MN��"�w4-FI9(Yx�h�sP�j!|%��"|§

3


. ��

4


�¢�OSC�u¿³ (4D=�$R��)

5

•OSC2014@Fukuoka

•Lessons((to(be)(Learned(from(Handling(OpenSSL Vulnerabilities

•OSC2013@Kyoto• g a Java C

•OSC2012@Fukuoka•Android C eAndroid g rg

•OSC2011@Nagoya• C (JAVA )

•OSC2010@Hokkaido•He g C C C

•OSC2009@Fukuoka• C

•OSC2008@Tokyo/Spring• C

•OSC2007@Fukuoka• C

•OSC2007@Niigata• P c

•OSC2007@Kansai• gR o cR w

•OSC2005@Tokyo/Fall• g p


JPCERT/CC-4-F'0�:(L/�0L9L8

6

www.jpcert.or.jp/securecoding/


slideshare ��¸e��4D=0L9L8��

7

www.slideshare.net/jpcert_securecoding/presentations


4-F'0�:(L/35L6�<

8

CMU/SEI(g the(CERT(Secure(Coding Initiative

v C C Chttps://www.securecoding.cert.org/

, 5 Ta o .

Copyright©2015JPCERT/CC(All(rights(reserved.9

CERT-C-0�:(L/35L6�<

CERT(C( C Chttps://www.jpcert.or.jp/research/materials.html#secure

JPCERT/CC( !!

https://www.jpcert.or.jp/sccrules/


CERT-Oracle-Java-0�:(L/35L6�<

OSC2011@Nagoya( aohttp://www.ospn.jp/osc2011cnagoya/pdf/osc2011nagoyacJPCERT_CC.pdf

JPCERT/CC( !!https://www.jpcert.or.jp/javacrules/


0�:(L/35L6�<(C++,-Perl,-Android)

“under(development”( )


0�:(L/35L6�<�y_T¹�O!C C

g aP ra o—Java, Android,(C,(C++,(……

— g g @— g @—Tw s…

12

gH @S P T !


NM�tv

! -‐‑‒ ( C ch! -‐‑‒ (! -‐‑‒ (! -‐‑‒ ( apvJ

! / / T g! ) T g

!ocr! ed

13


1.CSRF(.K31);I.+3;@,�2*I)��


CSRFÂ·m�] ">F�3�S

15


CSRFÂ·m�] ">F�3�S


CSRF(Cross@Site@Request@Forgery)��

IPAF Web C @ 4c1

wg a@ gH dJ p e h@

gH a oJ H o RgvJe h@ gH v @

e T w a oJ H oIPAF e g 1.6(CSRF(v


`��X_@,�E��f(1)

18

GET(form.html

<form>……..

p

C w w aC


`��X_@,�E��f(2)

19

PUT(……..

<html>……..

C a

p

e o…

e o…


CSRFª¤(1)

20

GET(xxxx.html

<form>……..C w w aC

e


CSRFª¤(2)

21

PUT(……..

<html>……..

e

!!


CSRFÂ·m�¡g�#�WU�I3.a e T w

• Web a v @ h e• i@ H @ va e T w s

• H @ v a eT w s

22

��T

�µ�´��^{�dR

°R}�!!xxxxxxxx

l¦��i��dR

CSRF


Â·mS�$º (1)

23

https://cve.mitre.org/cve/cve.html https://nvd.nist.gov/https://web.nvd.nist.gov/view/vuln/search


Â·mS�$º (2)

24

https://jvn.jp/http://www.osvdb.org/


CSRFÂ·mS�2001 w2014 g CVEg (Description)

FCSRF sg@ h1039• CVE h a g h

T a e r@dg TCSRF P T a h we

• CVEg g ce foo.phpuBarServleted T @PHPuJava T a csH

JVNg C wh39" PHP:(13 @Perl:(2 @Ruby:(1 ed


CSRFÂ·mS� (JVN-µ¶�� ¨À)JVN�® 5);J CVE�®

JVN#32631078 gASUS( LAN( C C g CVEc2014c7270

JVN#94409737 WordPress( MailPoetNewsletters( C g CVEc2014c3907

JVN#42511610 acmailer C g CVEc2014c3896

JVN#36259412 Web C g CVEc2014c3881

JVN#05329568 WordPress( Login(rebuilder( C g CVEc2014c3882

JVN#13313061( ecStudio( C C g CVEc2014c1990

JVN#50943964 phpMyFAQ C g CVEc2014c0813

JVN#11221613 ECcCUBE( C g CVEc2013c5993

JVN#48108258 HP(ProCurve 1700( C g C g CVEc2012c5216

JVN#06251813 g C g CVEc2013c2305

JVN#59503133 gNEC( C C g CVEc2013c0717

JVN#53269985 Welcart C g CVEc2012c5178

JVN#44913777 SNS( C g CVEc2012c1237

JVN#83459967( Janetter C g CVEc2012c1236


2. CSRF(.K31);I.+3;@,�2*I)Yx


`��#

28

GET(

form.html

<form>……..

p

C w w aC

PUT(……..

<html>……..

C a

p

eo…

e o

…


CSRFª¤$q"WU

29

GET(xxxx.html

<form>……..C w w a C

e

PUT(……..

<html>……..

e

!!

CSRFh@P

sg.


CSRFYx�'):('

30

CSRF h@P sg.

g c Ti@ C

!

C ge@ ea iv !!


nonce-$��CSRFYxC Hw r²r(nonce) r

hnonceg¥�cQ±Rc @ g

:(IPAF @Web C 4

Web C C C g PhCSRFa

—“Most frameworks have builtcin CSRF support such as

Joomla, Spring, Struts, Ruby on Rails, .NET and others.”

—IPAF h RubyconcRailsg (2007 g d)

https://www.owasp.org/index.php/CSRF


3. CSRF(.K31);I.+3;@,�2*I)YxH)AHI


CSRFYxH)AHI��

C gnonce r p@ C gnonce edCSRF g rg

• OWASP(CSRFGuarded J Jsgw• dJ J peg?• Web C C C T a

sgc Jg?• sgew H

te ?


CSRFYxH)AHI��Java,(PHP,(Python CSRF g .

z� ~½ ¾k

JavaApache(Tomcat

CSRF(Prevention(FilterApache(Tomcatg C Filter gjc

Java OWASP(CSRFGuard C Web C pJava Spring(Security Spring(Framework ServletFilter

Java csrfcfilter C Web C pPHP OWASP(CSRFProtector PHPg @Apacheg C c as TPHP csrfcmagic PHP p ePython CSRF(Protection(middleware PythongWeb C C DjangogCSRF

Java,(PHP,(Pythonh@TIOBE v a@WebC T g h a

http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html

(2015 2 g hC,(Java,(C++,(ObjectivecC,(C#,(JavaScript,(PHP,(Pythonc P)


CSRFYxH)AHI�d¯'BK�7Java(g— C C (tomcat)g c a—Web C C g web g

PHPg—PHPgob_start() a c a

35


�YxH)AHI�¾k��Z

36

Apache(Tomcat(CSRF(Prevention(Filter

OWASP(CSRFGuard

Spring(Security

csrfcfilter

OWASP(CSRFProtector

csrfcmagic

Django CSRF(Protection(middleware



37


OWASP(CSRFGuard

Spring(Security

csrfcfilter

OWASP(CSRFProtector

csrfcmagic



OWASP-CSRFGuard¾kOWASP(CSRFGuard

— URL https://www.owasp.org/index.php/CSRFGuard

— URL https://www.owasp.org/index.php/CSRFGuard_3_User_Manual

" OWASP C gCSRF" CSRF c anonce J" C gnonceg r p JavaScript a r@JavaScript e

h e" jar c a T a r@ C g e

— Java C gFilter a c C g p@gnonce @ gnonce J

1. C g classpath g jar(

2. Web C g web.xml

3. Owasp.CsrfGuard.properties

4. Web C JSP(


OWASP-CSRFGuard«gZb(1)

1. C g classpath Owasp.CsrfGuard.jar(

# iWeb C g /WEBcINF/lib(



2. Web C g web.xml

<!– OWASP CSRFGuard�Listener�2A --><listener><listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class></listener><listener><listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class></listener><!– B1�� 41 :�!��D6 --><context-param>

<param-name>Owasp.CsrfGuard.Config</param-name><param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>

</context-param><!– OWASP CSRFGuard�Filter�2A --><filter>

<filter-name>CSRFGuard</filter-name><filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>

</filter><!–- 2A��CSRF Prevention Filter�J;>-�B1 --><filter-mapping>

<filter-name>CSRFGuard</filter-name> <url-pattern>/*</url-pattern>

</filter-mapping><!–- �!��!� 5%�JavaScript�Servlet�2A --><servlet>

<servlet-name>JavaScriptServlet</servlet-name><servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>

</servlet><!–- JavaScript�Servlet��41 --><servlet-mapping>

<servlet-name>JavaScriptServlet</servlet-name><url-pattern>/JavaScriptServlet</url-pattern>

</servlet-mapping>



3. WEBcINF/Owasp.CsrfGuard.properties

o[-� �aorg.owasp.csrfguard.NewTokenLandingPage C Corg.owasp.csrfguard.TokenPerPage C Sc Corg.owasp.csrfguard.ProtectedMethods CSRF w HTTP

org.owasp.csrfguard.UnprotectedMethods CSRF w e HTTP

org.owasp.csrfguard.unprotected.* CSRF w eorg.owasp.csrfguard.protected.* CSRF worg.owasp.csrfguard.action.* gorg.owasp.csrfguard.TokenName Corg.owasp.csrfguard.SessionKey Corg.owasp.csrfguard.TokenLength C g Torg.owasp.csrfguard.PRNG g (SHA1PRNG )(



4. JSP ghead o hbody gnonce rgJavaScript(OWASP( CSRFGuardgServlet)

script

<script src="/path/to/webapp/JavaScriptServlet"></script>



43


OWASP(CSRFGuard

Spring(Security

csrfcfilter

OWASP(CSRFProtector

csrfcmagic



OWASP-CSRFProtector¾kOWASP(CSRFProtector

— https://www.owasp.org/index.php/CSRFProtector_Project

— https://github.com/mebjas/CSRFcProtectorcPHP

" PHP cApacheg C" CSRF c anonce a

" PHPg ob_start aWeb C wg @nonce(

" C g JPHP g CSRFProtector CRc @ o nonce

# :(http://php.net/manual/ja/function.obcstart.php

1. form gH PHP g p p2. /libs/config.php a


OWASP-CSRFProtector«gZb(1)

1. form gH PHP gp p@

2. /libs/config.php ah g

include_once __DIR__ .'/libs/csrf/csrfprotector.php';csrfProtector::init();


OWASP-CSRFProtector«gZb(2)

o[-� �a :@,J; CSRFP_TOKEN Cookieu C C g C ""(( h"csrfp_token"c T

)

noJs JavaScriptg false((nocjs g )

logDirectory "../log“((Rg pa P)

failedAuthAction C cC

• 0:(HTTP(403(Forbidden)• 1:(GET/POST a ($_POST

)• 2:( C C (errorRedirectionPage)• 3:( C C (customErrorMessage

)

• 4: HTTP(500(Internal(Server(Error()

• GET: 0(HTTP(403)• POST: 0(HTTP(403)

errorRedirectionPage C C g URL ""(( )

customErrorMessage C C ""(( )

jsPath JavaScript gconfig.php wg "../js/csrfprotector.js"

jsUrl JavaScript g URL "http://localhost/test/csrf/js/csrfprotector.js"

tokenLength C g T 10 ( )

disabledJavascriptMessage JavaScript g C ( :RgWeb hCSRF aJavaScript aP T c J

g )

verifyGetFor GET g JURL Farray() ( g )


4. CSRFYxH)AHI$«g��


4.1-JAVA¬:-SPACEWALK

48


Spacewalk�.K31);I.+3;@,�2*I

Spacewalk

Red(Hat( Linux g C H Red(Hat(Network(SatellitegOSS

URL http://spacewalk.redhat.com/

CVE CVEc2009c4139

URL

" http://www.redhat.com/support/errata/RHSAc2011c0879.html

" http://securitytracker.com/id?1025674

" https://bugzilla.redhat.com/show_bug.cgi?id=529483

" http://xforce.iss.net/xforce/xfdb/68074

C 1.2.39

C 1.2.39c85

Spacewalkh@ CVEg 1.5

" C 1.5.46c1

" C 1.5.47c1


Â·�0�<�C)L;

g h@ C Ctestuser CT a

<form method="POST" action="/rhn/users/DeleteUserSubmit.do?uid=2"><div align="right">

<hr /><input type="submit" value="�!�!�(K" />

</div></form>


Spacewalk��CSRF�©p$��

C 1.5.47c1 h@ @g C a

" C JSP (348 )

<form method="POST“action="/rhn/users/DeleteUserSubmit.do?uid=${param.uid}">

<rhn:csrf /><html:submit styleClass="btn btn-danger">

<bean:message key="deleteuser.jsp.delete"/></html:submit>

</form>


OWASP-CSRFGuard�«g

1. Spacewalkg C C1. web.xml(

2. jsp javascript g2. C C Spacewalk C3. C C

Spacewalk(h Java( Pw a r@RR hJava( g CSRF H OWASP(CSRFGuard g p

JSP@&)J��JavaScript�¼�ÁX

code/webapp/WEBcINF/decorators/layout_c.jsp gOWASP(CSRFGuardgJavaScriptServletglayout_c.jsp h C g C ce a @1g nag C

</div></div>

<script src="/rhn/JavaScriptServlet"></script></body>

</html:html>


H)AHI«g��

C C C gform gaction c@OWASP_CSRFTOKENc J input T

<form method="POST" action="/rhn/users/DeleteUserSubmit.do?uid=3&OWASP_CSRFTOKEN=FWJ8-NCD0-0KUN-3BIV-DGLI-U6UU-1XNT-9K4N">

<div align="right"><hr><input value="�!�!�(K" type="submit">

</div><input value="FWJ8-NCD0-0KUN-3BIV-DGLI-U6UU-1XNT-9K4N" name="OWASP_CSRFTOKEN" type="hidden"></form>


H)AHI«g��

Spacewalk g C w c@H Spacewalkg403 C

(http://website/errors/403.html) T

※ Tomcatg catalina.out hCSRF T3.: CsrfGuard analyzing request /rhn/users/DeleteUserSubmit.do2015/02/20 12:53:32 org.owasp.csrfguard.log.JavaLogger logF,: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.80.1, method:POST, uri:/rhn/users/DeleteUserSubmit.do, error:required token is missing from the request)


Spacewalk��OWASP CSRFGuard«g��£(1)

" Spacewalk CSRF h@nonce g cC JSP g (JSP 348 g a )

" OWASP CSRFGuard CSRF h@nonceg JavaScript

J r@ C JSP 1 gpRc

# @OWASP CSRFGuardg hJavaScript eh T r@ g

" Spacewalk h g403 C H r@OWASP CSRFGuardga h403 C vJ @Spacewalk

JvJ


Spacewalk��OWASP CSRFGuard«g��£(2)

" Spacewalk Struts a sH @OWASP CSRFGuardgg h e

# StrutshAction JSPg H @JSP URL

o e r@ gJSP H# Tomcatg T JSP as@

T gh T JSP g r@h T e

# g r@ C C Spacewalkg C g@ C aTomcat H

" w@ Spacewalk gOWASP CSRFGuardg h@Strutsga @Spacewalk CSRF c o h

g CSRF Rc


4.2-PHP¬:-LOGIN-REBUILDER

58


PHP�d¯�#��CSRFYxH)AHI�«g

Login(Rebuilder

C gwpclogin.php wWordPress

URL

" https://wordpress.org/plugins/logincrebuilder/

" http://plugins.svn.wordpress.org/logincrebuilder

CVE CVEc2014c3882

URL

" http://wordpress.org/plugins/logincrebuilder/changelog/

" http://12net.jp/news/n20140623_01.html

" http://jvndb.jvn.jp/jvndb/JVNDBc2014c000062

" http://jvn.jp/en/jp/JVN05329568/index.html

C 1.1.3( 868421)

C 1.2.0( 914619)


Â·�@,�E�Wn

WordPress gLogin(Rebuilderg C (F →F C )

http://website/wordpress/wpcadmin/optionscgeneral.php?page=logincrebuildercproperties

e Ch her@ H Rc w

T a


form5/\�\�<form method="post" action="/wordpress/wp-admin/options-general.php?page=login-rebuilder-properties">(=<)<input type="radio" name="properties[response]" id="properties_response_1" value="1“ checked='checked' /><input type="radio" name="properties[response]" id="properties_response_2" value="2“ /><input type="radio" name="properties[response]" id="properties_response_3" value="3“ />(=<)<input type="text" name="properties[keyword]" id="properties_keyword" value="login-keyword" class="regular-text code" />(=<)<input type="text" name="properties[page]" id="properties_page" value="wprdpress-login.php" class="regular-text code" />(=<)<textarea name="properties[content]" id="login_page_content" rows="4" cols="60" style="font-family:monospace;" readonly="readonly"></textarea>(=<)<input type="text" name="properties[page_subscriber]" id="properties_page_subscriber" value="wprdpress-login-r.php" class="regular-text code" />(=<)<input type="radio" name="properties[status]" id="properties_status_0" value="0" checked='checked' /><input type="radio" name="properties[status]" id="properties_status_1" value="1" />(=<)<input type="submit" name="submit" value="/7$0" class="button-primary" /></form>


Login-Rebuilder�CSRF©p?�2GL�C)L;WordPressgwp_create_nonce() a e $nonce( @ Cg g C(properties[response])

nonce

input gname g g (properties[page]g @ s )

nonceg (POST g C g )

$nonce = wp_create_nonce(self::LOGIN_REBUILDER_PROPERTIES_NAME.'@'.$wp_version.'@'.LOGIN_REBUILDER_DB_VERSION);

<input type="text" name="properties_<?php echo $nonce; ?>[page]" id="properties_page" value="<?php _e( $this->properties['page'] ); ?>" class="regular-text code" />

if ( isset( $_POST['properties_'.$nonce] ) ) {


Login-Rebuilder�CSRF©p?�2GL�C)L;

gHTMLginput (properties[page]g )

<input type="text" name="properties_c6808428a6[page]" id="properties_page" value="wprdpress-login.php" class="regular-text code" />

Login(Rebuildergnonce CSRF g h@input heP ginput gname g

c J H

" inputgname Fproperties[response] wFproperties_c6808428a6[response] c esg vJ

T" C wPOSTT g C properties_c6808428a6 he h

e


��:-WordPressNc�nonce$j!»�]r

WordPresshnonce J T a @u C

" WordPressgnonce Chttp://codex.wordpress.org/WordPress_Nonces

" http://wpdocs.sourceforge.jp/

# nonce( J h nonce(c Jo


��:-WordPressNc�nonce$j!»�]r

( v )

" nonceg (wp_create_nonce ) URL nonce a

" nonceg (wp_verify_nonce ) w (die)

<?php $nonce= wp_create_nonce ('my-nonce'); ><a href='myplugin.php?_wpnonce=<?php echo $nonce ?>'>

<?php$nonce=$_REQUEST['_wpnonce'];if (! wp_verify_nonce($nonce, 'my-nonce') )die('Security check');

?>


OWASP-CSRF-Protector-�«g

1. OWASP(CSRF(Protector(g C C Login(

Rebuilder( w P2. Login(Rebuilder(g C C @CSRF(

Protector( p vJ

Login(Rebuilder(h PHP( Pw a r@RRh PHP( g CSRF H

OWASP(CSRF(Protector(g p


OWASP-CSRF-Protector�o�

wordpress/ ←WordPress ��!��+ wp-content/plugins/ ←WordPress�� + login-rebuilder/ ←Login Rebuilder ��!��+ languages/ ←AC�� ("G=<)+ csrfp/ ←OWASP CSRF ProtectorB?��+ js/+ csrfprotector.js ←�!� 5%;�JavaScript+ index.php

+ libs/+ csrf/ ←OWASP CSRF Protector9#��+ csrfpJsFileBase.php+ csrfprotector.php+ index.php

+ config.sample.php ←B1�� + index.php

+ log/ ←��&)��+ .htaccess

+ login-rebuilder.php ←Login Rebuilder9#+ uninstall.php

WordPress g Login(Rebuilder(

C OWASP(CSRF(Protector(


Login-RebuilderNc�¬�

" Login(Rebuilder(g logincrebuilder.php @OWASP(CSRF(Protector g csrfprotector.php p

" gdefine g(=<)define( 'LOGIN_REBUILDER_DOMAIN', 'login-rebuilder' );define( 'LOGIN_REBUILDER_DB_VERSION_NAME', 'login-rebuilder-db-version' );define( 'LOGIN_REBUILDER_DB_VERSION', '1.1.3' );define( 'LOGIN_REBUILDER_PROPERTIES', 'login-rebuilder' );

// I*:Login Rebuilder ��!��1@define( 'LOGIN_REBUILDER_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );// I*:OWASP CSRF Protector�E�H��'8+require_once( LOGIN_REBUILDER_PLUGIN_DIR . 'csrfp/libs/csrf/csrfprotector.php' );csrfProtector::init();

$plugin_login_rebuilder = new login_rebuilder();(=<)


CSRF Protector-«g��

T HTML h@form nonce Tcsrfp_tokenc J ginput T

<form method="post" action="/wordpress/wp-admin/options-general.php?page=login-rebuilder-properties">(=<)<input type='hidden' name='csrfp_token' value='559e21982a' />

{"timestamp":1423729288,"HOST":"192.168.80.129","REQUEST_URI":"\/wordpress\/wp-admin\/options-general.php?page=login-rebuilder-properties","requestType":"POST","query":{"properties":{"response":"3","keyword":"CSRF","page":"csrf.php","content":"","page_subscriber":"csrf2.php","status":"1"},"submit":"\u5909\u66f4\u3092\u4fdd\u5b58"},"cookie":[]}

c@ C C J g@WordPress g C (http://website/wordpress/)T

T hCSRF gg T


Login-Rebuilder��OWASP- CSRF-Protector«g��£(1)

" Login(Rebuilder CSRF h@nonceg C g Cg c a c Jsg" WordPress hCSRF nonce J

a @ Login(Rebuilderhnonce gp a @h g a

" OWASP(CSRF(Protector CSRF h@ CPHP OWASP( CSRF(Protector p og v 11 g g gp


Login-Rebuilder��OWASP- CSRF-Protector«g��£(2)

" OWASP(CSRF(Protector(hWordPressg gvJeg s H Rc

" OWASP(CSRF(Protectorg J v @ hWordPressg C vJ

" g h@ HTTP 403 caWordPressg he gT

" Login(Rebuilderg v g eT w@nonce JvJ Login( Rebuilder

CSRF v s CSRF @c ag he ?


5. ��


��(1)

"CSRF( C)c J g c g

e

" g"" Web C C gCSRF

" CSRF


��(2)

" CSRF a" JavauPHP CSRF g C

g" CSRF g

# Spacewalk OWASPCSRFGuard

# Login Rebuilder OWASPCSRFProtector

" CSRF g h o hH (c a g he ?)

" :(CSRF g @ @ ah


��w

IPA— e g— @Web C

OWASP—CrosscSite(Request(Forgery((CSRF)(

—CrosscSite(Request(Forgery((CSRF)(Prevention(Cheat(Sheet

Wikipedia—( )(Crosscsite(request(forgery

https://en.wikipedia.org/wiki/Crosscsite_request_forgery

—( )( Chttps://ja.wikipedia.org/wiki/ C

75


. C C C: :

C: : :

hR w dJ E: : :

クロスサイトリクエストフォージェリ(csrf)とその対策手法 (osc2015hokkaido版)

Internet