
ONLINE REGISTRATION CLOSES OCT 13TH AT 23:59 MYT


Walk in registrations at The InterContinental for the conference on 16th and 17th are still accepted (walk-in rate MYR1499).

For up-to-the-minute updates on #HITB2013KUL including on-site happenings during the event, please follow @hitbsecconf on Twitter.

Mike Shema (Director of Engineering, Qualys)

LAB TITLE: Sending Out an SOS: Session Origin Security

LAB ABSTRACT:

Cross-Site Request Forgery (CSRF) remains a significant threat to web apps and user data. Current countermeasures like request nonces can be cumbersome to deploy correctly and difficult to apply to a site retroactively. Detecting these vulnerabilities accurately with automated tools can be equally difficult.

The presentation starts with a demonstration of how to model attacks in order to validate whether different kinds of countermeasures are implemented correctly. It includes a tool and code that show how to detect these vulnerabilities with few false positives.

Then we explore how CSRF could be prevented at the HTTP layer by proposing a new header-based policy, similar in intent to Content Security Policy. This new policy introduces a concept called Session Origin Security (SOS) for cookies and session objects that foils many kinds of CSRF attacks without burdening the site with HTML modifications. The solution focuses on simplicity to make it easier to retrofit onto current apps, but requires browsers to support a new client-side security control. We show how this trade-off could be a quicker way to improve security on the web.
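As an added illustration of the two kinds of countermeasure the abstract contrasts (a per-session request nonce that must be embedded in every form, and a server-side check on the browser-supplied origin), the following Python is example code written for this page; it is not Mike Shema's tool and does not implement the SOS header, whose syntax the abstract does not specify. The session store, the allowed origin `https://app.example`, and the request dictionaries are constructed stand-ins for a real web framework.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed in-memory session object (hypothetical; a real app would keep
# this in its server-side session store keyed by the session cookie).
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

# Constructed example origin; a deployment lists its own site origin(s) here.
ALLOWED_ORIGINS = {"https://app.example"}


def check_request_nonce(session: Session, submitted: Optional[str]) -> bool:
    """Synchronizer-token ("request nonce") check: the token submitted with a
    state-changing request must equal the token bound to the user's session.
    This is the countermeasure that has to be retrofitted into every form."""
    if not isinstance(submitted, str) or not submitted or not session.csrf_token:
        return False
    # Constant-time comparison so timing does not leak partial matches.
    return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


def check_origin(headers: Dict[str, str]) -> bool:
    """Header-based check: browsers attach Origin (or at least Referer) to
    cross-site form posts, so a value outside the site's own origins marks a
    forged request. A strict policy also rejects requests carrying neither."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        u = urlsplit(referer)
        if not u.scheme or not u.netloc:
            return False
        origin = f"{u.scheme}://{u.netloc}"  # reduce to scheme://host[:port]
    return origin in ALLOWED_ORIGINS


def authorize_state_change(session: Session, headers: Dict[str, str],
                           form: Dict[str, str]) -> Tuple[bool, str]:
    """Decision a server makes before acting on a POST: both the origin
    check and the per-session nonce must pass. Returns (allowed, reason)."""
    if not check_origin(headers):
        return False, "origin mismatch"
    if not check_request_nonce(session, form.get("csrf_token")):
        return False, "missing or invalid csrf token"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Runs constructed requests through the checks: one legitimate same-site
    post, one cross-site forgery, one same-site post that forgot the nonce."""
    s = Session(user="alice")
    return {
        "legit": authorize_state_change(
            s, {"Origin": "https://app.example"}, {"csrf_token": s.csrf_token}),
        "cross_site": authorize_state_change(
            s, {"Origin": "https://other.example"}, {}),
        "same_site_no_nonce": authorize_state_change(
            s, {"Referer": "https://app.example/settings"}, {}),
        "no_headers": authorize_state_change(
            s, {}, {"csrf_token": s.csrf_token}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `same_site_no_nonce` case is the retrofit problem the abstract describes: the origin check alone would have allowed the request, so any form that was never updated to carry the token is rejected once the nonce check is enforced. The `no_headers` case shows the trade-off of a strict header policy, which turns away clients that send neither Origin nor Referer even when the nonce is present.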

ABOUT MIKE SHEMA

Mike Shema writes software to test the security of web sites. When not writing in C++ he turns to books and blog posts to share his knowledge of information security, from network penetration testing to wireless hacking to secure programming, with a generous helping of music, sci-fi, and horror references to keep the topics entertaining. He has taught hacking classes and presented research at security conferences around the world. His latest book is “Hacking Web Applications”.

Copyright © 2013 Hack In The Box | http://www.hackinthebox.org