Sending Out An SOS: Session Origin Security presented at HITBSecConf Malaysia 2013

by Mike Shema,

Summary : Cross Site Request Forgery (CSRF) remains a significant threat to web apps and user data. Current countermeasures like request nonces can be cumbersome to deploy correctly and difficult to apply to a site retroactively. Detecting these vulns with automated tools can be equally difficult to do accurately.
The presentation starts with a demonstration of how to model attacks to validate whether different kinds of countermeasures are implemented correctly. It includes a tool and code to show how to detect these vulns with few false positives.
Then we explore how CSRF could be prevented at the HTTP layer by proposing a new header-based policy, similar to the intent of Content Security Policy. This new policy introduces a concept called Session Origin Security (SOS) for cookies and session objects that foils many kinds of CSRF attacks without burdening the site with HTML modifications. The solution focuses on simplicity to make it easier to retrofit on current apps, but requires browsers to support a new client-side security control. We show how this trade-off could be a quicker way to improving security on the web.