Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Getting the user to click the button (and do other things)
Date: February 11, 2008 02:26PM

Gareth Heyes wrote a CSRF chatbox, where he gets around the CSRF tokens by making the user click the save button manually. We've also had cases where JavaScript can be used to intercept user keystrokes and put them inside a file box, so we can get them to upload arbitrary files.

I'm wondering if there are any techniques people have used both to prevent this type of exploit and to make it more effective. For instance, Gareth's PoC is fairly crude, but I'm sure with a bit more CSS trickery the Save button could be made to look like a normal form element.

It seems to me, however, that this sort of thing would be pretty hard to sort out on the browser level without making iframes distinct from the rest of the page (apart from banning iframes outright, with javascript). Also, making it difficult to predict the position of the button on the website would probably help things out too.

Once again, I apologize if this has been discussed before.

HTML Purifier - Standards Compliant HTML filtering

Re: Getting the user to click the button (and do other things)
Posted by: Gareth Heyes
Date: February 11, 2008 03:17PM

Yeah it's pretty crude I agree but it does demonstrate the technique well because it's easy to understand what's going on. I might create another improved version or maybe a different app altogether :)

I've done more research with CSS overlays before, which might be of interest; it's possible to integrate other sites quite seamlessly:

(Now fixed by VeriSign)
http://www.businessinfo.co.uk/labs/OpenID/overlay_openid.php

(Delicious)
http://www.businessinfo.co.uk/labs/css_attacks/overlay.php

Crouching tiger hidden post :)
http://www.businessinfo.co.uk/labs/css_attacks/holder.php

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Getting the user to click the button (and do other things)
Posted by: riahmatic
Date: February 11, 2008 03:19PM

i don't see the save button for the chat anymore :(

edit: err nevermind.

edit: you could check parent.location and maybe modify the form randomly if it doesn't match yours. or just break out.



Edited 2 time(s). Last edit at 02/11/2008 03:36PM by riahmatic.

Re: Getting the user to click the button (and do other things)
Posted by: Anonymous User
Date: February 11, 2008 03:51PM

Gareth and I talked about these issues, and proposed to let the chat users 'crack' --read: type over-- a captcha before entering and setting up a new chatbox through a captcha-enabled site. :) so captchas are simply useless this way.

hehe, awesome isn't it. I think a lot is possible with some creativity.
