Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
idea for a new type of xsrf
Posted by: teen
Date: January 27, 2009 09:24AM

If a website used an image to display any sensitive information, would it be possible to load the image into an HTML 5 canvas tag, get all the data from it and submit it to your server? Also, what if you used the canvas tag to pull in a form from another server; what would happen? Would it be possible to convert the data back into text and manipulate it via JS?

Thanks

Re: idea for a new type of xsrf
Posted by: clayfox
Date: January 27, 2009 02:30PM

I haven't used the canvas tag, but the important thing that stops these types of CSRF attacks is the Same-Origin Policy implemented by the browsers.

The Same-Origin Policy states (paraphrased): A response from domain A to a request from domain B cannot be parsed by domain B.

http://en.wikipedia.org/wiki/Same_origin_policy

This is a very necessary safeguard against just the type of attack you propose.

If you were to host this page in the same domain as the page you were attacking, then the Same-Origin Policy would not restrict you from using js to parse the response.

As new tags come out we must test them for these specific faults as well as new XSS vectors. Good thinking, and I would be interested to hear if there are any loopholes that are found in the implementation of the Same-Origin Policy.

-clayfox

Re: idea for a new type of xsrf
Posted by: barbarianbob
Date: January 27, 2009 03:29PM

Wow. It actually works.
This file grabs the image off google.com through the client. From there you can save the source of the image via XHR.
hxxp://reco.rd13.net/bullpoop/csrfImage.php

Re: idea for a new type of xsrf
Posted by: teen
Date: January 27, 2009 06:59PM

I tried modifying your JS and a few things. If you call alert(ctx.getImageData()), you will get the cross-domain error.

[Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:///C:/Documents%20and%20Settings/shawn/Desktop/test.html Line: 65"] source=ctx.getImageData(); code=1000

Re: idea for a new type of xsrf
Posted by: holiman
Date: January 28, 2009 01:37PM

Nice idea; I tested it too. Browsing the source code at http://mxr.mozilla.org/mozilla/source/content/canvas/src/nsCanvasRenderingContext2D.cpp , however, it seems that putting an image on the canvas puts it into read-only mode. But I am not sure exactly how it works; there may still be some way around it.

Testing gives me security errors no matter where the image comes from - it does not even have to reside off-domain.

Re: idea for a new type of xsrf
Posted by: barbarianbob
Date: January 28, 2009 02:45PM

Yeah, looks like I spoke too soon.
WHATWG says there's a flag that is set to false when you work with off-site images. If the flag is true, you can grab the imageData; if not, you get a security error.

http://www.whatwg.org/specs/web-apps/current-work/multipage/the-canvas-element.html#security-with-canvas-elements

Re: idea for a new type of xsrf
Posted by: holiman
Date: January 29, 2009 04:56AM

Also, looking at HTMLCanvasElement line 131, it says this about the write-only flag:
"We set this when script paints an image from a different origin."

http://mxr.mozilla.org/mozilla/source/content/html/content/src/nsHTMLCanvasElement.cpp#129

So, they have thought about that. But maybe there are other ways to fool it :)

Also, my mistake when I got all the security errors was running it as a file instead of from localhost. Beginner's mistake :)

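The Same-Origin Policy argument in clayfox's reply and the WHATWG "origin-clean" flag that barbarianbob and holiman found in the spec and the Mozilla source are the same mechanism. The following is an added example, not code from the thread or from any browser: a small model of the spec's decision logic, written so it runs in Node without a DOM and can be checked directly. It goes a little beyond the 2009 discussion by also modelling the later crossOrigin="anonymous" / Access-Control-Allow-Origin path, which is the one legitimate way a cross-origin image can be drawn without tainting the canvas. All origins, URLs, header values and function names here are constructed for the example.

```javascript
// Added example (not from the original thread): a minimal model of the
// HTML spec's canvas "origin-clean" flag, the mechanism the posts above
// are probing. It reproduces the spec's decision logic so it can run in
// Node without a DOM; the origins, URLs and header values are constructed
// for the example, not taken from the thread.

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = 'SecurityError';
  }
}

// Reduce a URL to its origin (scheme://host[:port]). file: URLs get an
// opaque origin, modelled as null, which is never same-origin with anything.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol === 'file:') return null;
  return `${u.protocol}//${u.host}`;
}

// Model of an <img> after fetching. allowOrigin stands in for the
// Access-Control-Allow-Origin header the image server sends (constructed).
// crossOrigin mirrors img.crossOrigin = "anonymous": the fetch is made in
// CORS mode and the load fails outright unless the header matches.
function fetchImage(url, { crossOrigin = null, allowOrigin = null, requester = null } = {}) {
  const img = { url, origin: originOf(url), corsClean: false };
  if (crossOrigin !== null) {
    if (allowOrigin !== '*' && (requester === null || allowOrigin !== requester)) {
      throw new Error(`CORS image load failed: ${url}`);
    }
    img.corsClean = true;
  }
  return img;
}

class ModelCanvas {
  constructor(pageUrl) {
    this.origin = originOf(pageUrl);
    this.originClean = true; // spec: a fresh canvas is origin-clean
  }

  drawImage(img) {
    // Spec: if the image's origin is not the same as the canvas's origin and
    // the image was not fetched CORS-clean, clear the origin-clean flag.
    // An opaque (null) origin on either side never counts as same-origin.
    const sameOrigin = this.origin !== null && img.origin === this.origin;
    if (!sameOrigin && !img.corsClean) this.originClean = false;
    // (pixels would be composited here)
  }

  getImageData() {
    // Spec: getImageData(), toDataURL() and toBlob() throw a SecurityError
    // once origin-clean is false. This is the exception quoted in the thread.
    if (!this.originClean) {
      throw new SecurityError('The canvas has been tainted by cross-origin data.');
    }
    return new Uint8ClampedArray(4); // placeholder RGBA pixel
  }
}

// Try the attack from the first post: draw an image, then read it back.
// Returns 'ok', 'SecurityError' or 'load failed' rather than only printing,
// so the outcomes can be checked directly.
function tryReadPixels(pageUrl, imageUrl, opts = {}) {
  const canvas = new ModelCanvas(pageUrl);
  let img;
  try {
    img = fetchImage(imageUrl, { ...opts, requester: canvas.origin });
  } catch (e) {
    return 'load failed';
  }
  canvas.drawImage(img);
  try {
    canvas.getImageData();
    return 'ok';
  } catch (e) {
    if (e instanceof SecurityError) return 'SecurityError';
    throw e;
  }
}

// Same origin: readable.
console.log(tryReadPixels('http://localhost/test.html', 'http://localhost/logo.png'));
// Cross-origin without CORS: the canvas is tainted, the read throws.
console.log(tryReadPixels('http://attacker.example/test.html', 'http://victim.example/secret.png'));
// Cross-origin with crossOrigin="anonymous" and a permissive ACAO header: readable.
console.log(tryReadPixels('http://attacker.example/test.html', 'http://cdn.example/public.png',
  { crossOrigin: 'anonymous', allowOrigin: '*' }));
// Page loaded from file://: opaque origin, so even a local image taints it.
console.log(tryReadPixels('file:///C:/test.html', 'file:///C:/logo.png'));
```

In a real browser the outcomes are the same: ctx.getImageData() on a tainted canvas throws a SecurityError (the NS_ERROR_DOM_SECURITY_ERR quoted earlier in the thread), and the only way to read back a cross-origin image is for the image server to opt in via CORS. The last case is also why testing from a file:// page gives security errors regardless of where the image comes from; serve the test page from localhost instead.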