Hi Ha.ckers,

i came up with this idea of brute forcing csrf token using css history hack and want to get your opinions on it. currently it works ok to brute force tokens of 5 chars length, might be feasible in future for longer tokens - [securethoughts.com]

-
Inferno
SecureThoughts.com

I don't think that will work for nonces, but for persistent tokens that could be a great idea. One problem with the usual brute force techniques is that your invalid attempts get logged. This would be a way around that since it wouldn't hit the site you are attacking, just the user.

This wouldn't work for nonces, because they will only show up once they are used.

-clayfox

For nonces, it depends. Many systems allow older nonces in the active user session to support back and forward browser buttons. If that is the case, then yes, this technique would work. Otherwise, no.

-
Inferno
SecureThoughts.com

Nonce is the combination the words "Number" and "Once". A nonce by definition is only used once, otherwise it is generally referred to as a token or key. Systems that allow that sort of behavior are using tokens, not nonces.

-clayfox

sirdarckcat demo'd a better technique just using CSS no javascript:-
[sla.ckers.org]

------------------------------------------------------------------------------------------------------------

(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Gareth, thanks for pointing this ! using CSS PoC is better than my javascript, and works even when someone completely disables javascript :). can you please share the source code for this php page - [sla.ckers.org]. can you please put a download link here or send to my email id Inferno {at} SecureThoughts.com

-
Inferno
SecureThoughts.com

[www.businessinfo.co.uk]

------------------------------------------------------------------------------------------------------------

(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

@Gareth,

I think you are missing the point in my attack. Sirdarckcat's work is on a entirely different side and it requires active css injection in the form page. My technique is based on css history hack by Jeremiah and it does not require any injection.

Thanks,
Inferno

-
Inferno
SecureThoughts.com

@Inferno

I think you are misunderstanding my point, using CSS selectors it's possible to accomplish the same thing and I posted the technique a while ago:-

[www.businessinfo.co.uk]

Sirdarckcat took it a stage further by using CSS to examine the values.

------------------------------------------------------------------------------------------------------------

(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

Gareth,

I am getting your point now, with the last PoC it was a little unclear. So, yes, my PoC can be improved to be pure CSS based without js.

However, i still feel that pure CSS attack might be more problematic because your html file size will be very long, since it will contain all the brute force values. a base16 5 length long token will have key space 1048576. Any way to overcome this ?

But still pure CSS is very very innovative approach found by sirdarckcat and you.

-
Inferno
SecureThoughts.com

@Inferno

Yeah sirdarckcat and Stefano Di Paola found you could link stylesheets together to brute force the key faster by reading pairs of keys using the @import command

------------------------------------------------------------------------------------------------------------

(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [www.businessinfo.co.uk]

[eaea.sirdarckcat.net]
[eaea.sirdarckcat.net]
[eaea.sirdarckcat.net]
[eaea.sirdarckcat.net]
etc...
[p42.us]

--------------------------------
irc://irc.irchighway.net/#slackers --> sla.ckers.org IRC channel
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]

Have to agree that SDC and Gaz came with these things.

btw if you research something don't you Google for it FIRST? This way you don't indulge into stuff that has been researched already, saves you a lot of time to research other things.

@sirdarckcat - thanks for improved PoCs with pure CSS.

@rvdh, i do google things before writing them up. believe me or not, the concept was not discussed anywhere else before. people knew the history hack to check visited websites only. If you still don't believe, try to find this PoC in google - [eaea.sirdarckcat.net].

What i should have done is to improve my PoC which currently uses a combination of css and js(old one). My PoC could be much better developed using Sirdarckcat's and Gareth's techniques using pure CSS and i totally agree.

@sirdarckcat - if you have some time, can you please show us the way to link multiple spreedsheets together which Gareth pointed could brute force keys faster. Can you please try to see how much time it takes on 5 or 6 digit base 16 keyspace. I wanted to add your reference in my post, alongwith your improved PoC and some time readings.

-
Inferno
SecureThoughts.com

[www.heise.de]

In Germany you're a star already ;)

---
g:0in~/*for another*/~alert(!!1)
(Å='',[Ç=!(µ=!Å+Å)+{}][Ç[ª=µ[++Å]+µ[Å-Å],È=Å-~Å]+Ç[È+È]+ª])()[Ç[Å]+Ç[Å+Å]+µ[È]+ª](Å)
me || PHPIDS || Twitter || <malicious></markup>

3x.thanks mario for posting

-
Inferno
SecureThoughts.com

Actually you are right almost all this CSS stuff are either on the talk we gave at bluehat (that wasnt very famous), and we later published the ppt, or in some google group, or I dont remember haha.. I posted some of this stuff in my blog, and gareth on his, and thornmaker also... We'll probably do a whitepaper or something like that.. just after this crazy university/start-working/talk/ppt/talk/etc.. things finish happening.. Im presenting at blackhat next week and 2 weeks after that on xcon, and well.. after that I will finally have time (and a motivation to start writing about all this and other things I left unfinished last year).

I think that all xss filters are blocking just javascript :) and that's cool since in some time we will start seeing how CSS-based attacks start appearing.

The PoC that is not on google (urlbruteforce.php) is not on google because it was distributed on a .zip, that was made by gareth last year or something like that.. Sadly google doesn't index zip files (yet).

The linking multiple stylesheets together was about using @import rules that where conditioned to the result of another rule.. This is used on the first version of the attribute reader that can be found on p42.us/css

The idea is.. having a:
<style>
@import "/?fetch-first-rules";
</style>
and fetch-first-rules has:

condition1{
background:url(/?b=condition1);
}
condition2{
background:url(/?b=condition2);
}
condition3{
background:url(/?b=condition3);
}


and then
<style>
@import "/?fetch-new-rules";
</style>

the fetch-new-rules stylesheet depend on if either which of condition 1, 2 or 3 were triggered.

You can then expand this approach by importing other stylesheets inside each imported rule, each one of them conditioned to the result of previous rules.

So, the general idea is.. you have N imports
1.- the first import will return you a histogram of the chars (eg. '0'x2,'5'x1,'6'x7, etc..)
2.- the second import will try to match and count the ocurrences of pairs of chars (eg. 00 01 05 06 56 66 etc..)
3.- the third import will try to match and count the ocurrences of each possible matched pair (eg. 0056 0066 6600 6656 6665 5600 5666 etc)
4.- the forth import will try to match and count the ocurrences of each possible matched pair of pairs. (eg. 0056 6666)
5.- the fifth import will know that the value is either one of several possible values, so it will send a try for exact matches (eg. the only possible one is 0056666666).

It's important to consider that the amount of imports needed and comparisons depend on the algorithm, and the string.

So, to answer your question:
> Can you please try to see how much time it takes on 5 or 6 digit base 16 keyspace.

It depends on the string (the base is irrelevant either base 2 or base 64 its the same), it can be either one style sheet matching single ocurrences (like 012345 that is best case scenario) or in the worst case scenario.. for 6 chars, it could be 3 very big includes (its pretty easy actually) or several smaller includes. (so, you have either 3 big stylesheets or 5 small stylesheets).

When it gets complicated is when the base exceeds the length of the string (base 16 with 32 chars for example), since then the algorithm is more complex when matching single occurrences.

Check the PoC's algorithms and the PPT..

Greetings!!

--------------------------------
irc://irc.irchighway.net/#slackers --> sla.ckers.org IRC channel
[sirdarckcat.blogspot.com] [www.sirdarckcat.net] [foro.elhacker.net] [twitter.com]



Edited 9 time(s). Last edit at 07/22/2009 10:36AM by sirdarckcat.

I find plenty of stuff on Google, including CSS CSRF.

btw, click jacking has been done months before RSnake:

[own-the.net]

I don't assume people raid other people's work (although I DO seen that quite a lot since this field is running short on P0C's I guess) But if you know how to use your search engine properly you will find most research, or approximations to it.

When i start on something I usually spend countless hours to look for data that is known, unknown because it not only saves me time, it also prevents that other people will (right or wrongfully) accuse you of something, and you can reference to it.