Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
CSRF via EOT/PRF in IE
Posted by: Anonymous User
Date: December 25, 2006 04:36AM

Hi!

Just stumbled upon this issue:

<html>
<head>
<title>csrf via eot</title>

<!-- via LINK tag -->
<link rel="fontdef" src="http://what.ever.you.want">

<!-- or via STYLE tag -->
<style type="text/css">
@font-face { font-family:Chianti XBd BT;
src:url(http://what.ever.you.want); }
</style>
</head>
<body>
csrf via eot
</body>
</html>

Using this proprietary code to embed fonts for IE you can create a CSRF vector because IE of course has to make a request to the given resource - interesting should be the fact of filter evasion possible with this snippet. I tried to create an XSS with that one but didn't manage it.

Greetings and happy new year,
.mario



Edited 1 time(s). Last edit at 12/25/2006 04:37AM by .mario.
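
An added example, not part of the thread: a filter-side check that lists the URLs a browser would request for the two font-embedding forms shown in the post above, so an HTML filter that only inspects img/script/iframe sources can be extended to cover them. The function names, the sample hosts and the extra check of href= are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

FONT_FACE = re.compile(r"@font-face\s*\{[^}]*\}", re.I)
# url(...) token; CSS allows the URL with or without quotes
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

class FontFetchFinder(HTMLParser):
    """Collect URLs a browser would request to load an embedded font."""
    def __init__(self):
        super().__init__()
        self.findings = []   # (vector, url) tuples
        self._css = None     # buffer while inside <style>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "fontdef" in a.get("rel", "").lower().split():
            url = a.get("src") or a.get("href")  # the post uses src=
            if url:
                self.findings.append(("link-fontdef", url))
        elif tag == "style":
            self._css = []

    def handle_data(self, data):
        if self._css is not None:
            self._css.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._css is not None:
            css, self._css = "".join(self._css), None
            for rule in FONT_FACE.findall(css):
                for url in CSS_URL.findall(rule):
                    self.findings.append(("font-face", url))

def find_font_fetches(html):
    finder = FontFetchFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the post's markup with placeholder hosts
SAMPLE = """<html><head>
<link rel="fontdef" src="http://placeholder.example/a">
<style type="text/css">
@font-face { font-family:Chianti XBd BT;
src:url(http://placeholder.example/b); }
</style></head><body>csrf via eot</body></html>"""

if __name__ == "__main__":
    print(find_font_fetches(SAMPLE))
```

CSS escapes and comments inside the rule are not decoded here, so an empty result means "not found by this check" rather than "no font request possible".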

Re: CSRF via EOT/PRF in IE
Posted by: rsnake
Date: December 25, 2006 09:44AM

Yup, that's true with any CSS definition or embedded content in general.

- RSnake
Gotta love it. http://ha.ckers.org

Re: CSRF via EOT/PRF in IE
Posted by: kirke
Date: January 05, 2007 11:06AM

What has this to do with CSRF/session riding?

Not all browsers send cookies for link, img etc. tags. Do all IE behave the same way?
BTW, has someone a list about that browser behaviour?

Re: CSRF via EOT/PRF in IE
Posted by: kuza55
Date: January 05, 2007 06:13PM

kirke Wrote:
-------------------------------------------------------
> Not all browsers send cookies for link, img etc.
> tags.


Really? Which ones don't? From my experience they all do, and rightly so in my opinion.
