Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
XSS + CSRF
Posted by: woody
Date: April 10, 2007 05:40PM

Two friends of mine, Billy Rios and Raghav Dube, presented a great way to combine xss and csrf to break the same domain policy at blackhat europe last week.

In their presentation they show how to attack other external websites using the victims machine and how to attack internal sites that would otherwise be protected by a firewall using a combination of xss and csrf.

https://www.blackhat.com/presentations/bh-eu-07/Dube-Rios/Whitepaper/bh-eu-07-rios-WP.pdf

Re: XSS + CSRF
Posted by: christ1an
Date: April 10, 2007 06:42PM

Thanks woody.

Is there anything entirely new in that paper? Otherwise I'd rather not read such a long discussion.

Re: XSS + CSRF
Posted by: kuza55
Date: April 10, 2007 07:07PM

christ1an Wrote:
-------------------------------------------------------
> Thanks woody.
>
> Is there anything entirely new in that paper?
> Otherwise I'd rather not read such a long
> discussion.

I only skimmed the paper, but as far as I could tell there was really nothing new there. It was essentially a presentation about how (given an XSS vulnerability in an application) you could force the user to perform any actions for that domain.

Re: XSS + CSRF
Posted by: christ1an
Date: April 10, 2007 07:40PM

Hmm, and what does that have to do with breaking the same-origin policy?

Re: XSS + CSRF
Posted by: woody
Date: April 10, 2007 08:49PM

The paper outlines how, using an xss vulnerability in one domain, you can force a user to attack another website with an xss vulnerability. Essentially breaking the same origin policy. See chapters 4.4 and 4.5 in the paper.

True the concepts of XSS and CSRF aren't new but combining them in this fashion to instantly get results from your CSRF makes this a much more lethal attack.

Re: XSS + CSRF
Date: April 10, 2007 09:15PM

yeah, I'm confuzzled too about how this is new O.O

Re: XSS + CSRF
Posted by: christ1an
Date: April 10, 2007 09:38PM

Well, let's face it. There's nothing new at all, but the paper is definitely worth reading for people who aren't aware of XSS / CSRF though. I guess Billy Rios and Raghav Dube spent quite a lot of time on providing us with this information and I personally appreciate that.

Re: XSS + CSRF
Posted by: rsnake
Date: April 15, 2007 01:43AM

Yah, I would argue that absolutely nothing there is new (in fact we've been talking about that attack for 5-6 years now), but it's good that someone bothered to write it out in a nice format.

- RSnake
Gotta love it. http://ha.ckers.org

Re: XSS + CSRF
Posted by: BK
Date: April 22, 2007 04:01PM

Agreed, there is nothing new with regards to using XSS + CSRF together in an attack, especially with those who read this list... however, the paper does cover a few things that are interesting:

1 - Using CSRF to brute force logins against Web applications (pg 26), which forces the user to establish an active session with the target web server.

2 - The use of separate dynamic payloads to control access to separate domains. (execute.js and external.js)

3 - Lastly... all the nice... pretty pictures.


BK

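Woody's post above describes the core of the paper (an XSS foothold on one site is used to drive the victim's browser into forged requests against another site), and BK's first point is the special case where those forged requests are login attempts that establish a session for the victim. From the defender's side the request that reaches the second site is an ordinary cross-origin POST, so the standard CSRF checks are what stop it. The following is an added example, not code from the paper or from any poster: a minimal server-side model with an Origin/Referer check, a per-session synchronizer token (applied to the login form as well, since that form is the one usually left unprotected), session rotation on login, and a failed-login cap. The origin `https://app.example`, the `Request` shape, the in-memory stores and the user table are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Hypothetical application origin and lockout threshold (constructed for this example).
SITE_ORIGIN = "https://app.example"
MAX_FAILED_LOGINS = 5


@dataclass
class Request:
    """A stripped-down HTTP request: only the parts the checks below look at."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# In-memory stand-ins for a real session backend and user store (constructed).
SESSIONS: dict = {}        # session id -> {"user": str | None, "csrf": str}
FAILED_LOGINS: dict = {}   # username -> number of consecutive failed logins
USERS = {"alice": "correct horse"}  # plaintext stub; a real app stores password hashes


def new_session(user=None):
    """Create a session (anonymous when user is None) with a fresh CSRF token.
    Returns (session id, csrf token); both go to the browser, the token in the form."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid, SESSIONS[sid]["csrf"]


def origin_ok(req):
    """Accept a state-changing request only if the browser attributes it to our origin.
    A request forged from a page on another site carries that site's Origin (or Referer),
    so it fails here regardless of which cookies the browser attached."""
    origin = req.headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = req.headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False  # neither header present: fail closed


def token_ok(req, session):
    """Synchronizer token: the submitted form must echo the token bound to the session cookie."""
    supplied = req.form.get("csrf_token", "")
    return hmac.compare_digest(supplied, session["csrf"])


def do_login(req):
    """Login handler; only reached after the origin and token checks have passed."""
    user = req.form.get("user", "")
    if FAILED_LOGINS.get(user, 0) >= MAX_FAILED_LOGINS:
        return 429, "too many failed logins"
    if USERS.get(user) != req.form.get("password"):
        FAILED_LOGINS[user] = FAILED_LOGINS.get(user, 0) + 1
        return 401, "bad credentials"
    FAILED_LOGINS.pop(user, None)
    sid, _token = new_session(user)  # rotate session id and token on login (anti-fixation)
    return 200, f"logged in; set sid={sid}"


def handle(req):
    """Return (status, body). Safe methods pass through; every other request needs a
    session cookie, a same-origin Origin/Referer, and a matching CSRF token."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return 200, "ok"
    session = SESSIONS.get(req.cookies.get("sid"))
    if session is None:
        return 401, "no session"
    if not origin_ok(req):
        return 403, "cross-origin request rejected"
    if not token_ok(req, session):
        return 403, "csrf token mismatch"
    if req.path == "/login":
        return do_login(req)
    if session["user"] is None:
        return 401, "login required"
    return 200, f"action by {session['user']}"


if __name__ == "__main__":
    sid, tok = new_session()  # anonymous session issued with the login form
    forged = Request("POST", "/login", headers={"Origin": "https://other.example"},
                     cookies={"sid": sid},
                     form={"user": "alice", "password": "guess", "csrf_token": tok})
    print(handle(forged))  # rejected on Origin before credentials are even looked at
```

The order of the checks matters for BK's point: a login attempt driven from another origin is refused before `do_login` runs, so it neither consumes a lockout counter for the targeted account nor, if the guess happened to be right, leaves the victim logged in. The anonymous pre-login session exists only so the login form can carry a token; rotating the session on success keeps that anonymous id from being reused afterwards.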
Re: XSS + CSRF
Posted by: rsnake
Date: May 08, 2007 07:48PM

Gotta love those pretty pictures. ;) Enumerating sites using CSRF isn't really new though. I've seen it done several times (like the iframe + CSS port scanner based off my JavaScript-less CSS history hack). The dynamic payloads are more of an implementation detail of technology we've been talking about for a while now. So, yeah, they do have some nice pictures though! ;)

- RSnake
Gotta love it. http://ha.ckers.org
