[Dillo-dev] an experiment regarding cross site request forgery

Justus Winter 4winter at informatik.uni-hamburg.de
Wed Oct 1 13:32:25 CEST 2008


> On Tue, Sep 30, 2008 at 12:56:05PM +0000, corvid wrote:
>> Cross site request forgery is the one where the bad person sticks
>> an image tag or some javascript or whatever on a page,
>> and your privileges are used to do something.

Johannes Hofmann wrote:
> To me the cross site request forgery issue looks more like an issue of
> the cookie system.

No. CSRF is caused by browsers sending authentication credentials
implicitly with every request to a host. Those credentials might be
cookies, HTTP auth headers, SSL client certificates or even your IP
address in some (stupid) intranet solutions.

Joerg Sonnenberger wrote:
> There's nothing wrong with that. Such an image URL is a simple GET
> request. Any web application doing a modification is broken by design
> and there are good reasons for allowing such URLs. The problem is
> allowing POST actions to a different site than the one issuing it.

This is true, GET requests shouldn't be state changing. But there are
ways to create POST requests automatically (most "active content" can
do this) or by tricking the user into clicking on the submit button by
styling them via CSS (this is called "clickjacking" nowadays... yay for
more buzzwords) and using some social engineering ("click the monkey to
win big $$$").

Disallowing cross domain POST requests seems very restrictive but would
solve the problem.

Johannes Hofmann wrote:
> Perhaps we should be more careful when to send out a cookie.
> What about not sending cookies with image requests, if the host of
> the image url is different from the one in the main page?
> What do other browser do about this?

Yes, I think this is the way to go. One needs to decide when to send out
authentication credentials (legitimate session) and when to strip them
(CSRF attempt). Martin Johns and I developed a Firefox extension [0]
that does exactly this. Please see [1] pages 29 - 37 or [2] for more
information. [1] is also a pretty good introduction to CSRF. Please note
that the browser independent proxy solution is deprecated (but should
work unless the twisted framework changed its API too much) and the
Firefox extension is somewhat unmaintained at the moment...

Justus

[0] http://www.nongnu.org/requestrodeo/
[1] http://www.informatik.uni-hamburg.de/SVS/personnel/martin/psj06johns-e.pdf
[2] http://www.informatik.uni-hamburg.de/SVS/papers/2006_owasp_RequestRodeo.pdf
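The decision Justus describes (send credentials on a legitimate navigation, strip them on a request initiated by a different site), as an added Python example that is neither RequestRodeo's code nor anything from this thread. The hosts bank.example / evil.example, the stored credentials, and the same-site rule (scheme plus full host, no public-suffix handling) are assumptions; cross-site POST is blocked outright, following Joerg's stricter point.

```python
from urllib.parse import urlsplit

# Constructed sample: credentials the browser would otherwise attach to
# every request to bank.example (hypothetical host, made-up values).
STORED_CREDENTIALS = {
    "bank.example": {"Cookie": "session=abc123",
                     "Authorization": "Basic dXNlcjpwdw=="},
}
CREDENTIAL_HEADERS = ("Cookie", "Authorization")

def site_of(url):
    """Site key for the same-site test (assumption: scheme + full host)."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower())

def decide(request_url, initiator_url, method="GET"):
    """Policy for implicit credentials on one outgoing request.

    Returns 'send', 'strip' or 'block':
      - no initiator (typed URL, bookmark): legitimate navigation, send
      - same site as the initiating page: send
      - cross-site GET (e.g. an <img src=...> on a foreign page): strip
      - cross-site POST: block (the stricter rule from the thread)
    """
    if initiator_url is None:
        return "send"
    if site_of(request_url) == site_of(initiator_url):
        return "send"
    if method.upper() == "POST":
        return "block"
    return "strip"

def prepare_request(request_url, initiator_url, method="GET"):
    """Headers that would actually leave the browser, or None if blocked."""
    verdict = decide(request_url, initiator_url, method)
    if verdict == "block":
        return None
    host = (urlsplit(request_url).hostname or "").lower()
    headers = dict(STORED_CREDENTIALS.get(host, {}))
    if verdict == "strip":
        for name in CREDENTIAL_HEADERS:   # drop cookies and HTTP auth
            headers.pop(name, None)
    return {"method": method.upper(), "url": request_url, "headers": headers}

if __name__ == "__main__":
    # Constructed scenarios: typed URL, same-site image, image embedded on a
    # foreign page, scripted cross-site form POST.
    for url, src, m in [("https://bank.example/account", None, "GET"),
                        ("https://bank.example/logo.png", "https://bank.example/account", "GET"),
                        ("https://bank.example/transfer?to=x", "https://evil.example/p", "GET"),
                        ("https://bank.example/transfer", "https://evil.example/p", "POST")]:
        print(m, url, "<-", src, "=>", decide(url, src, m))
```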