About the Author

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.

Using CSRF for Browser Hijacking

Wed, 11 Oct 2006 at 03:56:45 GMT
7 Comments
References

Something the Myspace worm taught us is that traditional safeguards against CSRF (cross-site request forgeries) are rendered ineffective when XSS (cross-site scripting) vulnerabilities exist in a web application. This is because malicious content injected into a web site can do a number of things, such as send HTTP requests and receive HTTP responses with Ajax, or even attack servers on your local network.

The result is that an attacker can perfectly mimic your actions using your own browser. It's something I've labeled browser hijacking, and it's one of the most dangerous examples of CSRF to date. It's also basically the same attack that I've been discussing in recent posts such as Cross-Domain Ajax Insecurity and The Dangers of Cross-Domain Ajax with Flash, except that XSS is an easy way around the same-domain restriction (without requiring an open crossdomain.xml policy).

Think XSS doesn't matter? Think again. As Johann from ThinkPHP puts it:

Buy one XSS, get a CSRF for free.

I've been speaking at conferences about CSRF for years, and one of the most alarming things I've noted during that time is that very few developers are aware of it, even conceptually. Jeremiah Grossman has noticed this, too, and he likens CSRF to a sleeping giant. RSnake calls it "the attack of the future." SANS is doing their part by trying to raise awareness.

Hopefully good guys will learn about it before too many bad guys do.

About This Post

Using CSRF for Browser Hijacking was posted on Wed, 11 Oct 2006 at 03:56:45 GMT.

7 Comments

1. Andrew van der Stock said:

CSRF is mentioned in the first paragraph of the #1 item in the OWASP Top 10 2007.

Hopefully we will get more light shed on it soon!

Andrew
Wed, 11 Oct 2006 at 08:34:43 GMT Link

2. Ivan Markovic said:

Very interesting and dangerous security hole. Alredy I see new types of phising attacks with bypased messages on boards and forums.
Wed, 11 Oct 2006 at 09:25:32 GMT Link

3. mock said:

Well I think people in the perl community are starting to get it after I used it to demo taking over someone's CPAN account during my talk at YAPC::Europe. This is a rather amusing image if you know who wrote plagger.

Thu, 12 Oct 2006 at 06:59:42 GMT Link

4. Chris Shiflett said:

Mock, that's good to hear. :-)

Let me know if I can help in any way, or if you'd like to share ideas for slides or anything like that.
Thu, 12 Oct 2006 at 15:16:44 GMT Link

5. mock said:

Cool. I'm working on something nasty with crossdomain.xml right now, so I might be dropping you an email assuming I can get the basics to work.
Thu, 12 Oct 2006 at 21:13:28 GMT Link

6. gilberto melendez said:

Excuse me, I have been " reading " and I dont know if solutions like modsecurity at www.modsecurity.org can help to deal whit this attack.

Tue, 17 Oct 2006 at 05:28:21 GMT Link

7. doctorrock said:

Well, I think even with modsecurity activated, you can't do anything against XSS attacks using XHR, as XHR works from the user web navigator like if it was a normal request.

XSS are very powerfull attacks, because they act exactly as users used to, and are that way diffcult to detect.
Fri, 20 Oct 2006 at 20:33:15 GMT Link

Amir wrote:: Hi chris! Please check this and guide me: http://forums.devnetwork.net/viewtopic.php?f=34&t=8...; Posted in
Nathan Bentley wrote:: Hi Chris, A great tutorial, which should help a lot of people! We implemented something simil...; Posted in
Daniel S wrote:: Just recently I sold my 1.gen Macbook(core duo version). And to be honest, I don't miss it for on...; Posted in Top X List of Mac OS X Annoyances
Buke Beyond wrote:: I agree it is ridiculous that php is doing this. I am using php for generating commands for othe...; Posted in PHP Stripping Newlines
Davis Ford wrote:: I agree, although I have a list of many more annoyances. However, rather than complain about the...; Posted in Top X List of Mac OS X Annoyances