About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.


Using CSRF for Browser Hijacking

Something the Myspace worm taught us is that traditional safeguards against CSRF (cross-site request forgeries) are rendered ineffective when XSS (cross-site scripting) vulnerabilities exist in a web application. This is because malicious content injected into a web site can do a number of things, such as send HTTP requests and receive HTTP responses with Ajax, or even attack servers on your local network.

The result is that an attacker can perfectly mimic your actions using your own browser. It's something I've labeled browser hijacking, and it's one of the most dangerous examples of CSRF to date. It's also basically the same attack that I've been discussing in recent posts such as Cross-Domain Ajax Insecurity and The Dangers of Cross-Domain Ajax with Flash, except that XSS is an easy way around the same-domain restriction (without requiring an open crossdomain.xml policy).

Think XSS doesn't matter? Think again. As Johann from ThinkPHP puts it:

Buy one XSS, get a CSRF for free.

I've been speaking at conferences about CSRF for years, and one of the most alarming things I've noted during that time is that very few developers are aware of it, even conceptually. Jeremiah Grossman has noticed this, too, and he likens CSRF to a sleeping giant. RSnake calls it "the attack of the future." SANS is doing their part by trying to raise awareness.

Hopefully good guys will learn about it before too many bad guys do.

About this post

Using CSRF for Browser Hijacking was posted on Tue, 10 Oct 2006. If you liked it, follow me on Twitter or share:

8 comments

1.Andrew van der Stock said:

CSRF is mentioned in the first paragraph of the #1 item in the OWASP Top 10 2007.

Hopefully we will get more light shed on it soon!

Andrew

Wed, 11 Oct 2006 at 08:34:43 GMT Link


2.Ivan Markovic said:

Very interesting and dangerous security hole. Alredy I see new types of phising attacks with bypased messages on boards and forums.

Wed, 11 Oct 2006 at 09:25:32 GMT Link


3.mock said:

Well I think people in the perl community are starting to get it after I used it to demo taking over someone's CPAN account during my talk at YAPC::Europe. This is a rather amusing image if you know who wrote plagger.

Thu, 12 Oct 2006 at 06:59:42 GMT Link


4.Chris Shiflett said:

Mock, that's good to hear. :-)

Let me know if I can help in any way, or if you'd like to share ideas for slides or anything like that.

Thu, 12 Oct 2006 at 15:16:44 GMT Link


5.mock said:

Cool. I'm working on something nasty with crossdomain.xml right now, so I might be dropping you an email assuming I can get the basics to work.

Thu, 12 Oct 2006 at 21:13:28 GMT Link


6.gilberto melendez said:

Excuse me, I have been " reading " and I dont know if solutions like modsecurity at www.modsecurity.org can help to deal whit this attack.

Tue, 17 Oct 2006 at 05:28:21 GMT Link


7.doctorrock said:

Well, I think even with modsecurity activated, you can't do anything against XSS attacks using XHR, as XHR works from the user web navigator like if it was a normal request.

XSS are very powerfull attacks, because they act exactly as users used to, and are that way diffcult to detect.

Fri, 20 Oct 2006 at 20:33:15 GMT Link


8.Dev-G said:

Hi,

I am confused about one thing, we are passing the token as a hidden field and storing it in the Session. What will happen in case the hacker/attacker can see this hidden field using the view source.

Now, lets say a valid session for the user A is running on the website and user B(hacker) finds out the token value, by sniffing the network or lets just say get to know all the form params (It is my assumption, I don't know how it is possible to do it, may be view source).

Then the CSRF protection will fail right away, is that correct?

Shouldn't we do some thing else regarding the token like pass it in someway else other than the hidden field in the form?

Mon, 09 Mar 2009 at 23:07:46 GMT Link


Hello! What’s your name?

Want to comment? Please connect with Twitter to join the discussion.