CSRF is Wicked
By Daniel Miessler on February 14th, 2008: Tagged as Uncategorized

I’ve been studying web security again recently and decided to do a proof of concept (POC) of CSRF (Cross Site Request Forgery, often pronounced "Sea Surf").
The link below is a page on my website that logs you out of dslreports.com (my favorite security forum) without you doing anything but viewing the page. It works by my having an image on the page that points to the logout URL, which your browser automatically loads upon visiting the page.
The problem? If you’ve logged into DSLR recently, your browser sends your session cookie along with that request to the logout URL, so the site sees it as a logout YOU asked for. So YOU did it, not me. What else can someone make you do using your own credentials?
So here’s the link. Don’t click it unless you don’t mind me logging you out of DSLR.
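To make the mechanism concrete from the defender's side, here is an added example (my own, not code from the post or from dslreports.com) that models the logout endpoint twice: once the way the post describes it, where any request carrying the session cookie logs you out, and once hardened so that a cross-site `<img>` cannot trigger it. Requests, sessions, and the origins `https://forum.example` and `https://attacker.example` are all constructed in the script; there is no real HTTP stack, and the handler and function names are assumptions for illustration.

```python
"""Added example: an in-memory model of a logout endpoint, vulnerable and hardened.
Requests and sessions are plain dicts constructed here (no real HTTP involved)."""
import hmac
import secrets

SITE_ORIGIN = "https://forum.example"        # assumed origin of the web application
ATTACKER_ORIGIN = "https://attacker.example" # assumed origin of the page holding the <img>


def make_session(sessions):
    """Create a logged-in session that also carries a fresh per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = {"logged_in": True, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def vulnerable_logout(request, sessions):
    """Logs out on ANY request that carries a valid session cookie.
    A cross-site <img src=".../logout"> makes the browser issue a GET with the
    cookie attached, so the user is logged out without intending to."""
    session = sessions.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "no session"
    session["logged_in"] = False
    return 200, "logged out"


def hardened_logout(request, sessions):
    """Same endpoint with three checks a foreign page cannot satisfy:
    1. state changes only on POST (an <img> can only issue GET),
    2. if the browser sent an Origin header it must be the site itself,
    3. the body must carry the session's CSRF token, which another origin
       cannot read because of the same-origin policy."""
    session = sessions.get(request["cookies"].get("sid"))
    if session is None:
        return 401, "no session"
    if request["method"] != "POST":
        return 405, "logout requires POST"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    submitted = request["form"].get("csrf_token", "")
    # constant-time comparison so a wrong token cannot be distinguished byte by byte
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    session["logged_in"] = False
    return 200, "logged out"


def image_tag_request(sid):
    """What the browser sends for <img src="https://forum.example/logout"> on the
    attacker's page: a GET with the cookie attached and no way to include a token."""
    return {"method": "GET", "cookies": {"sid": sid},
            "headers": {"Referer": ATTACKER_ORIGIN + "/"}, "form": {}}


def forged_post_request(sid):
    """A cross-site form auto-submitted as POST: the browser adds Origin, and the
    foreign page still cannot know the token."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {"Origin": ATTACKER_ORIGIN}, "form": {}}


def bad_token_request(sid):
    """A POST from a client that sends no Origin header and guesses the token."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {}, "form": {"csrf_token": "guess"}}


def legitimate_logout_request(sid, token):
    """What the site's own logout form submits."""
    return {"method": "POST", "cookies": {"sid": sid},
            "headers": {"Origin": SITE_ORIGIN}, "form": {"csrf_token": token}}


def demo():
    """Run both handlers against the cross-site requests and the site's own form."""
    results = {}
    sessions = {}
    sid = make_session(sessions)
    results["vulnerable_img"] = vulnerable_logout(image_tag_request(sid), sessions)
    results["vulnerable_img_logged_in"] = sessions[sid]["logged_in"]

    sessions = {}
    sid = make_session(sessions)
    results["hardened_img"] = hardened_logout(image_tag_request(sid), sessions)
    results["hardened_img_logged_in"] = sessions[sid]["logged_in"]
    results["hardened_forged_post"] = hardened_logout(forged_post_request(sid), sessions)
    results["hardened_bad_token"] = hardened_logout(bad_token_request(sid), sessions)
    token = sessions[sid]["csrf_token"]
    results["hardened_form"] = hardened_logout(legitimate_logout_request(sid, token), sessions)
    results["hardened_form_logged_in"] = sessions[sid]["logged_in"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the two versions is that the cookie is not the bug on its own: the browser is doing exactly what cookies are for. The defect is that the vulnerable handler accepts the cookie as the only proof that the user meant the action. The hardened handler demands something the foreign page cannot supply (the per-session token) and refuses the request shapes an `<img>` or auto-submitted form can produce. Modern browsers also let the site mark the cookie `SameSite`, which keeps it off cross-site requests entirely; that is a complementary control, not a replacement for the token check.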
--

Pardon my ignorance of the subtleties, but am I understanding correctly that this is a cookie-based vulnerability? That is, if one removes all cookies when exiting a browser session (or even more frequently), is one at least somewhat protected from this sort of attack?
Comment by Carl M — 2/14/2008 @ 5:41 pm
Let's take your auction example. What if the site employed a captcha image or required some additional information to complete the request?
Comment by Ken — 2/15/2008 @ 2:43 am
@Carl
Yes, if your cookies weren’t there then you wouldn’t have that problem. But then you’d lose a whole lot of functionality. Another good suggestion is to use one browser profile for sensitive things and another for non-sensitive.
Of course, the best solution is to have web applications that are coded securely.
Comment by Daniel Miessler — 2/17/2008 @ 10:27 pm