
Circumventing CSRF Form Token Defense



CONJECTURE: An attacker could write a hybrid "html inspection, CSRF attack" 
mimicking an exact important form (like the funds transfer form for an exact 
bank) **even if the form in question uses form tokens**.

Here are the components of this theoretical attack:

1) The attacker manually reads the HTML of the form they are trying to 
mimic for the purpose of trying to discover the *form element name* of the 
hidden variable that contains the form token.

2) The attacker creates a 2-phase JavaScript program, similar to an HTTP TRACE 
attack, that does the following:
  a) The JavaScript makes a simple HTTP/S request to the form it is trying to 
mimic and inspects the returned HTML for the purpose of pulling out a valid 
form key, since the form key NAME is known from (1). 
  b) Use that form key/value pair ripped from (a) as part of the actual CSRF 
attack.

It would be a little complex to code, but would completely circumvent a form 
token defense if coding to attack an exact form of an exact bank.

Defense against this theoretical attack is to make the form element name for 
the form token itself hard to guess. 
For example, do not use a hidden variable named "formtoken" : <some 
hard-2-guess #> use something like: 
<hardtoguesselementname> : <hardtoguessvalue>

I'll try to come up with sample attack code and do additional research if 
anyone considers this theory to be plausible.

-- 
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim@xxxxxxxxxx
808.652.3805
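The two-phase attack sketched in the post above, written out as an added example; this is not code from the post or from any product it mentions. The bank form HTML, the hostnames bank.example and evil.example, the token field name "q7Zp_k" and its value are all constructed for the example. Two things it shows that the post's text does not: phase (a) can collect every hidden input without knowing the token's element name, so an unguessable name is no obstacle once the HTML can be read; and in a real browser the same-origin policy decides whether phase (a) can read that HTML at all from an attacker-controlled origin, which the last function checks against the bank's CORS response headers.

```javascript
// Added example, not code from the original post. Models the two-phase
// "read the form, then replay it" CSRF attack conjectured above against a
// constructed bank form, and checks the condition that decides whether
// phase (a) can work from an attacker-controlled origin.

// Constructed sample: the page returned by a GET of the transfer form. The
// token field name "q7Zp_k" is deliberately not guessable, as the post's
// proposed defense suggests; the token value is made up for the example.
const SAMPLE_FORM_HTML = `
<html><body>
<form id="xfer" action="https://bank.example/transfer" method="POST">
  <input type="hidden" name="q7Zp_k" value="3f9a1c5e7b2d">
  <input type="text" name="to_account" value="">
  <input type="text" name="amount" value="">
  <input type="submit" value="Transfer">
</form>
</body></html>`;

// Read one double-quoted attribute from a single tag; null if absent.
function getAttr(tag, attr) {
  const m = new RegExp('\\b' + attr + '\\s*=\\s*"([^"]*)"', 'i').exec(tag);
  return m ? m[1] : null;
}

// Phase (a): collect every hidden input in the form as name -> value.
// Taking all hidden fields, rather than one known name, is the step the
// post's defense does not cover: a script that can read the HTML does not
// need to guess the token's element name in advance.
function extractHiddenFields(html) {
  const fields = {};
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    if ((getAttr(tag, 'type') || '').toLowerCase() !== 'hidden') continue;
    const name = getAttr(tag, 'name');
    if (name !== null) fields[name] = getAttr(tag, 'value') || '';
  }
  return fields;
}

// Where the forged request must go, taken from the form itself.
function extractFormAction(html) {
  const form = /<form\b[^>]*>/i.exec(html);
  return form ? getAttr(form[0], 'action') : null;
}

// Phase (b): the forged POST body, i.e. the stolen hidden fields (token
// included) plus attacker-chosen values for the visible ones.
function buildForgedBody(hiddenFields, overrides) {
  const params = new URLSearchParams();
  for (const [k, v] of Object.entries(hiddenFields)) params.set(k, v);
  for (const [k, v] of Object.entries(overrides)) params.set(k, v);
  return params.toString();
}

// The gate on phase (a) in a real browser: script on the attacker's origin
// may *send* a credentialed request to the bank, but the same-origin policy
// hides the response unless the bank's CORS headers expose it. Because the
// victim's cookies must be attached (credentials mode), a wildcard
// Access-Control-Allow-Origin does not qualify; the attacker's origin must
// be echoed exactly and Access-Control-Allow-Credentials must be "true".
function responseReadableByAttacker(responseHeaders, attackerOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  return h['access-control-allow-origin'] === attackerOrigin &&
         (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
}

// Walk the whole attack on the constructed sample. Returns null when phase
// (a) would be blocked by the browser, otherwise the request the attacker
// would send in phase (b).
function simulateAttack(html, responseHeaders, attackerOrigin, overrides) {
  if (!responseReadableByAttacker(responseHeaders, attackerOrigin)) return null;
  return {
    action: extractFormAction(html),
    body: buildForgedBody(extractHiddenFields(html), overrides),
  };
}
```

Calling simulateAttack(SAMPLE_FORM_HTML, {}, 'https://evil.example', { to_account: '999', amount: '1000' }) returns null, because a bank that sends no CORS headers never lets evil.example read the form page; the same call with the bank echoing Access-Control-Allow-Origin: https://evil.example and Access-Control-Allow-Credentials: true returns the full forged request, token included. The practical consequence is that the phase (a) read only succeeds with script already running on the bank's origin (XSS) or a CORS misconfiguration of that shape, and in either case renaming the hidden field does not help.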