Circumventing CSRF Form Token Defense
CONJECTURE: An attacker could write a hybrid "html inspection, CSRF attack"
mimicking an exact important form (like the funds transfer form for an exact
bank) **even if the form in question uses form tokens**.
Here are the components of this theoretical attack:
1) The attacker manually reads the HTML of the form they are trying to
mimic for the purpose of trying to discover the *form element name* of the
hidden variable that contains the form token.
2) The attacker creates a 2-phase JavaScript program, similar to an HTTP Trace
attack, that does the following:
a) The JavaScript makes a simple HTTP/S request to the form it is trying to
mimic and inspects the returned HTML for the purpose of pulling out a valid
form key, since the form key NAME is known from (1).
b) It uses that form key/value pair ripped from (a) as part of the actual CSRF
attack.
It would be a little complex to code, but would completely circumvent a form
token defense if coded to attack an exact form of an exact bank.
Defense against this theoretical attack is to make the form element name for
the form token itself hard to guess.
For example, do not use a hidden variable named "formtoken" : <some
hard-2-guess #>; use something like:
<hardtoguesselementname> : <hardtoguessvalue>
I'll try to come up with sample attack code and do additional research if
anyone considers this theory to be plausible.
--
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim@xxxxxxxxxx
808.652.3805
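The defense proposed in the post (a hard-to-guess element name alongside a hard-to-guess token value), as an added example that is not part of the original message: both the hidden field's name and its value are derived per session with an HMAC under a server-side key, so the validator can recompute them without a lookup table. `SERVER_KEY`, the session ids and the function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Per-deployment secret; constructed here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)


def _derive(session_id: str, purpose: bytes, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over (purpose || session id), hex-encoded so it is safe in HTML."""
    msg = purpose + b"\x00" + session_id.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_csrf_field(session_id: str) -> Tuple[str, str]:
    """Return (field_name, token) for one session's hidden input.

    The element name itself is unguessable and differs per session, so a
    script that knows the field is called "formtoken" has nothing to look for.
    """
    # Leading letter keeps the derived name a well-formed HTML name attribute.
    field_name = "f" + _derive(session_id, b"field-name")[:16]
    token = _derive(session_id, b"token")
    return field_name, token


def render_hidden_input(session_id: str) -> str:
    """Markup to embed in the form for this session."""
    field_name, token = issue_csrf_field(session_id)
    return f'<input type="hidden" name="{field_name}" value="{token}">'


def validate_csrf_field(session_id: str, posted: Dict[str, str]) -> bool:
    """Accept the POST only if this session's own field name carries its own token.

    A token lifted from another session's page fails because both the name and
    the value are bound to the session that is submitting the form.
    """
    expected_name, expected_token = issue_csrf_field(session_id)
    supplied = posted.get(expected_name)
    if supplied is None:
        return False
    return hmac.compare_digest(supplied, expected_token)
```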