Re: Circumventing CSFR Form Token Defense

To: Jim Manico <jim@xxxxxxxxxx>
Subject: Re: Circumventing CSFR Form Token Defense
From: Florian Weimer <fw@xxxxxxxxxxxxx>
Date: Wed, 10 Jan 2007 08:38:44 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <45A32CD0.3020204@xxxxxxxxxx> (Jim Manico's message of "Mon, 08 Jan 2007 19:49:04 -1000")
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <45A32CD0.3020204@xxxxxxxxxx>

* Jim Manico:

> CONJECTURE: An attacker could write a hybrid "html inspection, CSRF
> attack" mimicking an exact important form (like the funds transfer
> form for an exact bank) **even if the form in question uses form
> tokens**.

I'm not sure what you mean by "form tokens", but correctly generated
tokens are unique to the user's session.

>   a) The javascript makes a simple HTTP/S request to the form it is
>   trying to mimic and inspects the returned HTML for the purpose of
>   pulling out a valid form key since the form key NAME is known from
>   (1).

To work, this requires a cross-site scripting vulnerability in the web
application (or lack of enforcement of the same-origin policy by the
browser).  (The rule of thumb is: XSS for read access, CSRF for write
access.)

References:
- Circumventing CSFR Form Token Defense
  - From: Jim Manico

Prev by Date: Re: a cheesy Apache / IIS DoS vuln (+a question)
Next by Date: Re: SAP Security Contact
Previous by thread: Circumventing CSFR Form Token Defense
Next by thread: Re: Circumventing CSFR Form Token Defense
Index(es):
- Date
- Thread