Re: [Full-disclosure] [WEB SECURITY] Persistent CSRF and The Hotlink Hell

To: Ryan Barnett <rcbarnett@xxxxxxxxx>
Subject: Re: [Full-disclosure] [WEB SECURITY] Persistent CSRF and The Hotlink Hell
From: Blue Boar <BlueBoar@xxxxxxxxxxx>
Date: Mon, 16 Apr 2007 18:09:46 -0700
Cc: "pdp (architect)" <pdp.gnucitizen@xxxxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, WASC Forum <websecurity@xxxxxxxxxxxxx>, "webappsec @OWASP" <webappsec@xxxxxxxxxxxxxxx>
In-reply-to: <cba0286a0704161449l3c4c96bfs1bd515ce30a9fe6a@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <6905b1570704160809t60b17fecra607f4cf79cfab14@xxxxxxxxxxxxxx> <cba0286a0704161449l3c4c96bfs1bd515ce30a9fe6a@xxxxxxxxxxxxxx>
User-agent: Thunderbird 1.5.0.10 (Macintosh/20070221)

He compromised the server(s) at the ad network we were using at the
time, and simply served up his ad instead of the usual ones.

                                        BB

Ryan Barnett wrote:
> I believe that the SecurityFocus "defacement" by FluffiBunni a few
> years back would be an example of the defacement attack that Michael
> listed in his article.  The concept was that SF had a trust
> relationship with the company that was rotating their banners and FB
> replaced the expected image with the defaced one.  I don't remember
> the exact details on how the banner images were fed in (vs.
> Hotlinking, etc...)
> 
> Does anyone have specific info from that defacement?
> 
> Isn't this somewhat related to the same trust issues with RSS feed attacks?
> 
> 
> On 4/16/07, pdp (architect) <pdp.gnucitizen@xxxxxxxxxxxxxx> wrote:
>> http://www.gnucitizen.org/blog/persistent-csrf-and-the-hotlink-hell/
>> http://michaeldaw.org/papers/hotlink_persistent_csrf/
>>
>> I would like to bring your attention to a topic that has been rarely
>> discussed. I am going to talk about hotlinks, redirections and of
>> course CSRF (Cross-site Request Forgery).
>>
>> When we talk about CSRF we often assume that there is one kind only.
>> After all, what else is in there when CSRF is all about making GET or
>> POST requests on behalf of the victim? The victim needs to visit a
>> page which launches the CSRF exploit. If the victim happens to have an
>> established session with the exploited application, the attacker can
>> perform the desired action like resetting the login credentials, for
>> example.
>>
>> However, CSRF can be as persistent as persistent XSS (Cross-site
>> Scripting) is and you don't need XSS to support it. Persistent CSRF is
>> not dependent on persistent XSS.
>>
>> I hope that you find the post useful.
>>
>> --
>> pdp (architect) | petko d. petkov
>> http://www.gnucitizen.org
>>
>> ----------------------------------------------------------------------------
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>>
> 
>

References:
- Re: [WEB SECURITY] Persistent CSRF and The Hotlink Hell
  - From: Ryan Barnett

Prev by Date: my little forum 1.7 Remote File Include Vulnerabilitiy
Next by Date: RE: Windows DNS Cache Poisoning by Forwarder DNS Spoofing
Previous by thread: Re: [WEB SECURITY] Persistent CSRF and The Hotlink Hell
Next by thread: webMethods Security Advisory: Glue console directory traversal vu lnerability
Index(es):
- Date
- Thread