web application security lab

A story that diggs itself

Digger just sent me a link to a story that diggs itself (Warning: turn off JavaScript or log out of Digg.com before you click on this or you will digg the article.)  This is actually a pretty good tutorial on how cross-site request forgery (CSRF) works, if you aren’t familiar with it.  What Digger showed is that his site can redirect back to a form that performs a site function.  Since you are logged in, and your browser is the one that goes to that function, it performs the function as you.

This is actually a surprisingly little-known attack for some reason.  I’m still not quite sure why it hasn’t taken off with more virulence.  Generally the attack does fairly benign stuff like automatically logging you out of a website or something else equally lame.  But it really can perform nasty functions (like getting an admin to turn you into an admin, etc…).

Digger also showed something that is, surprisingly, a very common but misguided way of fixing a CSRF attack: requiring the form to use the POST method rather than GET.  That’s super easy to defeat.  The only time you can’t defeat it is when you can’t actually enter HTML, but rather all you can do is get a user to click on a link.  Another way this is easily defeated is if the site uses ISAPI or other tools that don’t care whether the method is GET or POST (the method is actually abstracted away from the web developer).  Alas…

Anyway, I’m out for a few days so this’ll be my last post until the weekend is over.  No parties while I’m gone - not unless you save some for me.  Have a good weekend!
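To make the two points above concrete (a logged-in browser submits whatever form it is pointed at, and "POST only" does nothing about that), here is an added example that is not part of the original post or of Digg. It simulates the server side of a "digg this story" action with plain dicts standing in for HTTP requests: one handler that only checks the method, and one that also requires a secret token bound to the session (the remedy mentioned in the comments). Session ids, the story id, cookie and field names and the token derivation are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed: server-side secret used to derive per-session anti-CSRF tokens.
SERVER_SECRET = secrets.token_bytes(32)

# Constructed session store: cookie value -> logged-in user.
SESSIONS = {"sid-alice": "alice"}


def csrf_token_for(session_id: str) -> str:
    """Unguessable token bound to the session (HMAC of the session id under
    the server secret).  A third-party page never sees this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_digg_form(session_id: str, story_id: int) -> str:
    """The form the legitimate site embeds in its own pages; the token rides
    along as a hidden field, so only forms served by the site carry it."""
    return (f'<form method="POST" action="/digg">'
            f'<input type="hidden" name="story" value="{story_id}">'
            f'<input type="hidden" name="csrf" value="{csrf_token_for(session_id)}">'
            f'</form>')


def digg_post_only(request: dict) -> str:
    """The 'fix' the post calls out: accept only POST.  The browser still
    attaches the victim's cookie to a cross-site POST, so this passes."""
    user = SESSIONS.get(request["cookies"].get("sid"))
    if user is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 method not allowed"
    return f"200 {user} dugg story {request['form']['story']}"


def digg_with_token(request: dict) -> str:
    """Hardened handler: POST plus a token that must match the session's."""
    sid = request["cookies"].get("sid")
    user = SESSIONS.get(sid)
    if user is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 method not allowed"
    supplied = request["form"].get("csrf", "")
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(supplied, csrf_token_for(sid)):
        return "403 missing or wrong csrf token"
    return f"200 {user} dugg story {request['form']['story']}"


def cross_site_request(story_id: int) -> dict:
    """Constructed: what the server receives when another site's page makes the
    victim's browser submit a POST to /digg.  The cookie comes along
    automatically; the token does not, because that page never had it."""
    return {"method": "POST", "cookies": {"sid": "sid-alice"},
            "form": {"story": str(story_id)}}


def same_site_request(story_id: int) -> dict:
    """Constructed: a submission of the site's own rendered form, token included."""
    return {"method": "POST", "cookies": {"sid": "sid-alice"},
            "form": {"story": str(story_id), "csrf": csrf_token_for("sid-alice")}}


def demo() -> dict:
    """Run both handlers against forged, genuine and guessed-token requests."""
    forged = cross_site_request(1234)
    genuine = same_site_request(1234)
    guessed = dict(genuine, form={"story": "1234", "csrf": "0" * 64})
    return {
        "post_only_vs_forged": digg_post_only(forged),   # accepted: POST alone is no defence
        "token_vs_forged": digg_with_token(forged),      # rejected: no token
        "token_vs_genuine": digg_with_token(genuine),    # accepted
        "token_vs_guessed": digg_with_token(guessed),    # rejected: wrong token
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token is derived from the session rather than stored per form, which keeps the check stateless; a real deployment would also rotate the server secret and tie the token to the session lifetime, but the property that matters here is the one shown: a request the site did not originate cannot carry a token that matches.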

3 Responses to “A story that diggs itself”

  1. Luny Says:

    Have a good weekend too RSnake.

  2. Roshen Says:

    Thomas Schreiber wrote an excellent piece on Session Riding/CSRF attacks in 2004. http://www.securenet.de/papers/Session_Riding.pdf

    As he explains in that, the solution that *does* work is using a secret in the URL, so it’s impossible for the adversary to guess the URL.

    He has a sub-section on why it really doesn’t matter whether the app insists on GET or POST.

  3. ha.ckers.org security lab - Archive » Digg is Vulnerable to XSS Says:

    […] Today I got an email from Digger - aka Clear Rivers who sent me a link to his blog.  If you remember he is the one who found the CSRF vulnerability in digg.  This, in my mind, is actually more dangerous, because it could be used for phishing, and easily falsifying diggs by doing some AJAXy stuff via the JavaScript itself.  The only minor saving grace is that it’s not really HTML injection, but rather parameter injection inside of an input tag, which makes it slightly harder to exploit on a large scale being that it does require some onmouseover stuff. […]