CSRF And Ignoring Basic/Digest Auth
One of the most annoying things about CSRF against routers and similar devices is the login popup you get from pages protected by Basic or Digest authentication. More and more devices are moving away from these popup-style prompts toward form-based authentication, which is better from a hacking perspective, but I would still say the vast majority of firewall/switch/router devices out there use Basic or Digest auth. The problem with that from an attacker's perspective is that a CSRF request that fails (because the user isn't currently authenticated) makes the browser throw up a noisy credential prompt that the user is bound to notice and question. Well, now we have an answer, at least in Internet Explorer:
<DIV STYLE="background-image: url(http://router/path.to.hack)">blah</DIV>
I know there are other tags that work, but probably not as well as this method from what I've seen so far. I haven't found a reliable way to do this in other browsers, but I've only barely scratched the surface of the vast number of CSRFable tags out there. Anyway, yes, this doesn't cause the Basic or Digest auth dialog to fire, so a CSRF that fails is more stealthy. Of course, for POST-based CSRF you're still out of luck, since a CSS background-image only ever issues a GET.



July 1st, 2009 at 7:50 am
<img src="https://username:password@u.r.gate.way/known/path/img.gif">
the tag above will auth a session w/o a popup on basic-auth in ff last time i checked…
http://rwnin.blogspot.com/2009/06/from-blackhat-reject-bin.html
July 1st, 2009 at 7:59 am
Yes, but what about when it fails? That is the real question.
July 2nd, 2009 at 7:44 am
if you have the wrong creds, the img shows as broken (red-x) and there's no secondary prompt for creds (iirc, it's been a while)
July 2nd, 2009 at 8:17 am
uhh… not in IE or Firefox… what browser are you using?
Firefox alerts on failure, and IE doesn’t work at all because it doesn’t use that syntax anymore. Maybe another browser does…?
July 3rd, 2009 at 3:11 am
Talking about CSRF and router hacking, did you notice include finally ABE with a built-in LocalRodeo-like rule?
July 3rd, 2009 at 3:12 am
Broken post above. Should have been
July 6th, 2009 at 2:58 pm
@Giorgio - I finally got a chance to look at it, and it looks really powerful. Not yet to the point of being brain dead, and I’m not sure it yet takes the place of things like Request Policy, but I can see where you’re going with it. I’ll email you a wishlist momentarily.
July 9th, 2009 at 7:27 am
A Post CSRF attack can also be accomplished very easily. If you would like to see an example of how to commit one I recently wrote an article demonstrating how to commit a CSRF post attack so that developers know how to defend against it. It can be found at blog.runxc.com/post/2009/07/06/CSRF-by-Example-How-to-do-it-How-to-defend-it.aspx
July 9th, 2009 at 8:33 am
@runxc1 - a bit off topic, as this is about how to accomplish one under very specific circumstances, and no, POST wouldn’t work in that example. But it’s good that you’re thinking about the problem.