CSRF is Wicked

By Daniel Miessler on February 14th, 2008: Tagged as Uncategorized

I’ve been studying web security again recently and decided to do a POC of CSRF (Sea Surf) (Cross Site Request Forgery).

The link below is a page on my website that logs you out of dslreports.com (my favorite security forum) without you doing anything but viewing the page. It works by my having an image on the page that points to the logout URL, which your browser automatically loads upon visiting the page.

The problem? If you’ve been to DSLR recently it sends your cookie along with the request to logout. So YOU did it, not me. What else can someone make you do using your own credentials?

So here’s the link. Don’t click it unless you don’t mind me logging you out of DSLR.

[ CSRF POC: CSRF is Wicked ]

Related Content

Carl M

Pardon my ignorance of the subtleties, but am I understanding correctly that this is a cookie-based vulnerability? That is, if one removes all cookies when exiting a browser session (or even more frequently), is one at least somewhat protected from this sort of attack?
Carl M

Pardon my ignorance of the subtleties, but am I understanding correctly that this is a cookie-based vulnerability? That is, if one removes all cookies when exiting a browser session (or even more frequently), is one at least somewhat protected from this sort of attack?
http://kenswain.com/ Ken

Lets take your auction example. What if the site employed a captcha image or required some additional information to complete the request?
http://kenswain.com Ken

Lets take your auction example. What if the site employed a captcha image or required some additional information to complete the request?
http://dmiessler.com/ Daniel Miessler

@Carl

Yes, if your cookies weren’t there then you wouldn’t have that problem. But then you’d lose a whole lot of functionality. Another good suggestion is to use one browser profile for sensitive things and another for non-sensitive.

Of course, the best solution is to have web applications that are coded securely.
http://dmiessler.com Daniel Miessler

@Carl

Yes, if your cookies weren’t there then you wouldn’t have that problem. But then you’d lose a whole lot of functionality. Another good suggestion is to use one browser profile for sensitive things and another for non-sensitive.

Of course, the best solution is to have web applications that are coded securely.

Top

Information Security / Technology

Politics

Philosophy & Religion

Technology & Science

Culture & Society

Miscellaneous

A Coffee Primer

Arguments

Projects

Collections

Twitter

Motivational Speaking in a World Without Free Will | http://t.co/fqAcoQdu #philosophy
SSD back in MBP. Happy again. RPMs only belong in cars.
Reminder: If you don't know SQL Injection it's because you don't know SQL. Once you understand the technology the security is obvious.
@simonsarris Can't tell if you're agreeing with me or not.
Is Trojan really a good name for a condom company? The original was let in trustingly, released its dangerous payload, and chaos ensued.