Bugtraq mailing list archives
Circumventing CSFR Form Token Defense
From: Jim Manico <jim () manico net>
Date: Mon, 08 Jan 2007 19:49:04 -1000
CONJECTURE: An attacker could write a hybrid "HTML inspection, CSRF attack" mimicking an exact important form (like the funds transfer form for an exact bank) **even if the form in question uses form tokens**.

Here are the components of this theoretical attack:

1) The attacker manually reads the HTML of the form they are trying to mimic for the purpose of trying to discover the *form element name* of the hidden variable that contains the form token.

2) The attacker creates a 2-phase JavaScript program, similar to an HTTP TRACE attack, that does the following:

   a) The JavaScript makes a simple HTTP/S request to the form it is trying to mimic and inspects the returned HTML for the purpose of pulling out a valid form key, since the form key NAME is known from (1).

   b) Use that form key value pair ripped from (a) as part of the actual CSRF attack.

It would be a little complex to code, but would completely circumvent a form token defense if coded to attack an exact form of an exact bank.

Defense against this theoretical attack is to make the form element name for the form token itself hard to guess. For example, do not use a hidden variable named "formtoken" : <some hard-2-guess #>; use something like: <hardtoguesselementname> : <hardtoguessvalue>

I'll try to come up with sample attack code and do additional research if anyone considers this theory to be plausible.

--
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim () manico net
808.652.3805
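The following is an added example, not code from the post or from any bank application it describes. It shows the server-side half of the form token defense under discussion: a synchronizer token whose hidden field carries both an unguessable name and an unguessable value, as the post suggests, and a validation routine that only accepts the pair that was issued to the submitting user's own session. The in-memory session store, the field names, and the `/transfer` form are all constructed for the example; a real application would keep this state in its session backend.

```python
import hmac
import secrets
from html import escape

# Constructed in-memory session store for the example:
# session_id -> {"csrf_name": <random field name>, "csrf_value": <random token>}
SESSIONS = {}


def new_session():
    """Create a session and issue it a fresh token.

    Both the hidden field's NAME and its VALUE are random per session, so a
    name learned from one rendering of the form is not reusable elsewhere.
    """
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "csrf_name": "f_" + secrets.token_hex(8),     # hard-to-guess element name
        "csrf_value": secrets.token_urlsafe(32),      # hard-to-guess token value
    }
    return sid


def render_transfer_form(sid):
    """Render the (constructed) funds-transfer form for one session.

    The hidden token field is emitted under that session's random name.
    Values are HTML-escaped so the token can never break out of the attribute.
    """
    s = SESSIONS[sid]
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="{escape(s["csrf_name"])}" '
        f'value="{escape(s["csrf_value"])}">'
        '<input name="to"><input name="amount">'
        '<button type="submit">Send</button></form>'
    )


def validate_transfer(sid, form_fields):
    """Accept a POST only if it carries THIS session's token under THIS session's field name.

    A token lifted from a form rendered in some other session fails here,
    because the expected name/value pair is looked up from the submitting
    session, not from whatever field names appear in the request.
    """
    s = SESSIONS.get(sid)
    if s is None:
        return False                      # unknown or expired session
    submitted = form_fields.get(s["csrf_name"])
    if submitted is None:
        return False                      # field missing or under the wrong name
    # Constant-time comparison so the check does not leak token bytes via timing.
    return hmac.compare_digest(submitted, s["csrf_value"])


def demo():
    """Run the issue -> render -> validate cycle and a cross-session misuse check."""
    alice = new_session()
    bob = new_session()
    alice_token = SESSIONS[alice]

    legit = validate_transfer(
        alice, {alice_token["csrf_name"]: alice_token["csrf_value"],
                "to": "savings", "amount": "10"})
    # A pair taken from Alice's form does not validate for Bob's session.
    replayed = validate_transfer(
        bob, {alice_token["csrf_name"]: alice_token["csrf_value"]})
    # The guessable, fixed name "formtoken" is not what the server looks for.
    guessed = validate_transfer(alice, {"formtoken": alice_token["csrf_value"]})
    return {"legit": legit, "replayed": replayed, "guessed_name": guessed}


if __name__ == "__main__":
    print(demo())
```

The design point is that the server never trusts a field name or value supplied by the client; it derives both from the submitting session and compares against that. Rotating the pair after each successful POST, or binding the value to the session with an HMAC instead of storing it, are common refinements that keep the same validation shape.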
Current thread:
- Circumventing CSFR Form Token Defense Jim Manico (Jan 09)
- Re: Circumventing CSFR Form Token Defense Florian Weimer (Jan 10)
- Re: Circumventing CSFR Form Token Defense Peter Watkins (Jan 10)
- <Possible follow-ups>
- Re: Circumventing CSFR Form Token Defense bugtraq (Jan 10)
- RE: Circumventing CSFR Form Token Defense James C. Slora Jr. (Jan 11)