Secure Coding mailing list archives

CSRF and Header Forging - your thoughts needed


From: lcamtuf at coredump.cx (Michal Zalewski)
Date: Fri, 14 May 2010 09:43:44 -0700

I'm looking for thoughts on CSRF attacks that result in forged headers from
the victim user to the target site. Are there modern attacks that work here?
If not, could we implement a CSRF protection that uses a custom header and
avoid the cost of computing random numbers?

The only thing that undermines this approach is that there's a fairly
steady stream of plugin implementation bugs that make header injection
easy (XMLHttpRequest implementation bugs seem to be dying off). They
usually (not always!) require you to be SOP with the attacked domain,
so theoretically no problem - but if you can also tweak "Host", it
becomes a problem on systems with multiple virtual servers on a single
IP, one of them controlled by a rogue party or just vulnerable to XSS.

In any case... I am willing to say that this is a reasonably robust
XSRF defense in most cases, but you have to keep this extra likelihood
of breakage in mind.

/mz
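As an added example that is not part of the thread, here is a minimal server-side version of the custom-header check discussed above, run over constructed sample requests to show what it accepts and where the plugin header-injection caveat leaves it blind; the header name, value and sample requests are assumptions for illustration.

```python
# Added example, not code from the thread: a custom-header CSRF check with
# constructed sample requests. Header name/value are assumed for illustration.

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
CSRF_HEADER = "x-requested-with"   # assumed header that only same-origin JS can set
CSRF_VALUE = "XMLHttpRequest"


def _header(headers, name):
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_csrf(method, headers):
    """Return (allowed, reason) for one request.

    Safe methods pass; state-changing methods must carry the custom header.
    A cross-site HTML form cannot add arbitrary headers, so a classic
    form-based CSRF is rejected without any per-request random token.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if _header(headers, CSRF_HEADER) != CSRF_VALUE:
        return False, "missing or wrong custom header"
    return True, "custom header present"


# Constructed sample requests (assumed host "app.example").
SAMPLE_REQUESTS = {
    # Cross-site <form method=post>: the browser sends no custom header.
    "cross_site_form": ("POST", {"Host": "app.example",
                                 "Content-Type": "application/x-www-form-urlencoded"}),
    # Same-origin XMLHttpRequest issued by the application's own JavaScript.
    "same_origin_xhr": ("POST", {"Host": "app.example",
                                 "X-Requested-With": "XMLHttpRequest"}),
    # A plain navigation: reads are not protected and need not be.
    "get_page": ("GET", {"Host": "app.example"}),
    # The caveat from the post: if a plugin bug lets arbitrary headers (and
    # possibly Host) be injected, the server cannot tell this request from a
    # legitimate one, so the check passes. Only a per-request token would not.
    "forged_via_plugin_bug": ("POST", {"Host": "app.example",
                                       "X-Requested-With": "XMLHttpRequest"}),
}


def evaluate_samples():
    """Map each constructed request name to whether the check allows it."""
    return {name: check_csrf(m, h)[0] for name, (m, h) in SAMPLE_REQUESTS.items()}
```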
