WebApp Sec mailing list archives

Re: CSRF attack in Firefox


From: "Jamie Riden" <jamie.riden () gmail com>
Date: Tue, 18 Mar 2008 16:01:15 +0000

On 18/03/2008, Vishal Garg <vishal () firstbase co uk> wrote:
> Hi List,
>
> I have tested the following attack in Firefox and it has worked
> successfully, while I would not have expected this to work because of
> the same origin policy in Firefox. The Firefox version I am using is 2.0.0.12.
>
> http://www.victim.com/webapp/wcs/servlet/ImagePopup?storeId=111&imageName=image1.jpg&imageText=%3Cimg%20src=http://www.attacker.com/images/image2.jpg%3E
>
> Can someone please explain why this attack works in Firefox.

Same origin doesn't apply to <img> tags - you can load images from
anywhere on the net. But, it looks like you are exploiting an XSS to
get your image loaded into a page, rather than a CSRF to GET/POST to a
victim server.

The typical CSRF request would produce a GET/POST to e.g.
http://victim.com/deletemyprofile.php , but triggered by viewing a
page on http://attacker.com/ - so you don't really have a CSRF attack
here, but it does look like XSS. (I think - please feel free to disagree)

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
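
The reflected-markup issue discussed in this thread, as an added example that is not part of the original messages: the URL is the one from the post, while `renderPopupUnsafe` and `renderPopupSafe` are hypothetical stand-ins for the servlet's rendering code, which the thread does not show. It contrasts reflecting `imageText` as-is with HTML-encoding it on output.

```javascript
// Added example: hypothetical re-creation of an ImagePopup-style handler.
// The sample URL is the one from the post; the rendering code is assumed.
const SAMPLE_URL =
  "http://www.victim.com/webapp/wcs/servlet/ImagePopup?storeId=111" +
  "&imageName=image1.jpg" +
  "&imageText=%3Cimg%20src=http://www.attacker.com/images/image2.jpg%3E";

// Encode the five characters that are significant in HTML text and
// quoted attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: query parameters are concatenated into the page as-is.
function renderPopupUnsafe(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  return `<html><body><img src="/images/${q.get("imageName")}">` +
         `<p>${q.get("imageText")}</p></body></html>`;
}

// Hardened form: imageName is restricted to a plain file name, and
// imageText is HTML-encoded before it reaches the response.
function renderPopupSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const name = q.get("imageName") || "";
  if (!/^[A-Za-z0-9_-]+\.(jpg|png|gif)$/.test(name)) {
    throw new Error("invalid imageName");
  }
  return `<html><body><img src="/images/${escapeHtml(name)}">` +
         `<p>${escapeHtml(q.get("imageText") || "")}</p></body></html>`;
}

// Count <img> elements a browser would parse out of the response body.
function countImgTags(html) {
  return (html.match(/<img\b/gi) || []).length;
}

console.log("unsafe:", countImgTags(renderPopupUnsafe(SAMPLE_URL)), "img tags");
console.log("safe:  ", countImgTags(renderPopupSafe(SAMPLE_URL)), "img tag");
```

With the encoded form the browser displays the submitted text literally and issues no request to the third-party host, which is the behaviour the same-origin policy was never going to provide for `<img>`.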
