A Simple Demonstration of CSRF risk
Noted web security expert Jeremiah Grossman has published an interesting article that is a welcome reminder of how easy it is for one website to find out whether a visitor is logged in to another. The trick is an instance of cross-site request forgery (CSRF): the browser attaches the victim's cookies to a request that the attacker's page initiated.
Using the method Jeremiah describes, the attacker's page requests a resource that the target site serves only to a logged-in user, for example by pointing an <img> or <script> tag at it so the browser fetches it with the victim's cookies attached. The nature of the response reveals whether the user is logged in: either the resource loads and the element's onload handler fires, or the site returns an error or a redirect to its login page and onerror fires instead. The attacker never sees the cookie or the resource itself; which handler fires is enough.
Jeremiah suggests two options for site developers wanting to prevent this sort of attack: remove the authentication requirement from resources that aren't actually sensitive, so that they are returned to a non-authenticated user too and the response no longer distinguishes the two cases; or tokenise the resource descriptors (put an unguessable, per-user token in the URL) so that guessing the resource's address is not a viable way of finding it. Browser developers could prevent this sort of cross-site information leakage in some way, but no concrete suggestion is put forward, and a blunt fix would break a lot of existing Internet functionality that relies on a page being able to request and display content from other sites in its own context, such as online advertising.
Most attacks that exploit a user's being logged in to a site are carried out blind, without first checking the login status. The simplicity with which that status can be checked makes targeted attacks, and attacks that are harder to detect because they fire only against users known to be logged in, much more likely.
15 March 2008