The Web Application Hacker’s Handbook Discovering and Exploiting Security Flaws

Cross-Site Request Forgery

Cross-site request forgery (XSRF) involves a similar delivery mechanism to the frame injection attack described earlier. However, XSRF does not involve the attacker presenting any spoofed content to the user. Rather, the attacker creates an innocuous-looking web site that causes the user’s browser to submit a request directly to the vulnerable application, to perform some unintended action that is beneficial to the attacker.

70779c12.qxd:WileyRed  9/14/07  3:14 PM  Page 442




Recall that the browser’s same origin policy does not prohibit one web site from issuing requests to a different domain. It does, however, prevent the originating web site from processing the responses to cross-domain requests. Hence, unlike its on-site counterpart, XSRF attacks are “one-way” only. It would not be possible to perform the multistage actions of the Samy worm in a pure XSRF attack.

One well-known example of an XSRF flaw was found in the eBay application by Dave Armstrong in 2004. It was possible to craft a URL that caused the requesting user to make an arbitrary bid on an auction item. A third-party web site could cause visitors to request this URL, so that any eBay user who visited the web site would place a bid. Further, with a little work, it was possible to exploit the vulnerability in a stored OSRF attack within the eBay application itself. The application allowed users to place <img> tags within auction descriptions. To defend against attacks, the application validated that the target of the tag returned an actual image file. However, it was possible to place a link to an off-site server that returned a legitimate image at the time the auction item was created, and subsequently replace this image with an HTTP redirect back to the crafted XSRF URL. Thus, anyone who viewed the auction item would unwittingly place a bid on it. More details can be found in the original Bugtraq post:

http://archive.cert.uni-stuttgart.de/bugtraq/2005/04/msg00279.html
