lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 08 Jan 2007 19:49:04 -1000
From: Jim Manico <jim@...ico.net>
To: bugtraq@...urityfocus.com
Subject: Circumventing CSFR Form Token Defense

CONJECTURE: An attacker could write a hybrid "html inspection, CSRF attack" mimicking an exact important form (like the funds transfer form for an exact bank) **even if the form in question uses form tokens**.

Here are the components of this theoretical attack:

1) The attacker manually reads the HTML of the the form they are trying to mimic for the purpose of trying to discover the *form element name* of the hidden variable that contains the form token.

2) The attacker creates a 2-phase javascript program, similar to a HTTP Trace attack that does the following:
  a) The javascript makes a simple HTTP/S request to the form it is trying to mimic and inspects the returned HTML for the purpose of pulling out a valid form key since the form key NAME is known from (1). 
  b) Use that form key value pair ripped from (a) as part of the actual CSRF attack.

It would be a little complex to code, but would completely circumvent a form token defense if coding to attack an exact form of an exact bank.

Defense against this theoretical attack is to make the form element name for the form token itself hard to guess. 
For example, do not use a hidden variable named "formtoken" : <some hard-2-guess #> use something like: 
<hardtoguesselementname> : <hardtoguessvalue>

I'll try to come up with sample attack code and do additional research if anyone considers this theory to be plausible.

-- 
Best Regards,
Jim Manico
GIAC GSEC Professional, Sun Certified Java Programmer
jim@...ico.net
808.652.3805

Powered by blists - more mailing lists