Google Blogoscoped

Forum

Google Cross-site Request Forgery

Ionut Alex. Chitu [PersonRank 10]

Monday, September 25, 2006
17 years ago, 6,838 views

You know, this is extremely old (and odd).

http://www.squarefree.com/archives/000134.html

TOMHTML [PersonRank 10]

17 years ago #

And they haven't corrected that "hack" in all these years? :-S

Ludwik Trammer [PersonRank 10]

17 years ago #

Most of the big sites have a similar problem. For example, you could make a page that automatically undiggs a particular story on digg.com. Then just link this page from this story's digg comments page...

Colin Colehour [PersonRank 10]

17 years ago #

The Irish example was already posted today in a slashdot comment earlier this morning.

http://it.slashdot.org/article.pl?sid=06/09/25/1440220&from=rss

It's the second comment on the page.

The comment:
I particularly like this example [dlitz.net].

Here's the spoiler [dlitz.net].

/pd [PersonRank 10]

17 years ago #

XSS hacks are here to stay. Vendors and developers need to get their act together to negate risks. Right now, what we are seeing is just the whitehat stuff. Who is to know what is 'actually happening' out there!!

FYI only... the best XSS cheat sheet right now is RSnake's

http://ha.ckers.org/xss.html

peter [PersonRank 0]

17 years ago #

I thought it was common practice in web security to check the http_referer server variable. Guess not at Google.

Chris Riley [PersonRank 3]

17 years ago #

The trouble is that the http_referer variable isn't always populated with the referrer; it can be blocked by some web browsers, anti-spyware software, etc., so it isn't as reliable as you'd first think in the fight against XSS.

Tony Ruscoe [PersonRank 10]

17 years ago #

<< I thought it was common practice in web security to check the http_referer server variable. >>

Many security software packages block the http_referer header to protect the user's privacy, so that's not always the most user-friendly of ways to do things. Expecting a POST from the form would be better, although it would still be possible to script that too...

Chris Riley [PersonRank 3]

17 years ago #

Is it obvious that Tony and I work together! ;o)

Roger Browne [PersonRank 10]

17 years ago #

The http_referrer is not secure anyway, even if it were always present. But it's not hard to protect against this kind of request forgery.

For example, a form to change preferences can be served to include a hash of the user's cookie, and the change of preferences only actioned if the hash and the cookie match on the target page.

Philipp Lenssen [PersonRank 10]

17 years ago #

States should only be changed via POST. And POST should not be allowed via AJAX/XMLHTTP by browsers. Wouldn't that be a solution?

I sometimes check the referrer and allow empty ones or ones from the same domain, at least for non-critical stuff, e.g. to avoid hotlinking on Gaxed.com (where hotlinking is a problem because the image URL changes when it moves to the cache). If someone hotlinks and publishes an image, it doesn't matter if 10% hide or distort the referrer, 90% of the visitors to his hotlinked image will complain to the hotlinker. Similarly you could prevent 90% of targets for an XSS worm etc., as a first step, right?

Tony Ruscoe [PersonRank 10]

17 years ago #

Good point Roger. It's very easy to spoof your HTTP_REFERER when running server-side scripts. It's not as easy to do this from cross-domain client-side scripts though (I think).

<< States should only be changed via POST. And POST should not be allowed via AJAX/ XMLHTTP by browsers. Wouldn't that be a solution? >>

Hmm. Kind of. You could still just use a form with a POST method and hidden fields, then use good old-fashioned JavaScript to do a form.submit() though.

I agree that checking HTTP_REFERER for the same domain or blank would probably be satisfactory for most purposes, 90% of the time at least.
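The defences discussed in this thread (Roger's cookie-bound value in the form, POST-only state changes, and a lenient same-domain-or-blank referrer check) put together in one small handler. This is an added example, not code from the page or from Google; it assumes a hypothetical session cookie named `session`, a constructed server secret, and a constructed host `www.example.com`, and it uses an HMAC keyed with that secret rather than a bare hash of the cookie, so a third party who can guess the cookie format still cannot compute the token. The constructed requests show why the cookie alone is not enough: a form.submit() from another site still carries the victim's cookie, but not the token.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Constructed values for this example only (hypothetical deployment).
SERVER_SECRET = b"example-server-secret-do-not-reuse"
SITE_HOST = "www.example.com"


def csrf_token(session_cookie: str) -> str:
    """Token embedded in the preferences form: an HMAC of the session cookie
    keyed with a server-side secret. Another site can make the browser send
    the cookie, but cannot read it or derive this value from it."""
    return hmac.new(SERVER_SECRET, session_cookie.encode(), hashlib.sha256).hexdigest()


def referer_is_same_site(headers: Dict[str, str]) -> Optional[bool]:
    """Lenient referrer check: True for same host, False for a foreign host,
    None when the header is absent (privacy software, some browsers)."""
    ref = headers.get("Referer")
    if not ref:
        return None
    return urlparse(ref).hostname == SITE_HOST


def handle_change_prefs(request: dict) -> Tuple[int, str]:
    """State-changing handler. The token bound to the cookie is authoritative;
    the referrer result is only recorded, since it is unreliable either way."""
    if request["method"] != "POST":
        return 405, "state changes require POST"
    cookie = request["cookies"].get("session")
    if not cookie:
        return 401, "no session"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, csrf_token(cookie)):
        return 403, "missing or wrong token (likely cross-site request)"
    ref_ok = referer_is_same_site(request["headers"])
    note = "" if ref_ok else " (referrer absent or foreign; worth logging)"
    return 200, "preferences updated" + note


def _request(method: str, referer: Optional[str], with_token: bool, cookie: str = "abc123") -> dict:
    """Build a constructed request as the browser would send it: the cookie is
    always attached, regardless of which page triggered the request."""
    headers = {"Referer": referer} if referer else {}
    form = {"lang": "xx-elmer"}
    if with_token:
        form["csrf_token"] = csrf_token(cookie)   # only a same-site form knows this
    return {"method": method, "headers": headers, "cookies": {"session": cookie}, "form": form}


def run_scenarios() -> Dict[str, int]:
    """Status codes for the cases raised in the thread."""
    cases = {
        # form served by the site itself, submitted normally
        "legit_same_site": _request("POST", "https://www.example.com/prefs", True),
        # same user, but privacy software stripped the Referer header
        "legit_blank_referer": _request("POST", None, True),
        # hidden form on another site submitted via form.submit(): cookie rides along, token does not
        "forged_cross_site_post": _request("POST", "https://evil.example.net/page", False),
        # same forgery with the referrer stripped: a referrer-only check could not tell this apart
        "forged_blank_referer": _request("POST", None, False),
        # a GET never changes state, even with a valid token
        "get_with_token": _request("GET", "https://www.example.com/prefs", True),
    }
    return {name: handle_change_prefs(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name:24s} -> {status}")
```

The point the scenarios make is that the blank-referrer cases are indistinguishable to a referrer-only check (one is a legitimate user, one is a forgery), while the cookie-bound token separates them correctly; the referrer result is kept only as a log signal.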

Travis Harris [PersonRank 10]

17 years ago #

I just published the Elmer Fudd version on my company's intranet. Waiting to see if anyone notices. As this is a tech company, the Firefox search bar is much more utilized, but maybe.... just maybe someone will see.

Philipp Lenssen [PersonRank 10]

17 years ago #

Heh. Keep us updated on this Travis...

Kirby Witmer [PersonRank 10]

17 years ago #

LOL!!! That's great, Travis.

Travis Harris [PersonRank 10]

17 years ago #

Just got noticed! Took the better part of the day, but all of a sudden I hear someone shout "What the heck?!" (3-4 second pause) "Did Elmer Fudd do something special today or something?"

I just started laughing.... see, hacking can be a great source of innocent humor!

James [PersonRank 0]

17 years ago #

MAN that is funny. Now people are staring at me laughing at my desk. Travis, that is BRILLIANT!!!!!!

Juha-Matti Laurio [PersonRank 10]

17 years ago #

[Moved from "Google XSRF vulnerability entry mentioned by SANS ISC" – Tony]

SANS Internet Storm Center has mentioned the Google Cross-site Request Forgery entry published last Monday on their Diary page at
http://isc.sans.org/diary.php?storyid=1750

as an example of this new type of vulnerability.
SANS ISC is widely known in the security community and several journalists use it as a source.

Philipp Lenssen [PersonRank 10]

17 years ago #

I'm putting the prank on Digg :)
http://www.digg.com/security/Prank_Switch_Your_Colleagues_Google_to_Elmer_Fudd
