Comments on Jeremiah Grossman: Using CSRF to Frame Someone
(Blogger comment feed, last updated 2024-02-08)

Anonymous (~L), 2007-03-19 09:42 -07:00:
Dan Boneh here at the Security Workshop is giving a talk on "Transaction Generators: Rootkits for the Web". I'm not sure if he's aware of the term CSRF, but I can ask.

His group has proposed SpyBlock as a possible countermeasure:

http://crypto.stanford.edu/SpyBlock/

~L

Anonymous, 2007-03-19 07:27 -07:00:
Just as a side note, there are a couple of ways to send someone to a page in a hidden way without referrers.

As you mentioned, Flash is a way to do it, but definitely the hardest way to do it. Simple JavaScript can handle it.

Anonymous (Pete), 2007-03-15 20:12 -07:00:
"Chris Shiflett (OmniTI) blogged a CSRF issue in Amazon after a year of waiting in vain for a fix to go in"

C'mon, Jeremiah - this sounds like high school revisited. Isn't it amazing that someone could keep some gossip about someone else such a big secret for so long. Ohh, so patient.

The risk goes up, plain and simple.

Pete

Jeremiah Grossman, 2007-03-15 14:46 -07:00:
"Come on guys - I bet it's very very rare that prosecutors actually subpoena Google logs."

I don't know about Google, but when I worked at Yahoo, those types of subpoenas were being served in large quantities. It's more common than one might initially believe. And not just for criminal cases, but for civil as well.

"This brings up another point, though - a bunch of CSRF-loaded pages via img tags aren't likely going to show up in a browser's history or saved form fields (but maybe the local cache?)."

I haven't tested directly, but you could try hidden iframes or pop-under windows to get the desired effect.

Anonymous, 2007-03-15 14:41 -07:00:
Come on guys - I bet it's very very rare that prosecutors actually subpoena Google logs. They're just going to look through the person's history and other info that the browser stores on the hard drive and have someone testify to what was found: they don't need to connect the dots back to the web server.

This brings up another point, though - a bunch of CSRF-loaded pages via img tags aren't likely going to show up in a browser's history or saved form fields (but maybe the local cache?).

Anonymous (-ae), 2007-03-15 14:22 -07:00:
"referer" has been spelled that way since the first HTTP RFCs specifying protocol and User Agent interaction. Hence the header spelling you see.

re: HTTP Header nonsense:

Again, making "security decisions" about trivially forgeable, client-side controlled properties is a bad idea, no matter how you caveat it. Half the time these tail-wagging-the-dog measures wind up introducing their own security holes. :)

Cheers

-ae

Jeremiah Grossman, 2007-03-15 14:17 -07:00:
@drew, good point. Provided Google or whomever stores that data and provides it upon subpoena. Then again, nothing a little Flash trickery can't take care of either.

Write-up by Amit Klein: "Forging HTTP request headers with Flash"
http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html

And if that doesn't work, there are some neat referer-scrubbing browser tricks that still work.

Drew Hintz, 2007-03-15 14:13 -07:00:
A little HTTP Referer header in Google's logs might give away that some trickery was afoot, and it might even reveal the framer.

On a random note, I just noticed that the Referer: in the HTTP header is actually a misspelling of the word referrer (http://dictionary.reference.com/browse/referer).

--
Drew (http://guh.nu)