Comments on Jeremiah Grossman: Spoofing Google search history with CSRF
17 comments, oldest first (feed last updated 2024-02-08)

Michael Coates (https://www.blogger.com/profile/01776444965999374544), 2010-12-10 17:43 -08:00:
Nice POC to drive home the point. This is certainly a frustrating issue addressed on a site-by-site basis. In the meantime, you can take control into your own hands with an add-on like RequestPolicy (https://www.requestpolicy.com/).

But it isn't easy, and it's only for those really intent on taking control. Clearly, this is not the right approach across the board for all users.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-12-10 18:00 -08:00:
@Michael: thank you. Obviously we'll need solutions so that the website can protect itself, but we'll also need something for the user to protect themselves. The latter is a much tougher problem to solve.

The one thing we can do is separate the authenticated and unauthenticated functionality of a website. With some clever browser security innovation, I believe we can handle the auth, but not the other without really breaking the Web. RequestPolicy, while still presently unworkable, does teach us things though.

Dimitris Karagasidis (http://www,gatoni.gr), 2010-12-10 18:32 -08:00:
Nice read! Thanks for sharing your concerns.

CSRF is even more of an issue nowadays than it was a few years back, with the rise of social networking sites and AJAX technology.

I bet most of us browse the web while we're logged in to our mail, social networking and other accounts, putting our personal data at risk one click at a time.

I guess there are some request filtering plugins out there, but most of us would find authorizing each request our browser makes in our day-to-day browsing annoying. In addition to this, the average internet user doesn't have the knowledge to tell a legit request from a spoofed one.

Cheers!

Jbyte (http://jbyte-security.blogspot.com), 2010-12-10 20:00 -08:00:
I wrote about this topic here: http://jbyte-security.blogspot.com/2009/05/importancia-de-la-etiqueta-en-la.html

thetestmanager (http://www.thetestmanager.com), 2010-12-11 03:22 -08:00:
An interesting angle on the Google search history hack: I'm sure many law enforcement agencies, when confiscating PCs while investigating certain crimes (hacking, paedophilia, online fraud; in fact any crime which can be perpetrated via electronic means), will look at search histories to build their case against a potential defendant.

Attack 1: send the victim a link to your site; he visits and gets his history set to many undesirable things. Combine that with an iframed "I feel lucky" search (see http://www.thetestmanager.com/?s=i+feel+lucky&search=Search). Then contact local law enforcement to tell them that someone has been doing something illegal with their PC and that if they looked at his search logs they could get proof. Delete the code from your page.

Police visit, confiscate the PC and check the logs. They find bad search terms and, bingo, prosecution starts. Chances are the case would get dropped; however, it would cause considerable pain to the victim involved.

Anonymous, 2010-12-11 05:35 -08:00:
Nice read and cool demonstration, especially for unaware web developers. Except that voting for Julian Assange as Time's Person of the Year is actually quite a good thing to do. It's just like with web (in)security issues: the truth must be spread.

paranoid, 2010-12-11 17:24 -08:00:
Would be cool if search engines improved search history to also show the referrer.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-12-12 08:50 -08:00:
@paranoid: referers can be scrubbed by using META refresh tags or by hosting the CSRF code on an SSL website.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-12-12 08:51 -08:00:
@thetestmanager: just to make that scenario you describe more real:

http://ha.ckers.org/blog/20080320/click-a-link-go-to-jail/

Dan Weber (https://www.blogger.com/profile/06626675217693199470), 2010-12-13 12:02 -08:00:
I went to check my Google history before loading this blog post, and the search for Justin Bieber was *already* there, just from the reader. Dang.

I've had some fun with websites that used GET for actions and allowed posting of images.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-12-13 13:23 -08:00:
@Dan: whoa, that's troubling. What RSS reader/browser combo are you using? Clearly they are sharing session cookies and HTTP connection libs.

Dan Weber (https://www.blogger.com/profile/06626675217693199470), 2010-12-13 14:17 -08:00:
Google's Reader, so it's probably not too surprising they share session data with Google.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-12-13 14:55 -08:00:
@Dan: yep, that would make sense!

Anne H (http://www.timeatlas.com), 2010-12-14 08:36 -08:00:
I like and dislike this article. It's good from the standpoint that it educated me on a real problem. But as a typical web user and webmaster, I don't like it. I get the sense there is not much I can do to prevent or detect it other than keeping my CMS fully patched. And I'm not sure how many people would install add-ons that may interfere with the browsing experience.

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2010-12-14 08:59 -08:00:
@Anne: While I didn't go into depth in the post, there are very effective things a website owner can do to protect their websites. See here for more details: http://www.whitehatsec.com/home/resource/whitepapers/csrf_cross_site_request_forgery.html

On the user side it's a bit trickier, but it comes down to NOT being logged in.

Unknown (https://www.blogger.com/profile/13818057956040786243), 2010-12-14 22:25 -08:00:
This comment has been removed by the author.

Alexandra (https://www.blogger.com/profile/07388070088895359419), 2010-12-22 21:09 -08:00:
Hello Jeremiah,
Nice article, thank you. It seems the Firefox NoScript add-on has protection against this type of attack, because this search trick is not working despite having Blogspot and related sites as trusted. Check http://noscript.net/abe/. The only disadvantage of NoScript is that you have to learn how to live with it.