Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: Chick on June 30, 2011, 01:49:17 AM



Title: I was wondering if CSRF attacks works through images...
Post by: Chick on June 30, 2011, 01:49:17 AM
Since your browser goes to the page itself to fetch the image for you to see, I'm just curious if this would work.

http://www.google.com/accounts/Logout

Oh, that's cool, it really does log me out of Google. LOL, take a look at the URL yourself.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: qed on June 30, 2011, 01:54:42 AM
This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: Chick on June 30, 2011, 01:55:20 AM
This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends an HTTP request to the URL.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: qed on June 30, 2011, 02:00:45 AM
This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends an HTTP request to the URL.

But, but...

Not working + spam thread => Big fail.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: bluefirecorp on June 30, 2011, 02:05:11 AM
What the hell, it DOES work.

Logged me outta my Google account. I use Windows 7 Ult with Google Chrome.
0.0


Title: Re: I was wondering if CSRF attacks works through images...
Post by: BCEmporium on June 30, 2011, 02:19:01 AM
Yes it DOES work, it's a matter of the REQUEST not the RETURN.

If you're logged in to www.xpto.com

and get onto xpto.com's attacker's site, www.scammerzR.us, a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say www.xpto.com's creator is a lousy coder: to withdraw BTC all you have to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long shot attack, the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook where even if currently you're not there you may have an auth cookie.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: qed on June 30, 2011, 02:25:57 AM
Yes it DOES work, it's a matter of the REQUEST not the RETURN.

If you're logged in to www.xpto.com

and get onto xpto.com's attacker's site, www.scammerzR.us, a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say www.xpto.com's creator is a lousy coder: to withdraw BTC all you have to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long shot attack, the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook where even if currently you're not there you may have an auth cookie.

Not working for me on google. If it does work for www.xpto.com it plain means it is an awful site.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: Klestin on June 30, 2011, 03:19:00 AM
It will only work on sites which take an action on a GET, since images are always a GET and not a POST.  So, rule number 1 of site design is to never do anything destructive on a GET.  In general, logging out is about the worst you can do to someone on a reputable site.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: cmh on June 30, 2011, 03:39:24 AM
If it doesn't work for you, see if you are really logged into a "google accounts" account. It won't log you out of a regular gmail account.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: cmh on June 30, 2011, 03:41:55 AM
Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: DamienBlack on June 30, 2011, 05:47:10 AM
That is crazy. So when all the sites had CSRF vulnerabilities, we could have all been hijacked with embedded images that we never see. Just browsing the forum was dangerous. I guess most CSRF exploits read a cookie for session information, but still...


Title: Re: I was wondering if CSRF attacks works through images...
Post by: fascistmuffin on June 30, 2011, 06:14:56 AM
Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image.  ;D

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.


Title: Re: I was wondering if CSRF attacks works through images...
Post by: BCEmporium on June 30, 2011, 12:37:17 PM
Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image.  ;D

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.

Some functions are harmless, like logging you out. At worst, what would happen is that you'd have to log in again.
You can prevent that with a token, e.g. ?logout&hl=en&token=23nikhu, so his image wouldn't do anything without the token (which should be something random).
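
The two defences raised in this thread (take no action on a GET, and require a random token), shown as an added example that is not part of any post: a Python model of the hypothetical xpto.com withdraw.php handler, first as described and then hardened. The handler names, SERVER_KEY, the session id and the token derivation (an HMAC of the session id) are assumptions made for the demo, and the check goes slightly beyond the image case by also refusing a POST that lacks the token.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption for the demo)

def csrf_token(session_id):
    """Token bound to the session; another site's page cannot read or guess it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def naive_withdraw(method, url, form, session_id):
    """Handler as described in the thread: the session cookie alone authorises it."""
    if session_id is None:
        return 401, "login required"
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    params.update(form)
    return 200, f"sent {params['amount']} to {params['addr']}"

def hardened_withdraw(method, url, form, session_id):
    """State changes only on POST, and only with the session-bound token."""
    if session_id is None:
        return 401, "login required"
    if method != "POST":  # an <img> fetch is always a GET
        return 405, "withdrawals require POST"
    supplied = form.get("token", "").encode()
    if not hmac.compare_digest(supplied, csrf_token(session_id).encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"sent {form['amount']} to {form['addr']}"

# Constructed requests; the browser attaches the user's session cookie to each.
SESSION = "constructed-session-id"
URL = "http://www.xpto.com/withdraw.php"
IMG_GET = ("GET", URL + "?amount=all&addr=scammerzRusAddress", {})
POST_NO_TOKEN = ("POST", URL, {"amount": "all", "addr": "scammerzRusAddress"})
REAL_POST = ("POST", URL, {"amount": "10", "addr": "bitcoinAddress",
                           "token": csrf_token(SESSION)})

def run_demo():
    return {
        "naive_img": naive_withdraw(*IMG_GET, SESSION),
        "hardened_img": hardened_withdraw(*IMG_GET, SESSION),
        "hardened_no_token": hardened_withdraw(*POST_NO_TOKEN, SESSION),
        "hardened_real": hardened_withdraw(*REAL_POST, SESSION),
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```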