Bitcoin Forum
Author Topic: I was wondering if CSRF attacks works through images...  (Read 1259 times)
Chick
Member, Activity: 70
June 30, 2011, 01:49:17 AM, #1

Since your browser goes to the page itself to fetch the image for you to see, I'm just curious if this would work.

Oh, that's cool, it really does log me out of Google. LOL, take a look at the URL yourself.

qed
Full Member, Activity: 196
June 30, 2011, 01:54:42 AM, #2

This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Chick
Member, Activity: 70
June 30, 2011, 01:55:20 AM, #3

This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends an HTTP request to the URL.

qed
Full Member, Activity: 196
June 30, 2011, 02:00:45 AM, #4

This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends an HTTP request to the URL.

But, but...

Not working + spam thread => Big fail.

bluefirecorp
Legendary, Activity: 882
June 30, 2011, 02:05:11 AM, #5

What the hell, it DOES work.

Logged me outta my Google account, I use Windows 7 Ult with Google Chrome
0.0

BCEmporium
Legendary, Activity: 1120
June 30, 2011, 02:19:01 AM, #6

Yes it DOES work, it's a matter of the REQUEST, not the RETURN.

If you're logged in to www.xpto.com and get into xpto.com's attacker site www.scammerzR.us, a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say www.xpto.com's creator is a lousy coder, and to withdraw BTC all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long-shot attack; the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook, where even if you're not currently there you may have an auth cookie.

qed
Full Member, Activity: 196
June 30, 2011, 02:25:57 AM, #7

Yes it DOES work, it's a matter of the REQUEST, not the RETURN.

If you're logged in to www.xpto.com and get into xpto.com's attacker site www.scammerzR.us, a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say www.xpto.com's creator is a lousy coder, and to withdraw BTC all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long-shot attack; the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook, where even if you're not currently there you may have an auth cookie.

Not working for me on Google. If it does work for www.xpto.com it plainly means it is an awful site.

Klestin
Hero Member, Activity: 494
June 30, 2011, 03:19:00 AM, #8

It will only work on sites which take an action on a GET, since images are always a GET and not a POST. So, rule number 1 of site design is to never do anything destructive on a GET. In general, logging out is about the worst you can do to someone on a reputable site.
cmh
Newbie, Activity: 21
June 30, 2011, 03:39:24 AM, #9

If it doesn't work for you, see if you are really logged into a "google accounts" account. It won't log you out of a regular gmail account.
cmh
Newbie, Activity: 21
June 30, 2011, 03:41:55 AM, #10

Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.
DamienBlack
Jr. Member, Activity: 56
June 30, 2011, 05:47:10 AM, #11

That is crazy. So when all the sites had CSRF vulnerabilities, we could have all been hijacked with embedded images that we never see. Just browsing the forum was dangerous. I guess most CSRF exploits read a cookie for session information, but still...

fascistmuffin
Jr. Member, Activity: 56
June 30, 2011, 06:14:56 AM, #12

Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image.  Grin

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.
BCEmporium
Legendary, Activity: 1120
June 30, 2011, 12:37:17 PM, #13

Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image.  Grin

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.

Some functions are harmless, like logging you out. At worst, what would happen is you have to log in again.
You can prevent that with a token, e.g. ?logout&hl=en&token=23nikhu, so his image wouldn't do anything without the token (which should be something random).
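As an added illustration (not code from the thread or from any real site) of the points in posts #6, #8 and #13, here is a small simulation of the xpto.com withdraw.php endpoint: the "lousy coder" version that acts on any GET carrying the session cookie, beside a hardened version that only acts on POST and only with the session's random anti-CSRF token. The Request class, the session store, the balances and the session id are all constructed for this example.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    params: dict = field(default_factory=dict)   # query string or form fields
    cookies: dict = field(default_factory=dict)  # what the browser attaches

def new_session_store():
    """Constructed server-side session store: cookie value -> session state."""
    return {"sid-alice": {"user": "alice", "balance": 10.0,
                          "csrf_token": secrets.token_hex(16)}}

def _pay_out(sess, params):
    """Debit the session's balance; 'amount=all' drains it, as in post #6."""
    amount = sess["balance"] if params.get("amount") == "all" else float(params.get("amount", 0))
    sess["balance"] -= amount
    return 200, f"sent {amount} to {params.get('addr')}"

def vulnerable_withdraw(req, sessions):
    """The 'lousy coder' version: any request with a valid session cookie pays out."""
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    return _pay_out(sess, req.params)

def hardened_withdraw(req, sessions):
    """Post #8: state changes only on POST (an <img> can only issue a GET).
    Post #13: the request must also carry the session's random token."""
    if req.method != "POST":
        return 405, "state-changing action requires POST"
    sess = sessions.get(req.cookies.get("sid"))
    if sess is None:
        return 401, "not logged in"
    if not secrets.compare_digest(req.params.get("token", ""), sess["csrf_token"]):
        return 403, "missing or wrong anti-CSRF token"
    return _pay_out(sess, req.params)

def img_fetch(cookies):
    """What the browser sends for the <img src="http://www.xpto.com/withdraw.php?amount=all&addr=...">
    tag from post #6: a GET with the query string plus xpto.com's cookies, and no token."""
    return Request("GET", {"amount": "all", "addr": "scammerzRusAddress"}, cookies)

if __name__ == "__main__":
    sessions = new_session_store()
    print(vulnerable_withdraw(img_fetch({"sid": "sid-alice"}), sessions))     # 200, balance drained
    print(hardened_withdraw(img_fetch({"sid": "sid-alice"}), new_session_store()))  # 405, nothing moves
```

The token check also stops a cross-site form that POSTs without it; in a current deployment it would be complemented by SameSite cookies and Origin / Sec-Fetch-Site checks, which did not exist when this thread was written.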
