Update Oct 15, 2008 We've modified the paper to reflect the fact that the New York Times has fixed this problem. We also clarified that our server-side protection techniques do not protect against active network attackers.
Update Oct 1, 2008 The New York Times has fixed this problem. All of the problems mentioned below have now been fixed.
Today Ed Felten and I (Bill Zeller) are announcing four previously unpublished Cross-Site Request Forgery (CSRF) vulnerabilities. We've described these attacks in detail in a technical report titled Cross-Site Request Forgeries: Exploitation and Prevention.
We found four major vulnerabilities on four different sites. These vulnerabilities include what we believe is the first CSRF vulnerability that allows the transfer of funds from a financial institution. We contacted all the sites involved and gave them ample time to correct these issues. Three of these sites have fixed the vulnerabilities listed below, one has not.
CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don't verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will (unbeknownst to the user) send a request to a second site, and the second site will mistakenly think that the user authorized the request.
If a user visits an attacker's website, the attacker can force the user's browser to send a request to a page that performs a sensitive action on behalf of the user. The target website sees a request coming from an authenticated user and happily performs some action, whether it was invoked by the user or not. CSRF attacks have been confused with Cross-Site Scripting (XSS) attacks, but they are very different. A site completely protected from XSS is still vulnerable to CSRF attacks if no protections are taken. For more background on CSRF, see Shiflett, Grossman, Wikipedia, or OWASP.
We describe the four vulnerabilities below:
1. ING Direct (ingdirect.com)
Status: Fixed
We found a vulnerability on ING's website that allowed additional accounts to be created on behalf of an arbitrary user. We were also able to transfer funds out of users' bank accounts. We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution. Specific details are described in our paper.
2. YouTube (youtube.com)
Status: Fixed
We discovered CSRF vulnerabilities in nearly every action a user could perform on YouTube. An attacker could have added videos to a user's "Favorites," added himself to a user's "Friend" or "Family" list, sent arbitrary messages on the user's behalf, flagged videos as inappropriate, automatically shared a video with a user's contacts, subscribed a user to a "channel" (a set of videos published by one person or group) and added videos to a user's "QuickList" (a list of videos a user intends to watch at a later point). Specific details are described in our paper.
3. MetaFilter (metafilter.com)
Status: Fixed
A vulnerability existed on Metafilter that allowed an attacker to take control of a user's account. A forged request could be used to set a user's email address to the attacker's address. A second forged request could then be used to activate the "Forgot Password" action, which would send the user's password to the attacker's email address. Specific details are described in our paper.
(MetaFilter fixed this vulnerability in less than two days. We appreciate the fact that MetaFilter contacted us to let us know the problem had been fixed.)
4. The New York Times (nytimes.com)
Status: Not Fixed. We contacted the New York Times in September, 2007. As of September 24, 2008, this vulnerability still exists. This problem has been fixed.
A vulnerability in the New York Time's website allows an attacker to find out the email address of an arbitrary user. This takes advantage of the NYTimes's "Email This" feature, which allows a user to send an email about a story to an arbitrary user. This emails contains the logged-in user's email address. An attacker can forge a request to active the "Email This" feature while setting his email address as the recipient. When a user visit's the attacker's page, an email will be sent to the attacker's email address containing the user's email address. This attack can be used for identification (e.g., finding the email addresses of all users who visit an attacker's site) or for spam. This attack is particularly dangerous because of the large number of users who have NYTimes' accounts and because the NYTimes keeps users logged in for over a year.
Also, TimesPeople, a social networking site launched by the New York Times on September 23, 2008, is also vulnerable to CSRF attacks.
We hope the New York Times will decide to fix these vulnerabilities now that they have been made public. The New York Times appears to have fixed the problems detailed above.
Mitigation
Our paper provides recommendations for preventing these attacks. We provide a server-side plugin for the PHP MVC framework Code Igniter that can completely prevent CSRF. We also provide a client-side Firefox extension that can protect users from certain types of CSRF attacks (non-GET request attacks).
The Takeaway
We've found CSRF vulnerabilities in sites that have a huge incentive to do security correctly. If you're in charge of a website and haven't specifically protected against CSRF, chances are you're vulnerable.
The academic literature on CSRF attacks has been rapidly expanding over the last two years and we encourage you to see our bibliography for references to other work. On the industry side, I'd like to especially thank Chris Shiflett and Jeremiah Grossman for tirelessly working to educate developers about CSRF attacks.
| Attachment | Size |
|---|---|
| csrf.pdf | 167.89 KB |
Front page posts
OWASP has made two tools available to help with CSRF problems. The first is CSRFTester which will allow you to test your website for CSRF problems. The tool allows you to create multi-step test cases and has been used to transfer funds, create accounts, issue checks, etc...
The second tool is called CSRFGuard, and it's a Java EE filter that can be placed in front of an entire application to provide CSRF protection. CSRFGuard uses javascript to insert tokens into forms and links, and then validates the token in every request.
You can find both free tools at http://www.owasp.org.
It would be helpful if you linked to the plugin on the CodeIgniter forums. I haven't seen something like this posted, although EL said a while ago that they're working on some sort of CSRF protection.
I think quite a few people in the community are not aware of the risks or don't know how to best go about mitigating them. The way I see it, education is a real problem when it comes to webappsec. Since you provide an explanation as well as a solid solution, not even a lazy person can refuse to take a look.
If I am not mistaken, your CI plugin will not prevent a form from being processed if the user's browser doesn't accept cookies or the CSRF token cookie has expired. Shouldn't the plugin reject all form submissions when there's any token mismatch, including the missing cookie case?
Hey George,
That cookie exception was the result of a tradeoff between security and usability in non-cookie contexts. I agree with you that the plugin should reject all invalid requests, so I've changed it to reflect that. Developers concerned about this can disable (or not install) the plugin.
How about this, I've been wondering why it's not automagically created as a Firefox option:
Manually:
Create a folder for "logoff" bookmarks
Save a copy of every "logout" link/button that you find to that folder, for example:
http://www.nytimes.com/logout
https://www.typekey.com/t/typekey?__mode=user_logout
http://login.yahoo.com/config/login?logout=1&.src=&.intl=us&.partner=&.d...
http://www.livejournal.com/logout.bml?user=yournamehere
Whenever you feel the hair on the back of your neck start to stand up as you realize how exposed you might be, choose "Open All in Tabs" from the bottom of the folder contents.
At least to some degree. If you go (on FF3 on windows) Tool>Clear Private Data (ctrl-shift-del) and select cookies and authenticated sessions (or if you're feeling more paranoid more cache et all) it will take out almost all your logged in sites.
not the same. the sessions will still exist on the servers. so if someone has your cookies, theyre still you.
[...] Zeller and Ed Felten have published a report on Cross-Site Request Forgery attacks on popular Web sites: We found four major vulnerabilities on four different sites. These vulnerabilities include what [...]
[...] Popular Websites Vulnerable to Cross-Site Request Forgery Attacks | Freedom to Tinker [...]
[...] Ed Felton and Bill Zeller have found this vulnerability in some very popular sites. Here is the quick status to get right down to what interests you. [...]
[...] Zeller and Ed Felten have published a report on Cross-Site Request Forgery attacks on popular Web sites: We found four major vulnerabilities on four different sites. These vulnerabilities include what [...]
[...] Popular Websites Vulnerable to Cross-Site Request Forgery Attacks | Freedom to Tinker - You would be amazed how little developers know about CSRF attacks and more precisely, how to protect against them. [...]
[...] Popular Websites Vulnerable to Cross-Site Request Forgery Attacks | Freedom to Tinker (tags: security browser hack web Internet webdesign) b94 [...]
[...] researchers released a research paper yesterday which documents Cross-Site Request Forgery vulnerabilities in 4 well known commercial websites (ING Direct, NY Times, Youtube, and Metafilter). It makes for interesting [...]
[...] Zeller and Ed Felten have published a report on Cross-Site Request Forgery attacks on popular Web sites: We found four major vulnerabilities on four different sites. These vulnerabilities include what [...]
Google released a cool proxy that you can surf your site through and then report potential issues.
http://code.google.com/p/ratproxy
-Ben
[...] Popular Websites Vulnerable to Cross-Site Request Forgery Attacks [...]
[...] sind jedoch auch zahlreiche weitere größere Webseiten betroffen, wie auf freedom-to-tinker.com zu lesen ist. Diesen Post [...]
[...] 0. http://www.darkreading.com/document.asp?doc_id=164854&WT.svl=news1_1 1. http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerabl...... 2. http://www.freedom-to-tinker.com/sites/default/files/csrf.pdf Popularity: unranked [?] Listen [...]
[...] Ed Felten and Bill Zeller recently released a very well-written paper about Cross-Site Request Forge..., including some real-world vulnerability examples from ING Direct, YouTube, MetaFilter, and The New York Times. As you all know so well, CSRF vulnerabilities are easy find when you just decide to look on basically any website. Don’t expect any ground breaking research per-say, but the papers content is really helpful to those unfamiliar with CSRF (and that’s still a lot people - especially developers). Ed and Bill also did some work on a potential client-side solution, like LocalRodeo I think, which I hope to find time to investigate further. We need as many smart people as we can trying to solve this problem in creative ways. CSRF certainly isn’t going to go away anytime soon. WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the companys flagship service, provides continuous web applications vulnerability assessment and management. [...]
[...] Read more here. [...]
[...] Ed Felten and Bill Zeller recently released a very well-written paper about Cross-Site Request Forge..., including some real-world vulnerability examples from ING Direct, YouTube, MetaFilter, and The New York Times. As you all know so well, CSRF vulnerabilities are easy find when you just decide to look on basically any website. Don’t expect any ground breaking research per-say, but the papers content is really helpful to those unfamiliar with CSRF (and that’s still a lot people - especially developers). Ed and Bill also did some work on a potential client-side solution, like LocalRodeo I think, which I hope to find time to investigate further. We need as many smart people as we can trying to solve this problem in creative ways. CSRF certainly isn’t going to go away anytime soon. WhiteHat Security is a leading provider of web application security services. WhiteHat Sentinel, the companys flagship service, provides continuous web applications vulnerability assessment and management. [...]
One question, how can you make cross-domain post request from Javascript?
[...] out of a user’s account, or to create additional accounts of behalf of a victim, according to this post from Freedom to Tinker blogger Bill Zeller.” addthis_url = [...]
[...] - Popular Websites Vulnerable to Cross-Site Request Forgery Attacks | Freedom to Tinker (tags: [...]
It just takes a commitment to building security into an application before it goes live. If companies like the NYT and ING Direct took a leadership position in being proactive rather than reactive, the rest would hopefully fall into line. Refusing to do business with organizations that don't take web security seriously is another possible solution.
There are some good resources about this in the following places:
Blog post: The Web Browser - Security Threat Number One
http://www.pcis.com/web/vvblog.nsf/dx/the-web-browser-security-threat-nu...
Devfense web application security
http://www.boonbox.net/devfense.htm
White Paper: Implications of outsourcing web application security
http://www.boonbox.net/pdf/WP_OutsourcingWAS_2008August.pdf
The article suggests that a POST request can be sent across domain from Firefox
without extended privileges.
I do not believe this is possible, unless there is a hole in the same origin policy.
This is only true for xmlhttprequest object.
However, you can have a page with hidden forms that do posts on any server.
WHEN U R READING THIS DONT STOP OR SOMETHING BAD WILL HAPPEN! MY NAME IS SUMMER I AM 15 YEARS OLD i have BLONDE HAIR ,MANY SCARS no NOSE OR EARS.. I AM DEAD. IF U DONT COPY THIS JUST LIKE FROM THE RING, COPY N POST THIS ON 5 MORE SITES.. OR.. SUMMER WILL APPEAR ONE DARK QUIET NIGHT WHEN UR NOT ExPECTING IT BY YOUR BED WITH A KNIFE AND KILL U. THIS IS NO JOKE SOMETHING GOOD WILL HAPPEN TO U IF YOU POST THIS ON 5 MORE PAGES WHEN U R READING THIS DONT STOP OR SOMETHING BAD WILL HAPPEN! MY NAME IS SUMMER I AM 15 YEARS OLD i have BLONDE HAIR ,MANY SCARS no NOSE OR EARS.. I AM DEAD. IF U DONT COPY THIS JUST LIKE FROM THE RING, COPY N POST THIS ON 5 MORE SITES.. OR.. SUMMER WILL APPEAR ONE DARK QUIET NIGHT WHEN UR NOT ExPECTING IT BY YOUR BED WITH A KNIFE AND KILL U. THIS IS NO JOKE SOMETHING GOOD WILL HAPPEN TO U IF YOU POST THIS ON 5
Oh God. Here they come: blog comment chainletters.
I suppose it was only a matter of time.
[...] the Freedom to Tinker blog, Bill Zeller offers one of the best, most concise explanation of XSRF that I’ve read to date: [...]
[...] Bill Zeller offers a good description of what this is CSRF vulnerabilities occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user herself is invoking that action. The key to understanding CSRF attacks is to recognize that websites typically don’t verify that a request came from an authorized user. Instead they verify only that the request came from the browser of an authorized user. Because browsers run code sent by multiple sites, there is a danger that one site will (unbeknownst to the user) send a request to a second site, and the second site will mistakenly think that the user authorized the request. [...]
[...] Referans: Freedom to Tinker [...]
[...] the Freedom to Tinker blog, Bill Zeller offers one of the best, most concise explanation of XSRF that I've read to [...]
[...] populäre Seiten betroffen sind, zeigt eine Ausarbeitung von Bill Zeller und Ed Felten. In einem Blog-Eintrag sprechen sie unter anderem über YouTube, wo so ziemlich alles anfällig war, aber auch über eine [...]
情趣用品,情趣用品,情趣用品,情趣用品,情趣,情趣,情趣,情趣,按摩棒,震動按摩棒,微調按摩棒,情趣按摩棒,逼真按摩棒,G點,跳蛋,跳蛋,跳蛋,性感內衣,飛機杯,充氣娃娃,情趣娃娃,角色扮演,性感睡衣,SM,潤滑液,威而柔,香水,精油,芳香精油,自慰套,自慰,性感吊帶襪,吊帶襪AIO交友愛情館,美女視訊,情色交友,視訊交友,辣妹視訊,美女交友,嘟嘟成人網,成人網站,A片,A片下載,免費A片,免費A片下載愛情公寓,情色,舊情人,情色貼圖,情色文學,情色交友,色情聊天室,色情小說,一葉情貼圖片區,情色小說,色情,色情遊戲,情色視訊,情色電影,aio交友愛情館,色情a片,一夜情,辣妹視訊,視訊聊天室,免費視訊聊天,免費視訊,視訊,視訊美女,美女視訊,視訊交友,視訊聊天,免費視訊聊天室,情人視訊網,影音視訊聊天室,視訊交友90739,成人影片,成人交友,美女交友,微風成人,嘟嘟成人網,成人貼圖,成人電影,A片,豆豆聊天室,聊天室,UT聊天室,尋夢園聊天室,男同志聊天室,UT男同志聊天室,聊天室尋夢園,080聊天室,080苗栗人聊天室,6K聊天室,女同志聊天室,小高聊天室,上班族聊天室,080中部人聊天室,同志聊天室,聊天室交友,中部人聊天室,成人聊天室,一夜情聊天室,情色聊天室,寄情築園小遊戲,AV女優,A片下載,免費A片,日本A片,麗的色遊戲,色色網,情色論壇,嘟嘟情人色網,色情網站,成人網站,成人論壇,成人小說,微風成人區,色美媚部落格,正妹牆,正妹百人斬,aio,伊莉,伊莉討論區,成人文章,成人圖片區,免費成人影片,成人遊戲,成人影城,本土自拍,自拍,癡漢俱樂部情境坊歡愉用品,情趣用品,情人節禮物,情人節,AIO交友愛情館,情惑用品性易購,視訊交友90739,生日禮物,正妹牆,情境坊歡愉用品,保險套,A片
[...] cross-site request forgery es una realidad y aunque usé a Amazon como un ejemplo, hay casos reales documentados y un muy buen paper del tema creado por William Zeller y Edward Felten que está con muchos más [...]
[...] see also Bill Zeller’s blog post describing the attack and the Wikipedia page for cross-site request [...]
禪師和小偷
紙為媒
腳下的風景
一元錢借貸
遠方的燈光
盲人不盲
不妙的想像
思想,是你的人生部隊長
人生沒有回頭路
被遊戲拯救
enjoy the life
當資本遇上智慧
鎖定目標,追求高績效
心理平衡是好心情的導師
it’s healthy for u
南轅北轍
抱怨上級不如低頭反省自己
傳遞愛心
有想法,更要有行動
你現下的心情對嗎
愛要刻在石頭上
開始下雨
外面的雨漸漸小了
血腥瑪莉
明天休息
下次見
Post new comment