CSRF Isn't Just For Access
One common assumption people make with regard to CSRF is that it is used to escalate privileges or otherwise abuse sessions. While it's certainly useful there, CSRF can also be used to DoS a website: have a few hundred visitors to your site each load a resource-intensive page on the target's server. It can also be used to anonymize SQL injection, remote file inclusion, and other attacks, since the requests arrive from your visitors' IP addresses rather than your own.
The concept of having a website's normal users abuse another site has fascinated me for a long time: essentially, any high-traffic website could be used to create dynamic, temporary botnets of web browsers. This is neat.
Hold that thought. Wired Magazine is in the running for AdweekMedia's "Best of the 2000s" top magazine of the decade. I'm a big fan of Wired. I'm not a big fan of Rachel Ray, whose magazine is currently in the lead. I'd never heard of Adweekmedia, but like others before me, I can't help laughing when I see an online poll, survey, petition or other people-oriented data-gathering application. While gaming such systems isn't usually very hard, I laugh even harder when I notice the application is vulnerable to CSRF. In the case of this poll, it allows one vote per IP address, but doesn't appear to contain any other restrictions.
It probably raises some ethical issues to perform this kind of attack, and I certainly wouldn't condone this kind of thing. If you want to vote for Wired, you can do so manually with this URL:
http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850
For demonstration purposes only, here's a bit of HTML that you could theoretically place in your own website, harnessing the power of your users.
<!-- Help Wired win magazine of the year VIA CSRF. Copy/paste the following code into your websites -->
<img src="http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850" width="1" height="1" onerror="this.parentNode.removeChild(this)">

The vote endpoint doesn't return an image, so the onerror handler quietly removes the broken 1x1 element after the request has already gone out. Putting that payload into an XSS worm would get a nice spread of visitors. On the off chance that they check the Referer header, you can iframe in a polldaddy.com page with an HTML injection/XSS hole and let it load the image for you, so the vote request arrives with a polldaddy.com referer:

<!-- Help Wired win magazine of the year VIA CSRF. Copy/paste the following code into your websites -->
<iframe src="http://polldaddy.com/ratings/rate.php?cmd=get&id=61037&uid=wp-comment-29028&item_id=_comm_29028%22%3E%3Cimg%20src=%22http%3A%2f%2fanswers.polldaddy.com%2fvote%2f%3Fva%3D10%26pt%3D0%26r%3D2%26p%3D2232025%26a%3D10937850%22%3E" width="1" height="1"></iframe>

To be fair, XSS isn't really necessary. They provide a bit of JavaScript to embed the poll in our own websites. All we have to do is use a bit of our own JavaScript, and we can hijack that method of poll submission as well.
But why should we restrict ourselves to web browsers? Lots of other applications make HTTP requests, and we can certainly use those too. favicon.ico and robots.txt are some of the most common URLs for non-browser clients to hit. A few .htaccess rules (Apache's mod_alias Redirect directive) can be used to herd bots, malware, and non-browser RSS readers in the right direction:

Redirect /robots.txt http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850
Redirect /favicon.ico http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850
Redirect /info.php http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850
Redirect /errors.php http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850
Redirect /rss.xml http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850
Redirect /atom.xml http://answers.polldaddy.com/vote/?va=10&pt=0&r=2&p=2232025&a=10937850

By posting a few links to Twitter, we can also get the URL prefetchers, anti-malware applications, and other bots in line.
Now when I think "Where can I get a lot of IP addresses?" the obvious answer is BitTorrent. We can put the URL in question (or something that redirects to it) in the announce (and announce-list) entries of a .torrent file; every client that loads the torrent will make GET requests to that URL, and derive its scrape URL from it, and everybody is happy. Uploading a torrent of a popular TV show will get you an awful lot of clients, awfully fast. There is another way to get BT clients making requests: the web seeding extension (BEP 19) lets a torrent serve chunks of a file from an HTTP server. Again, there's no reason BT clients won't follow the occasional redirect and request a piece from the wrong place. The piece fails its hash check, so they simply download it again from another peer, and nobody will ever know that the request was made.
This concludes my random thoughts for the day. Isn't abusing the web fun?
Labels: CSRF, Online Polls


3 Comments:
Love it.
CSRF has so many use-cases it's hard to imagine all of them. Although I do give you major bonus points for the robots.txt and even BitTorrent angles ... you could really, really set a poll that way, huh?
Interestingly enough, this is largely due to the fact that the poll allows a GET and doesn't require a POST, which is trivial to fix... but then someone would have to care.
I sense an ID10T error coming...
By Raf, at December 4, 2009 7:33 PM
Good and interesting view to the CSRF...
By yunusov, at December 6, 2009 2:30 AM
Great work man, tyvm
By Anarchy Angel, at December 14, 2009 11:15 AM