Jeff Atwood wrote a good article explaining the danger of XSRF and XSS
1) I want to confirm that checking UrlReferrer [hoping to prevent XSRF attack] is a waste of time. UrlReferrer can be spoofed by malicious user. Such spoofing can be done by combination of XSS and XSRF attack: injecting javascript into HTML output (XSS) on one web page and producing forged request (XSRF) pointing to another page of the same web site.
Jeff is also correct that legitimate users may have empty UrlReferrer. Rejecting such users is a mistake.
2) I agree that introducing parameters cuts off the most obvious XSRF attacks.
But if one of your pages is XSS vulnerable (allows javascript injection), then even if you have dynamic parameters to prevent XSRF (on another page), javascript can still read these dynamic parameters and re-submit them, so the request would succeed.
That's how Gmail was hacked -- the hacker used XSS vulnerability on some obscure Google's web site site in order to exploit XSRF vulnerability in Gmail).
Wednesday, September 24, 2008
Subscribe to:
Posts (Atom)