RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip]
I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using <img/> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers.

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?
[/snip]

You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.

FYI - This is (or used to be) a PHP list

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg?

Thanks,
Warren Vail

-----Original Message-----
From: Jay Blanchard [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 16, 2004 10:57 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

[snip]
I am working on securing an application that uses CDSSO (Cross Domain Single Sign On). I am trying to reproduce the CSRF (Cross Site Request Forgery) attack (using <img/> TAG) in I.E. 6.01, but am unable to do so. However the attack works on Mozilla and other older browsers.

My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?
[/snip]

You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.

FYI - This is (or used to be) a PHP list
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT
[snip]
Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg
[/snip]

a. But that wasn't what he asked.
2. Top-posting === bad
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.
>
> FYI - This is (or used to be) a PHP list

I won't defend cross-posting, but I think CSRF is very on-topic.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Jay Blanchard wrote:
> FYI - This is (or used to be) a PHP list

If I have a web server running php, how do I change the oil in my car?

-- 
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
> My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?

This seems highly unlikely. Can you show us the code you're using to test?

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1? WOT
--- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> [snip]
> Perhaps the question could be asked another way and be more on topic. Is there a fix in I.E. 6.01 that would interfere with PHP being able to generate different mime types on the fly, like .png or .jpg
> [/snip]
>
> a. But that wasn't what he asked.

Actually, that's exactly what he asked, just rephrased. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Thanks Chris,

Yup I think my posting is very on-topic. The application that I am working on is written in PHP. And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E.).

As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.

Regards,
Saqib Ali
http://validate.sf.net
DocBook XML - XHTML / PDF Convertor

Chris Shiflett <[EMAIL PROTECTED]>
08/16/2004 11:17 AM
To: Jay Blanchard <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> --- Jay Blanchard <[EMAIL PROTECTED]> wrote:
> > You would have to ask the Microsoft Development Group, who probably does not subscribe to this list. Crossposting is bad. Being OT during a crosspost is even worse. I can hear the flamethrowers warming up in the wings.
> >
> > FYI - This is (or used to be) a PHP list
>
> I won't defend cross-posting, but I think CSRF is very on-topic.
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security - O'Reilly
>     Coming Fall 2004
> HTTP Developer's Handbook - Sams
>     http://httphandbook.org/
> PHP Community Site
>     http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip]
Yup I think my posting is very on-topic. The application that I am working on is written in PHP.
[/snip]

Thanks for stating that in your original post.
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris,

I can't share the exact code ;) , but here is something very similar:

<img src="http://slashdot.org/my/logout" height=1 width=1>

If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

downloads.seagate.com

Chris Shiflett <[EMAIL PROTECTED]>
08/16/2004 11:24 AM
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> --- [EMAIL PROTECTED] wrote:
> > My question: Is I.E. 6.01 SP1 doing something to foil the CSRF attack, i.e. only allow image extensions .gif .png .jpeg?
>
> This seems highly unlikely. Can you show us the code you're using to test?
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security - O'Reilly
>     Coming Fall 2004
> HTTP Developer's Handbook - Sams
>     http://httphandbook.org/
> PHP Community Site
>     http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
> And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E.).

I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it.

> As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.

Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem. Also, as Web developers, we can't assume that 100% of users are using this specific browser anyway, and that's the only way that it could eliminate the need to be mindful of CSRF attacks when we're writing our PHP code.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height=1 width=1>
>
> If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.

Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-----Original Message-----
> Jay Blanchard wrote:
> > FYI - This is (or used to be) a PHP list
>
> If I have a web server running php, how do I change the oil in my car?

Have you tried the OilChange class from PHPClasses.org? ;)

-Ed
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
What if you add a random seed to the URL?

<img src="http://slashdot.org/my/logout?fluff=<?php echo rand(1,200); ?>" height=1 width=1>

-----Original Message-----
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height=1 width=1>
>
> If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-----Original Message-----
> The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.
>
> Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.

Wouldn't it work to just make the script spit out a mime type header and a small (1x1) image when it's done to satisfy the browser's mime type requirements?

-Ed
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> Wouldn't it work to just make the script spit out a mime type header and a small (1x1) image when it's done to satisfy the browser's mime type requirements?

Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user.

I'm not sure if that makes any sense... :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-----Original Message-----
> Definitely, but most CSRF attacks are meant to spoof a request from the legitimate user to some Web site where he/she already has privilege. Thus, the receiving site is usually as much the victim as the user.
>
> I'm not sure if that makes any sense... :-)

It does =)

-Ed
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?

A URL can be something like:

http://www.site.com/script.php/image.jpg?logout=true

Internet Explorer might think that the file is a .jpg and that script.php is a directory but only the target web server knows which is the program. Or PHP code might be contained in an image.jpg file.

Teddy

----- Original Message -----
From: Chris Shiflett <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc: Jay Blanchard <[EMAIL PROTECTED]>; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, August 16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> --- [EMAIL PROTECTED] wrote:
> > And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E.).
>
> I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it.
>
> > As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.
>
> Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem. Also,
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello,

I'm not saying that I.E. completely fixed the CSRF attacks, by only allowing .jpg .gif .png files. But it might be one possible way to minimize CSRF attack, just like using POST vs GET can help minimize the chances of that attack. BTW, using POST instead of GET does NOT guarantee that a CSRF attack will not work, either.

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Octavian Rasnita <[EMAIL PROTECTED]>
08/16/2004 12:57 PM
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: Jay Blanchard <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?
>
> A URL can be something like:
>
> http://www.site.com/script.php/image.jpg?logout=true
>
> Internet Explorer might think that the file is a .jpg and that script.php is a directory but only the target web server knows which is the program. Or PHP code might be contained in an image.jpg file.
>
> Teddy
>
> ----- Original Message -----
> From: Chris Shiflett <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: Jay Blanchard <[EMAIL PROTECTED]>; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Monday, August 16, 2004 9:52 PM
> Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
>
> > --- [EMAIL PROTECTED] wrote:
> > > And I'm sure all PHP developers check their applications for CSRF vulnerability, in various browsers (including I.E.).
> >
> > I speak about CSRF in many of the talks I give, and I think you'd be surprised by how many people haven't even heard of it.
> >
> > > As a PHP/Java developer, I would be interested to know what I.E. is doing in their browsers to prevent CSRF attacks. I'm not trying to start a browser war here.
> >
> > Well, to be fair, even if it is true that IE does not request a URL referenced in an img tag unless the file extension matches a known image type, this isn't a complete or even optimal solution to the problem. Also,
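The point Saqib makes above, that POST versus GET on its own does not stop CSRF, is why the standard mitigation binds every state-changing request to a secret the attacker's page cannot read: a per-session token that the site embeds in its own forms and checks on every POST. The following PHP is an added example for this thread, not code from any of the posters; `csrf_token.php`, the `csrf_token` session key and form field name are assumed names, and it needs PHP 7.1 or newer (random_bytes, hash_equals, array destructuring in foreach). It runs from the command line against a constructed session array so the four request scenarios can be checked without a web server.

```php
<?php
// csrf_token.php (assumed name): per-session CSRF token and the check that a
// logout or any other state-changing action should run before acting.
// Added example for this thread, not code from any of the posters. PHP 7.1+.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';   // assumed session key and form field name

/** Return the session's token, minting a fresh 256-bit one on first use. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field for every form that changes state (in a real page: echo csrfField($_SESSION);). */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_SESSION_KEY . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Gate for a state-changing action. Anything that is not a POST is refused,
 * so a GET triggered by <img src="..."> never reaches the action; a POST is
 * accepted only if it carries the token stored in this user's session.
 * hash_equals() compares in constant time. In a real handler call it as
 * csrfRequestAllowed($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION).
 */
function csrfRequestAllowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_SESSION_KEY] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Worked scenarios against a constructed session array, so this runs from the CLI.
$session = [];
$token   = csrfToken($session);

$cases = [
    'GET from an <img src=...> tag'                  => ['GET',  []],
    'forged POST without a token'                    => ['POST', ['action' => 'logout']],
    'forged POST with a guessed token'               => ['POST', [CSRF_SESSION_KEY => str_repeat('0', 64)]],
    'POST from the site\'s own form, token included' => ['POST', [CSRF_SESSION_KEY => $token]],
];

foreach ($cases as $label => [$method, $post]) {
    printf("%-48s -> %s\n", $label,
        csrfRequestAllowed($method, $post, $session) ? 'allowed' : 'rejected');
}
```

Only the last scenario passes: the image-tag GET fails the method check, and the two forged POSTs fail the token comparison. The token lives in the victim's session on the server and in a form the victim's browser fetched from the same site, so a page on another origin has no way to include it in the request it provokes, whatever the browser's cookie policy happens to be.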
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Chris,

Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same. Which means my theory of limiting the <img/> TAG to .gif .jpeg .png is NOT true.

So now I am completely clueless as to why this particular attack works in Mozilla but not in IE. Any ideas?

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Chris Shiflett <[EMAIL PROTECTED]>
08/16/2004 11:55 AM
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> --- [EMAIL PROTECTED] wrote:
> > I can't share the exact code ;) , but here is something very similar:
> >
> > <img src="http://slashdot.org/my/logout" height=1 width=1>
> >
> > If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1
>
> The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.
>
> Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.
>
> Hope that helps.
>
> Chris
>
> =====
> Chris Shiflett - http://shiflett.org/
>
> PHP Security - O'Reilly
>     Coming Fall 2004
> HTTP Developer's Handbook - Sams
>     http://httphandbook.org/
> PHP Community Site
>     http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Octavian Rasnita <[EMAIL PROTECTED]> wrote:
> Why is it so important if Internet Explorer allows URLs of images where the file name is only .jpg, .png, or .gif?
>
> A URL can be something like:
>
> http://www.site.com/script.php/image.jpg?logout=true

This is definitely true, but as I mentioned in a previous reply, the point of most CSRF attacks is to spoof a request from a trusted user to another Web site. Thus, both the user and the other Web site are the victims. Most Web sites don't have pages that use the .png extension. The attacker isn't the receiving site; he/she is the person launching the attack that causes the spoofed request.

For more information, since I fear my brief description is inadequate, you can see these resources:

http://shiflett.org/articles/foiling-cross-site-attacks
http://shiflett.org/talks/oscon2004/foiling-cross-site-attacks
http://shiflett.org/php-security.pdf

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
> Upon your suggestion, I used a sniffer to sniff traffic for the web app that I am working on. To my surprise, the data captured during the sniff for both browsers was exactly the same.

Can you elaborate or post the exact requests sent from each browser? I'm assuming the User-Agent header was different, at the very least, so I question what "exactly" means in this case. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Curt,

Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong.

Maybe Chris can correct me, if I am wrong here.

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Curt Zirzow <[EMAIL PROTECTED]>
08/16/2004 02:40 PM
To: [EMAIL PROTECTED]
Subject: Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> * Thus wrote [EMAIL PROTECTED]:
> > Hello Chris,
> >
> > I can't share the exact code ;) , but here is something very similar:
> >
> > <img src="http://slashdot.org/my/logout" height=1 width=1>
> >
> > If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1
>
> I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access.
>
> Curt
> --
> First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid!
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
* Thus wrote [EMAIL PROTECTED]:
> Hello Chris,
>
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height=1 width=1>
>
> If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access.

Curt
-- 
First, let me assure you that this is not one of those shady pyramid schemes you've been hearing about. No, sir. Our model is the trapezoid!
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-----Original Message-----
> So now I am completely clueless as to why this particular attack works in Mozilla but not in IE.

Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution.

The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things.

http://www.squarefree.com/securitytips/web-developers.html

-Ed
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Hello Ed,

To give some details:

I am unable to re-produce a CSRF attack when the victim is using an I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers.

I can't give you the exact code for attack (for security reasons), but it is similar to the following:

If you insert the following HTML code in any web page residing at any domain, it will cause you to be logged out of /. if you previously logged in the /. system:

<img src="http://slashdot.org/my/logout" height=1 width=1>

This type of attack makes use of CSRF. Try to insert the above HTML line in a web page of your choice, and then load the web page. If you are using Mozilla, it will log you off from /. However in the latest build of I.E. it doesn't work, whereas it should work.

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Ed Lazor <[EMAIL PROTECTED]>
08/16/2004 02:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> -----Original Message-----
> > So now I am completely clueless as to why this particular attack works in Mozilla but not in IE.
>
> Could you describe the problem again and give full detail? I think we need to better model the problem in order to present a more effective solution.
>
> The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things.
>
> http://www.squarefree.com/securitytips/web-developers.html
>
> -Ed
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
> Hello Curt,
>
> Yes, the /. system depends on cookies to keep the user logged in. However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong.
>
> Maybe Chris can correct me, if I am wrong here.

Well, you're not really wrong, but I think I can clarify what Curt was trying to say, and then he can correct me if I'm wrong. :-)

When a browser makes a request for an embedded resource (an image is just one example), it is identical to the request it would make if the user were to browse to that same URL manually. I think we're all in agreement here. Thus, the same cookies would be included in this request.

What Curt is suggesting, I believe, is that your version of IE might behave differently, by default. It might not include cookies in requests for embedded resources when those resources are located at a different domain (thus his mention of third-party cookies). For example, if you're at http://example.org/, and it has an image from http://slashdot.org/, the browser won't include its slashdot.org cookies when making the request to Slashdot. This is an option for most browsers, but it has never been the default behavior for any, to my knowledge.

Maybe that helps clarify something... :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Curt Zirzow <[EMAIL PROTECTED]> wrote:
> I'm not sure how the /. logout system works, but my guess is that they rely on cookies to do this. Since that is a different site than from the originating file, those cookies would be considered third party. I know in IE you can disable third party cookie access.

Good call, Curt. :-)

You can disable this in other Web clients as well, but I don't think it's the default behavior for anything. Perhaps this particular version of IE does not send cookies in requests for embedded resources? This does seem like a plus.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Ed Lazor <[EMAIL PROTECTED]> wrote:
> The link below goes to a page I found that describes CSRF a little differently than what Chris was presenting - to give a different perspective on things.
>
> http://www.squarefree.com/securitytips/web-developers.html

It doesn't seem to be different, actually. It just fails to elaborate much at all. For a non-Chris description of CSRF, you can always have a look at the original description:

http://www.tux.org/~peterw/csrf.txt

This is at least a little more complete. I think CSRF is a bit difficult for someone to grasp at first, especially within a few sentences. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
> To give some details:
>
> I am unable to re-produce a CSRF attack when the victim is using an I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers.
>
> I can't give you the exact code for attack (for security reasons), but it is similar to the following:
>
> If you insert the following HTML code in any web page residing at any domain, it will cause you to be logged out of /. if you previously logged in the /. system:
>
> <img src="http://slashdot.org/my/logout" height=1 width=1>
>
> This type of attack makes use of CSRF. Try to insert the above HTML line in a web page of your choice, and then load the web page. If you are using Mozilla, it will log you off from /. However in the latest build of I.E. it doesn't work, whereas it should work.

Very nice description of what you've been observing. I still find it impossible to believe that the HTTP requests for http://slashdot.org/my/logout sent from Mozilla and IE are identical. :-) Can you show us the exact requests that you logged?

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
I was able to confirm / reproduce what you're experiencing. I was also able to confirm that toggling IE 6's acceptance of 3rd party cookies changes the behavior.

Create an HTML on your local machine with the following line:

<img src="http://www.atfantasy.com/test/image_status.php">

It'll load an image that says the cookie is not set.

Next, open a new browser and go to http://www.atfantasy.com/test/index.php

It'll set the cookie. Now go back and reload the first browser. It says the cookie is still not set.

Go into IE's Privacy options and set IE to accept 3rd party cookies. Do another refresh in the first browser and the image will display saying the cookie is set.

The test index also has other options for setting the cookie, unsetting the cookie, and displaying the image directly (not through your local page).

I think all of this confirms what Curt was saying. If IE has access to third party cookies disabled, the local page may refer to a script elsewhere, but it won't pass cookies back and forth.

Squarefree.com's article (http://www.squarefree.com/securitytips/web-developers.html) recommends a few solutions.

-Ed

-----Original Message-----
> I am unable to re-produce a CSRF attack when the victim is using an I.E. 6.01 SP1 (all patches applied). However the attack works in Mozilla and other older browsers.
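Chris's suggestion earlier in the thread (log the exact requests from a PHP script that the browser fetches as an image) and Ed's image_status.php test come down to the same instrument: an endpoint that answers with a real 1x1 GIF and records whether the browser's cookie for that site travelled with the embedded-resource request. The script below is an added example for this thread, not Ed's or Chris's actual code; `csrf_probe.php`, the `probe_session` cookie name, the log path and the `your-host` placeholder are assumed, and it needs PHP 7.0 or newer for random_bytes. Place it on a server, visit `csrf_probe.php?set=1` once to receive the marker cookie, then embed `<img src="http://your-host/csrf_probe.php">` in a page on a different origin and read the log: `cookie_sent=no` from a browser that withholds third-party cookies (IE 6 SP1 with that privacy setting in this thread, and any current browser that treats a cookie without a SameSite attribute as Lax) next to `cookie_sent=yes` from one that sends them is the difference the sniffer comparison was looking for.

```php
<?php
// csrf_probe.php (assumed name): an "image" endpoint that records what a browser
// actually sends when it fetches an embedded resource, then returns a genuine
// 1x1 GIF so the <img> tag renders cleanly. Added example, not list code.
declare(strict_types=1);

const LOG_FILE    = __DIR__ . '/csrf_probe.log';  // assumed writable by the web server
const COOKIE_NAME = 'probe_session';              // assumed marker cookie name

/**
 * Summarise the parts of a request that matter for a CSRF test: which browser
 * sent it, which page embedded it, and whether the site's cookie came along.
 * Only the presence of the cookie is recorded, never its value.
 */
function describeRequest(array $server, array $cookies, string $cookieName): array
{
    return [
        'time'        => gmdate('c'),
        'method'      => $server['REQUEST_METHOD'] ?? '-',
        'uri'         => $server['REQUEST_URI'] ?? '-',
        'user_agent'  => $server['HTTP_USER_AGENT'] ?? '-',
        'referer'     => $server['HTTP_REFERER'] ?? '-',
        'cookie_sent' => array_key_exists($cookieName, $cookies) ? 'yes' : 'no',
    ];
}

/** One key=value line per request; CR, LF and spaces are neutralised so a crafted header cannot forge extra log entries. */
function formatLogLine(array $fields): string
{
    $parts = [];
    foreach ($fields as $key => $value) {
        $parts[] = $key . '=' . str_replace(["\r", "\n", ' '], ['', '', '_'], (string) $value);
    }
    return implode(' ', $parts) . "\n";
}

/** The smallest valid transparent GIF (43 bytes). */
function onePixelGif(): string
{
    return base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
}

// Request handling runs only when served over HTTP, so the file can also be
// included from the command line to reuse the functions above.
if (PHP_SAPI !== 'cli') {
    if (isset($_GET['set'])) {
        // Normal first-party visit: hand out the marker cookie the probe looks for.
        // No SameSite attribute is set on purpose: browsers that default it to Lax
        // then omit the cookie on cross-site image loads, the same effect the thread
        // observed with IE's third-party cookie setting.
        setcookie(COOKIE_NAME, bin2hex(random_bytes(8)), 0, '/', '', false, true);
        header('Content-Type: text/plain');
        echo COOKIE_NAME . " cookie set\n";
        exit;
    }

    $entry = describeRequest($_SERVER, $_COOKIE, COOKIE_NAME);
    file_put_contents(LOG_FILE, formatLogLine($entry), FILE_APPEND | LOCK_EX);

    header('Content-Type: image/gif');
    header('Cache-Control: no-store');   // every <img> load must reach the server, not the cache
    echo onePixelGif();
}
```

Returning a real image (Ed's question about satisfying the browser's mime type expectations) keeps the probe indistinguishable from an ordinary tracking pixel to the browser, so the only variable left between two browsers is their cookie policy, which is exactly what the log line isolates. The same three headers (User-Agent, Referer, Cookie) are what Chris asked to see from the ethereal capture.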
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-----Original Message-----
> However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong.

I think Curt was correct actually. Hopefully the test I sent earlier can confirm or at least cross-reference this.

-Ed
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Thanks Curt, Chris and Ed,

It is indeed the disabling of third-party cookies that is causing this behaviour in I.E. :)

So thanks for all the help :)

Thanks.
Saqib Ali
http://validate.sf.net
XHTML/DocBook XML Validator and Transformer

Ed Lazor <[EMAIL PROTECTED]>
08/16/2004 04:57 PM
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?

> -----Original Message-----
> > However a CSRF attack is NOT trying to access a third party cookie. The web browser makes the same GET request whether it is using <img/> TAG or the user clicking on a link. So in either case the cookies are in the context of the website to which the cookies belong.
>
> I think Curt was correct actually. Hopefully the test I sent earlier can confirm or at least cross-reference this.
>
> -Ed