
Topic: I was wondering if CSRF attacks works through images... (Read 1390 times)

legendary
Activity: 1218
Merit: 1000
Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image.  Grin

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.

Some functions are harmless, like logging you out. At worst, what would happen is you have to log in again.
You can prevent that with a token, e.g. ?logout&hl=en&token=23nikhu, so his image wouldn't do anything without the token (which should be something random).
newbie
Activity: 56
Merit: 0
Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.

Time to start to troll other forums with that as the sig image.  Grin

But in all seriousness, I'm surprised Google falls for this. I always imagined they were mostly on top of web design best practices and security.
jr. member
Activity: 56
Merit: 1
That is crazy. So when all the sites had CSRF vulnerabilities, we could have all been hijacked with embedded images that we never see. Just browsing the forum was dangerous. I guess most CSRF exploits read a cookie for session information, but still...
cmh
newbie
Activity: 21
Merit: 0
Here, this one will log you out of a regular gmail account. <img src="https://mail.google.com/mail/?logout&hl=en" />
I decided to remove it so everybody doesn't get mad at me.
cmh
newbie
Activity: 21
Merit: 0
If it doesn't work for you, see if you are really logged into a "google accounts" account. It won't log you out of a regular gmail account.
hero member
Activity: 493
Merit: 500
It will only work on sites which take an action on a GET, since images are always a GET and not a POST.  So, rule number 1 of site design is to never do anything destructive on a GET.  In general, logging out is about the worst you can do to someone on a reputable site.
qed
full member
Activity: 196
Merit: 100
Yes it DOES work, it's a matter of the REQUEST not the RETURN.

If you're logged in to www.xpto.com

and get into the xpto.com's attacker site www.scammerzR.us a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say, www.xpto.com's creator is lousy coder, to withdraw btc all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long shot attack, the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook where even if currently you're not there you may have an auth cookie.

Not working for me on google. If it does work for www.xpto.com it plain means it is an awful site.
legendary
Activity: 1218
Merit: 1000
Yes it DOES work, it's a matter of the REQUEST not the RETURN.

If you're logged in to www.xpto.com

and get into the xpto.com's attacker site www.scammerzR.us a fake image from scammerzR.us can make you perform some request at xpto.com.
Let's say, www.xpto.com's creator is lousy coder, to withdraw btc all you've to do is call withdraw.php?amount=10&addr=bitcoinAddress...
An image at scammerzR.us pointing at <img src="http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress" /> would make you transfer all from your account to his.

CSRF is however a veryyyyyyyy long shot attack, the attacker has to have a reason to believe you may be logged in to the target site to input that sort of code. Normally this works better against sites like Facebook where even if currently you're not there you may have an auth cookie.
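The three technical points in this thread (the withdraw.php scenario above, the "never do anything destructive on a GET" rule, and the earlier suggestion of a random token on the URL) can be put together in one runnable model. This is an added example, not code from the thread or from any real site: www.xpto.com, withdraw.php, scammerzR.us and the 10 BTC balance are the thread's hypothetical names, and the session store, cookie jar, token placement and handler signatures are assumptions of the example. It shows the vulnerable handler draining the account from a bodyless image GET, the same request bouncing off a POST-only handler with a per-session token, the legitimate form still working, and, going slightly beyond the thread, how a SameSite cookie stops the browser from attaching the session cookie to a cross-site image fetch in the first place.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE = "www.xpto.com"                     # hypothetical site from the thread
SESSIONS = {}                             # sid -> {"user", "balance", "csrf"} (assumed layout)


@dataclass
class Request:
    method: str
    url: str
    cookies: dict                              # cookies the browser chose to attach
    form: dict = field(default_factory=dict)   # POST body fields (always empty for an <img> GET)


def login(user, balance):
    """Create a session; a random per-session CSRF token is minted alongside it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "balance": balance,
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def _session(req):
    return SESSIONS.get(req.cookies.get("sid"))


def _amount(sess, raw):
    return sess["balance"] if raw == "all" else int(raw)


def withdraw_vulnerable(req):
    """withdraw.php as the thread describes it: acts on a GET and trusts the cookie alone."""
    sess = _session(req)
    if sess is None:
        return 401, "login required"
    q = parse_qs(urlsplit(req.url).query)
    amount = _amount(sess, q["amount"][0])
    sess["balance"] -= amount
    return 200, f"sent {amount} to {q['addr'][0]}"


def withdraw_hardened(req):
    """Same action, POST-only and gated on a token the attacker's page cannot read."""
    sess = _session(req)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":                       # an <img> can never get past this line
        return 405, "withdraw requires POST"
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403, "missing or wrong CSRF token"  # constant-time compare, no token leakage
    amount = _amount(sess, req.form["amount"])
    sess["balance"] -= amount
    return 200, f"sent {amount} to {req.form['addr']}"


def browser_loads_image(img_src, page_host, cookie_jar):
    """Model the browser fetching <img src=img_src> while displaying a page from page_host.

    An <img> fetch is always a bodyless GET. Classic behaviour: every cookie stored for the
    image's host is attached. A cookie flagged SameSite=Lax or Strict is withheld when the
    page's host differs from the image's host (a cross-site subresource request).
    cookie_jar layout (assumed): host -> {name: (value, samesite_or_None)}
    """
    host = urlsplit(img_src).hostname
    sent = {}
    for name, (value, samesite) in cookie_jar.get(host, {}).items():
        if samesite in ("Lax", "Strict") and page_host != host:
            continue
        sent[name] = value
    return Request("GET", img_src, cookies=sent)


ATTACK_IMG = "http://www.xpto.com/withdraw.php?amount=all&addr=scammerzRusAddress"


def attack(handler, samesite=None):
    """A victim holding 10 BTC (constructed) visits scammerzR.us; returns (status, balance left)."""
    SESSIONS.clear()
    sid = login("victim", 10)
    jar = {SITE: {"sid": (sid, samesite)}}
    req = browser_loads_image(ATTACK_IMG, "www.scammerzR.us", jar)
    status, _ = handler(req)
    return status, SESSIONS[sid]["balance"]


def legitimate_withdraw():
    """The real form on www.xpto.com: a POST carrying the token the page rendered."""
    SESSIONS.clear()
    sid = login("victim", 10)
    req = Request("POST", f"http://{SITE}/withdraw.php", cookies={"sid": sid},
                  form={"amount": "3", "addr": "ownAddress", "csrf": SESSIONS[sid]["csrf"]})
    status, _ = withdraw_hardened(req)
    return status, SESSIONS[sid]["balance"]


if __name__ == "__main__":
    print("vulnerable, classic cookies:", attack(withdraw_vulnerable))            # (200, 0)
    print("vulnerable, SameSite=Lax cookie:", attack(withdraw_vulnerable, "Lax"))  # (401, 10)
    print("hardened, classic cookies:", attack(withdraw_hardened))                # (405, 10)
    print("hardened, real form POST:", legitimate_withdraw())                     # (200, 7)
```

The method check alone already defeats the image vector, which is the hero member's point; the token is what also stops a cross-site auto-submitted POST form, which an image cannot produce but a hostile page can. Note that the vulnerable handler with a SameSite=Lax cookie returns 401 only because the cookie never arrived, not because the endpoint got any safer, so the server-side fix is still the one to ship.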
legendary
Activity: 882
Merit: 1000
What the hell, it DOES work.

Logged me out of my Google account. I use Windows 7 Ultimate with Google Chrome.
0.0
qed
full member
Activity: 196
Merit: 100
This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends an HTTP request to the URL.

But, but...

Not working + spam thread => Big fail.
member
Activity: 70
Merit: 10
This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.

Yes, but your browser sends an HTTP request to the URL.
qed
full member
Activity: 196
Merit: 100
This is the dumbest thing I have ever seen. Images are not being opened as a page /facepalm.

Quit the spam.
member
Activity: 70
Merit: 10
Since your browser goes to the page itself to fetch the image for you to see, I'm just curious if this would work.

Oh, that's cool, it really does log me out of Google. LOL, take a look at the URL yourself.