Warrior Tang @ 2008-04-09 09:11:00
Current music: Laziest Men on Mars - AYBABTU
Cross-site request forgery
The other day I surfed upon News Fight, a website that tracks Digg submissions based on their origin on liberal or right-wing blogs and scores how successful the Digg political communities are at getting their stories on the front page. Fun! Nifty! And this site could tell whether I had personally dugg or buried a story! Wait... WTF?!!!
Yeah, that's a security issue. Some random site should not be able to tell what user I am and what I do on another site. I remember Netscape people swearing cookies are safe and they fixed this sort of thing back in the '90s. Apparently it broke again.
If I'm not mistaken, this is an example of Cross-Site Request Forgery (CSRF). CSRF is similar to Cross-Site Scripting (XSS), except that it does not require injecting malicious code into the target website.
Here's the simple version of CSRF. You are logged into site A which is a complex site with user accounts and authentication and everything. In another tab, you visit site B. Some wanker posted code on site B that will access something on site A, like <image src="http://site_A/foobar.php?action=wha
The difference between CSRF and the old "let's change the arguments to this guy's CGI and see what happens" is that the HTTP request is initiated by someone else's browser and takes advantage of an open session that the victim has on the target web site.
In the case of News Fight it probably just pulls down an image from Digg, but the same technique can make your browser pass variables to a backend script on an arbitrary website you are logged in to for some nefarious purpose.
The situation of Digg is more interesting because CSRF is a useful feature for that site. Ever seen those "Digg This" links on some blogs? It's nice to be able to click a button on the blog and automatically Digg the story from there.
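The usual way to keep a cross-site link like "Digg This" useful while stopping the hidden-image trick is a per-session secret token: a cross-site GET only lands on a confirmation page, and the state change happens on a POST that must carry the token site B can never see. The following is an added illustration of that pattern, not code from Digg or News Fight; the `/digg` path, the form fields and the in-memory session store are assumptions made for the example.

```python
import hmac
import secrets

# Constructed, in-memory stand-in for site A's session store: session id -> CSRF token.
SESSIONS = {}


def new_session():
    """Log a user in on site A and bind a fresh random CSRF token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def handle_request(method, path, cookies, form):
    """Site A's handler for the hypothetical state-changing /digg action.

    Returns (status, body). A cross-site GET (an <img> on site B, or a
    'Digg This' link on a blog) never performs the action: it only renders
    a confirmation form with the session's token embedded. The action runs
    only on a POST whose token matches the one bound to the session cookie,
    which a page on another origin cannot read or guess.
    """
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    if path != "/digg":
        return 404, "not found"
    token = SESSIONS[sid]
    if method == "GET":
        # Safe to trigger from anywhere: nothing changes, the user just sees the form.
        return 200, (
            '<form method="POST" action="/digg">'
            f'<input type="hidden" name="csrf" value="{token}">'
            '<input type="hidden" name="story" value="42">'
            '<input type="submit" value="Confirm digg"></form>'
        )
    if method == "POST":
        sent = form.get("csrf", "")
        # Constant-time comparison so the check itself does not leak the token.
        if not hmac.compare_digest(sent, token):
            return 403, "missing or invalid CSRF token"
        return 200, f"story {form.get('story')} dugg"
    return 405, "method not allowed"
```

The browser still attaches the session cookie to the forged request, so the cookie alone proves nothing; the token is what distinguishes the user's own confirmed action from one site B triggered.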
Links for more information on CSRF:
- CSRF: The Sleeping Giant - Explains the types of problems that can be caused by CSRF.
- CSRF Demystified - An excellent description of CSRF with defense techniques.
- Preparing for CSRF Defense (PDF) - A 5-page paper with a few tips for forensics investigations, which can be hampered by CSRF.
- When good XSRF defense turns bad - How not to defend against CSRF.
- In case you are a web developer and thinking "just check the HTTP referrer": HTTP referrers can be forged.