[Owasp-leaders] CSRF

Christian Papathanasiou christian.papathanasiou at owasp.org
Wed May 29 21:56:28 UTC 2013


Hey Eoin, strictly speaking no; technically speaking yes, I think.

As per our OWASP definition
"CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. " ... 
In the attack I mention, the user is not 'currently authenticated' until they find a working user/pass, at which point they are offered an authenticated session id and can access post-auth functionality. 
How I imagine the attack happening is as follows:
<img src="http://server/?login&userid=user1&pass=pass1">
Immediately followed by, e.g., a second (traditional) CSRF vector. 
Think something like
<img src="http://server/?action=transfer&acctfrom=users&acctto=attackers&amnt=monetary_amnt">
Loop both of those img tags for all potential wordlist username/password pairs dished out from an attacker-controlled website. Theoretically one <img> tag CSRF pair will eventually be successful. 
"A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application."
Can compromise end user data in case of normal user; nobody said that that normal user has to be a legitimate user of the system, it can be an unwitting victim CSRFing another unwitting victim.

That's generally what I had in mind. You're right, however, that it's not really traditional vanilla CSRF, but theoretically it would probably achieve the same, I think (assuming of course that more traditional CSRF vectors exist post-auth as well).

Kind Regards,
Christian
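The two-image pairing described above, worked through as an added example that is not code from the thread or from OWASP: the first function emits the login/action <img> pairs an attacker-controlled page would serve per wordlist entry, the second builds the request a browser would actually send for one such image load, and the third is the check a login (or transfer) endpoint can apply so that those loads are refused while a real form submission is accepted. The host name `http://server`, the parameter names, the one-entry wordlist, the `csrf_token` field and the request object shape are all assumptions for illustration.

```javascript
// Added illustration, not code from the thread. Host, parameter names,
// wordlist and request shapes are assumptions.

// ---- attacker side -------------------------------------------------
// For every (user, pass) pair: a GET "login" image load immediately
// followed by a GET state-changing image load. The second request only
// does anything if the first one handed the browser an authenticated
// session, so each pair acts as an oracle for the guessed credentials.
function buildCsrfBatch(target, pairs) {
  const q = (o) => new URLSearchParams(o).toString();
  const tags = [];
  for (const { user, pass } of pairs) {
    tags.push(`<img src="${target}/?${q({ login: '', userid: user, pass })}">`);
    tags.push(`<img src="${target}/?${q({ action: 'transfer', acctfrom: user, acctto: 'attacker', amnt: '100' })}">`);
  }
  return tags.join('\n');
}

// The request a browser on the attacker's page sends for one <img>:
// always GET, no Origin header, and (in current browsers) Fetch Metadata
// headers marking it as a cross-site, no-cors image load.
function requestForImgLoad(url, sessionCookie) {
  const u = new URL(url);
  return {
    method: 'GET',
    path: u.pathname + u.search,
    headers: {
      'sec-fetch-site': 'cross-site',
      'sec-fetch-mode': 'no-cors',
      'sec-fetch-dest': 'image',
      ...(sessionCookie ? { cookie: sessionCookie } : {}),
    },
    body: null,
    session: null,
  };
}

// ---- defender side -------------------------------------------------
// Checks for any state-changing endpoint, login included. `req` is a plain
// object { method, headers (lowercase names), body, session }.
function classifyStateChangingRequest(req, expectedOrigin) {
  // 1. An <img> can only issue GET. Credentials or actions carried in a
  //    GET URL are loadable from any page on the web, so refuse them.
  if (req.method !== 'POST') return { ok: false, reason: 'method' };

  // 2. Fetch Metadata: anything not same-origin (or a direct navigation,
  //    "none") did not come from our own pages.
  const site = (req.headers['sec-fetch-site'] || '').toLowerCase();
  if (site && site !== 'same-origin' && site !== 'none') return { ok: false, reason: 'sec-fetch-site' };

  // 3. Origin header, when present, must match our own origin.
  const origin = req.headers['origin'];
  if (origin && origin !== expectedOrigin) return { ok: false, reason: 'origin' };

  // 4. Per-session anti-CSRF token. The login form needs one too (login
  //    CSRF): the pre-auth session exists before the user is known.
  const token = req.body && req.body.csrf_token;
  if (!token || !req.session || token !== req.session.csrf_token) return { ok: false, reason: 'token' };

  return { ok: true, reason: 'accepted' };
}

// Run the pieces together on a constructed one-entry wordlist.
function demo() {
  const batch = buildCsrfBatch('http://server', [{ user: 'user1', pass: 'pass1' }]);
  const urls = [...batch.matchAll(/src="([^"]+)"/g)].map((m) => m[1]);
  const verdicts = urls.map((u) => classifyStateChangingRequest(requestForImgLoad(u), 'http://server'));
  const legit = classifyStateChangingRequest({
    method: 'POST',
    path: '/login',
    headers: { origin: 'http://server', 'sec-fetch-site': 'same-origin' },
    body: { userid: 'user1', pass: 'pass1', csrf_token: 't0k3n' },
    session: { csrf_token: 't0k3n' },
  }, 'http://server');
  return { urls, verdicts, legit };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Because every request in this scheme arrives from a different victim's IP, per-IP rate limiting sees nothing unusual, and a per-account lockout turns the same traffic into the account DoS gaz mentions further down the thread. Refusing credentials and actions on GET, and refusing cross-site submissions on POST, removes both problems at the endpoint rather than at the counter.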

On 29 May 2013, at 21:41, Eoin <eoin.keary at owasp.org> wrote:

> That's not CSRF strictly speaking. There is no session or forgery. But rather turning victims into bots.
> 
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 29 May 2013, at 15:52, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
> 
>> Absolutely!
>> 
>> Sent from my iPhone
>> 
>> On 29 May 2013, at 15:39, gaz Heyes <gazheyes at gmail.com> wrote:
>> 
>>> Account DOS would work too since you could send a valid username with an incorrect password from lots of IP addresses which might cause an account lockout.
>>> 
>>> 
>>> On 29 May 2013 15:29, Christian Papathanasiou <christian.papathanasiou at owasp.org> wrote:
>>>> Another scenario is:
>>>> 
>>>> Distributed client side login/pass bruteforce :-)
>>>> 
>>>> Once victims connect to attacker controlled server they are dished out hundreds of CSRF vectors such as
>>>> 
>>>> <img src="http://server/login?username=user1&pass=pass1">
>>>> 
>>>> Username password pairs
>>>> 
>>>> With each subsequent CSRF vector sent  testing for a post authentication function
>>>> 
>>>> Once word list subset exhausted page updates with next set to try
>>>> 
>>>> In essence achieving distributed non attributable brute force (and potentially knock on effects of application layer DoS)
>>>> 
>>>> All theoretically possible I think but have never seen that really done in the wild have any of you? Perhaps something BeEF does in the XSS world?
>>>> 
>>>> Christian
>>>> 
>>>> On 29 May 2013, at 14:46, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>>>> 
>>>> > Another scenario is when you need to poison DNS cache. In that case you
>>>> > may need many resolution requests from a lot of different IPs. And maybe
>>>> > the function that forces the DNS resolution is in the authenticated area
>>>> >
>>>> >
>>>> > On 05/29/2013 03:19 PM, gaz Heyes wrote:
>>>> >> On 29 May 2013 14:14, Giorgio Fedon <giorgio.fedon at owasp.org> wrote:
>>>> >>
>>>> >>    Incrimination is something that may happen by forcing a user doing
>>>> >>    something illegal.
>>>> >>
>>>> >>
>>>> >> That isn't what I meant. You can assign the IP address of the user to
>>>> >> a specific account that has already performed or about to perform
>>>> >> illegal activity.
>>>> >
>>>> >
>>>> > --
>>>> > | Giorgio Fedon, Owasp Italy
>>>> > |
>>>> > | In Input Validation
>>>> > |            and Output Sanitization,
>>>> > |                                   We Trust
>>>> > --
>>>> > | Web: https://www.owasp.org/index.php/Italy
>>>> > |_____________________________________________.
>>>> >
>>>> > _______________________________________________
>>>> > OWASP-Leaders mailing list
>>>> > OWASP-Leaders at lists.owasp.org
>>>> > https://lists.owasp.org/mailman/listinfo/owasp-leaders