CSRF Vulnerability In Twitter Allows Forced Following
- tihemafactioloa
- Aug 17, 2023
- 3 min read
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
Let's take a step back here. The goal of CSP is to prevent an injected XSS payload from executing. Deploying it therefore presupposes that the application under protection may still contain an XSS vulnerability through which an attacker can inject code; CSP is a second line of defence behind proper output encoding, not a substitute for it.
To figure out what we can lock down, let's carefully examine what capabilities the button requires. The HTML that's loaded into the frame executes a bit of JavaScript from Twitter's servers, and generates a popup populated with a tweeting interface when clicked. That interface needs access to Twitter's cookies in order to tie the tweet to the correct account, and needs the ability to submit the tweeting form. That's pretty much it; the frame doesn't need to load any plugins, it doesn't need to navigate the top-level window, or any of a number of other bits of functionality. Since it doesn't need those privileges, let's remove them by sandboxing the frame's content.

Sandboxing works on the basis of an allow-list (a whitelist). We begin by removing all permissions possible, and then turn individual capabilities back on by adding specific flags to the sandbox's configuration. For the Twitter widget, we've decided to enable JavaScript, popups, form submission, and twitter.com's cookies, which correspond to the allow-scripts, allow-popups, allow-forms and allow-same-origin flags. We can do so by adding a sandbox attribute to the iframe that lists exactly those flags and nothing else.
Sandboxing can be even more flexible when combined with two other iframe attributes: srcdoc and seamless. The former allows you to populate a frame with content without the overhead of an HTTP request, and the latter was meant to allow style to flow into the framed content. When this was written, both had fairly miserable browser support (Chrome and WebKit nightlies); since then srcdoc has become widely supported, while seamless was removed from the HTML specification and is not supported by current browsers. You could, for example, sandbox comments on an article by rendering each comment into a fully sandboxed srcdoc frame, so that any markup a commenter smuggles in runs with no script, no forms and a unique opaque origin.
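The two sandboxes described above (the minimally privileged tweet-button frame and a fully locked-down srcdoc frame for comments), as an added example that is not code from the original post or from Twitter. The sandbox tokens are standard HTML attribute values; the function names, the widget URL and the sample comment are assumptions made for this example. It also shows the one check a practitioner should make before combining flags.

```javascript
// Added example (not code from the original post or from Twitter): building the
// markup for sandboxed frames. The sandbox tokens are standard HTML values; the
// function names and the sample comment below are assumptions for this example.

// Escape a string for use inside a double-quoted HTML attribute. srcdoc is an
// attribute, so an unescaped quote inside a comment would close srcdoc and let
// the comment inject its own, more permissive, sandbox attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// The minimal capability set the post arrives at for the tweet button:
// JavaScript, popups, form submission and the framed origin's own cookies.
const TWEET_BUTTON_SANDBOX = "allow-scripts allow-popups allow-forms allow-same-origin";

function tweetButtonIframe(src) {
  return `<iframe src="${escapeAttr(src)}" sandbox="${TWEET_BUTTON_SANDBOX}"></iframe>`;
}

// Untrusted comments get an empty sandbox: no scripts, forms, popups, plugins
// or top-level navigation, and a unique opaque origin, so the comment cannot
// read the host page's cookies or DOM even if it contains markup.
function sandboxedComment(commentHtml) {
  return `<iframe sandbox srcdoc="${escapeAttr(commentHtml)}"></iframe>`;
}

// Caveat: allow-scripts together with allow-same-origin is self-defeating when
// the framed document is same-origin with the embedding page, because the
// framed script can then reach into the parent and remove the sandbox attribute.
function sandboxIsSelfDefeating(tokens, framedIsSameOriginAsParent) {
  const t = new Set(tokens.split(/\s+/).filter(Boolean));
  return framedIsSameOriginAsParent && t.has("allow-scripts") && t.has("allow-same-origin");
}

// Constructed sample: a comment that tries to break out of the srcdoc attribute
// and grant itself scripts plus the host origin.
const hostileComment =
  'Nice post" sandbox="allow-scripts allow-same-origin"><script>alert(document.cookie)</script>';

console.log(tweetButtonIframe("https://platform.twitter.com/widgets/tweet_button.html"));
console.log(sandboxedComment(hostileComment));
```

The tweet-button frame is cross-origin with the embedding page, so allow-same-origin there only gives the widget twitter.com's cookies; the same combination on a frame that shares the host's origin would let the framed script strip the sandbox, which is what the last function flags.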
Cross-site scripting (XSS) is a security exploit which allows an attacker to inject malicious client-side code into a website. This code is executed in the browsers of the victims and lets the attacker bypass access controls and impersonate users. According to the Open Web Application Security Project (OWASP), XSS was the seventh most common web application vulnerability in its 2017 Top 10.
SameSite is an attribute on cookies that allows web developers to declare that a cookie should be restricted to a first-party, or same-site, context. The attribute can have any of the following values:
- Strict: the cookie is only sent with requests originating from the same site, so it is omitted even when a user follows a link to the site from elsewhere.
- Lax: the cookie is sent on same-site requests and on top-level navigations that use a safe method such as GET, but not on cross-site POSTs or subresource requests; this is what modern browsers assume when the attribute is missing.
- None: the cookie is sent on all requests, including cross-site ones, and browsers only accept it when the Secure attribute is also set.
Given that IT security is an ever-changing field, there are always new exploits being discovered. One of my personal favorite CSRF vectors leveraged weaknesses in Flash and an overly-permissive crossdomain.xml policy to perform CSRF against JSON endpoints, which a plain HTML form cannot otherwise reach with the right content type. There was even a nice tool for exploiting it at _json_csrf, though browsers have since fixed the underlying issue and Flash reached end of life at the end of 2020. That being said, always be on the lookout for new ways to submit requests to applications, because one never knows when a new vector will appear.
A CSRF vulnerability can give an attacker the ability to force an authenticated, logged-in user to perform an important action without their consent or knowledge. It is the digital equivalent of forging the victim's signature on an important document, and in some ways more effective, because the attacker leaves little trace: the forged request carries the victim's session cookies and arrives from the victim's own browser and IP address, so on the server it looks identical to a genuine request. This means that any application that lets a user send or update data on the strength of an ambient credential such as a cookie alone is a possible target.
We previously discussed using CORS to secure user data, while allowing some cross-origin access. The same-origin policy, which CORS only selectively relaxes, handles this case well: it disallows the retrieval and inspection of response data from another origin. Without the cooperation of Mixmax servers in the form of CORS headers, the browser will prevent third-party JavaScript from reading data out of the image, and cross-origin AJAX requests for it will fail with a security error.
However, cross-origin resource sharing (CORS) was introduced alongside HTML5 to allow developers to selectively lift some of the restrictions enforced by the SOP. For instance, to signal to the browser that another origin is allowed to read responses to authenticated requests, api.example.org would respond with an Access-Control-Allow-Origin header naming that origin together with Access-Control-Allow-Credentials: true. Browsers reject the combination of a wildcard Access-Control-Allow-Origin: * with credentials, so an API that wants to share authenticated data has to name the requesting origin explicitly, and should only do so after checking it against an allow-list rather than reflecting whatever Origin header it receives.
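The CORS exchange described above, as an added example that is not code from the original post or from any of the sites it quotes: the server side of an origin allow-list for api.example.org, and a simplified model of the browser's read decision so the effect of each header can be checked offline. corsHeaders, browserAllowsRead and the origins used are assumptions for this example.

```javascript
// Added example (not code from the original post or from any of the sites it
// quotes): the server side of a CORS allow-list and a simplified model of the
// browser's read check. corsHeaders, browserAllowsRead and the origins below
// are assumptions for this example.

// Response headers api.example.org would emit. Only an exact allow-list match
// gets Access-Control-Allow-Origin; reflecting an unvalidated Origin header
// would let any site read authenticated responses. Vary: Origin keeps shared
// caches from serving one origin's CORS answer to another.
function corsHeaders(requestOrigin, allowedOrigins) {
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string" || !allowedOrigins.includes(requestOrigin)) {
    return headers; // no ACAO header: the browser withholds the body from script
  }
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Simplified browser rule: may script running on `origin` read this response?
// `withCredentials` means cookies were sent (fetch credentials: "include").
function browserAllowsRead(origin, responseHeaders, withCredentials) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard is refused for credentialed requests
  if (acao !== origin) return false;
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

// Constructed sample: one trusted web origin, one attacker origin.
const ALLOWED = ["https://app.example.org"];
const trusted = "https://app.example.org";
const attacker = "https://evil.example";

console.log(corsHeaders(trusted, ALLOWED));
console.log("trusted can read:", browserAllowsRead(trusted, corsHeaders(trusted, ALLOWED), true));   // true
console.log("attacker can read:", browserAllowsRead(attacker, corsHeaders(attacker, ALLOWED), true)); // false
```

Note that a request that fails the read check is still sent by the browser, cookies included; CORS only controls whether the response is exposed to script, which is why it does not replace the CSRF defences discussed earlier.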
A CSRF vulnerability (Cross-Site Request Forgery) is a flaw that lets an attacker abuse a user, the user's web browser and a server at the same time. The principle is quite simple: the objective of the attack is to force a user who is authenticated to a website or web application to perform specific actions without their knowledge.