Protection from cross-site request forgery attacks beaten
A new technique shows how attackers can get round security measures intended to prevent Cross-Site Request Forgery (CSRF) attacks. CSRF, aka session riding, attacks involve websites changing things such as router configuration or blog content by using special embedded links. This generally requires the user both to be logged into the website on which the attack is to be made and to have the nefarious website open in the browser at the same time.
Tokens consisting of a single use random number, which are transferred between the server and client as part of the URL, are meant to protect against this kind of attack. Attackers cannot usually predict these tokens, with the result that their crafted links no longer work.
A security specialist that goes by the pseudonym Inferno has published details of how it's possible to obtain valid tokens, to allow successful CRSF attacks to be carried out, by using a brute force attack on the client. The method utilises a three-year old technique for reading the browser history via CSS.
Previously clicked links are displayed in the browser in a different colour to links to pages which have not yet been visited. The different colours are produced by a change in the style sheet for the HTML file, which the browser stores as an attribute in its history. By calling a long list of potential websites, it's possible to test the colour scheme for the style sheet and work out which websites have been visited.
However, the tokens used to protect against CSRF attacks are usually much longer than this, meaning that, at present, finding tokens using this method would still be too time-consuming. Inferno recommends making tokens at least 8 characters in length and storing tokens in a hidden form field rather than the URL. Plug-ins such as SafeHistory for Firefox and the browser's special incognito mode also prevent websites from sniffing around the browser history.
- Attackers able to read out list of visited web pages, a report from The H.