RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

Subject: RE: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"
Date: Thu, 16 Dec 2004 12:48:55 -0500
While agreeing with much of the paper, I feel that there are two mitigating
factors not strongly enough reinforced:

1) Most sites use some form of Session Expiration. The whole of this paper
assumes that when the user is attacked, they are still logged in and have a
valid session cookie intact. In reality, this attack is only useful while a
user is logged in, and shortly thereafter. Which, while being very plausible
in intranet applications, is unlikely in internet applications, except in
focused attacks.

2) Less secure sites often allow for persistent cookie 'auto-login'
features. These sites are particularly vulnerable to this attack. However,
many of these still redirect the user through the login page, then redirect
to a 'start' page, rather than the requested page. This effectively strips
malicious commands. Further, eBay, which is not so clearly named in the
paper and which DOES have an auto-login feature (My eBay), still requires
entering a password to bid.

Other than that, this is a very plausible attack that I would agree hasn't
received enough attention. I would also add that in the case of the img tag
in the email, an iframe could also be used, similar to recent viruses. It
needn't even be visible.

Regards, 

Noah Gray

-----Original Message-----
From: Thomas Schreiber
To: webappsec@securityfocus.com
Sent: 12/15/04 8:13 PM
Subject: Whitepaper "SESSION RIDING - A Widespread Vulnerability in Today's Web Applications"

Hello,

I would like to point you to a whitepaper just released:

SESSION RIDING - A Widespread Vulnerability in Today's Web Applications
http://www.securenet.de/papers/Session_Riding.pdf

----------
Abstract:

In this paper we describe an issue that was raised in 2001 under the
name of Cross-Site Request Forgeries (CSRF). It seems, though, that it
has been neglected by the community, as it is not part of recent Web
Application Security discussions, nor is it mentioned in OWASP's Top Ten
or the like. After having frequently observed this vulnerability in our
Web Application Security assessments of custom Web applications, we
started to examine various public Web applications and other
browser-based applications:

- popular (commercial) Web sites
- popular browser-based console applications such as administration tools for databases, servers, etc.
- browser-based administration clients of hardware devices
- webmail sites and open source and commercial webmail solutions

We have found out that this vulnerability is present in many of those
sites, services and products, some of which perform sensitive tasks.
Actually, the list of affected companies contains well-known big
players. Our analysis has led us to the conclusion that this
vulnerability is the most widespread one in today's Web applications
right after Cross-Site Scripting (XSS). Even worse, in some scenarios it
has to be considered much more dangerous than XSS.

We feel that a concise description of this issue is necessary, along
with a description of scenarios that highlight the danger to all
browser-based applications that do not provide appropriate
countermeasures, be it Intranet, Internet or console applications. In
this paper, we explain this vulnerability in depth, show that it may be
used unnoticed by the victim, describe potential threats, and finally
give hints on how to make Web applications safe from such attacks.

We prefer to call this issue Session Riding, which more figuratively
illustrates what is going on.
----------

Feedback is very welcome - especially regarding our rating/experience as
one of the most widespread vulnerabilities today. 

Thomas Schreiber
____________________________________________________________
SecureNet GmbH - http://www.securenet.de
+49 89/32133-610
mailto:ts@securenet.de
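As an added illustration, not code from the thread or from the SecureNet paper, here is a small Python model of a request handler that applies the mitigating factors Noah lists above (idle session expiry, the login flow redirecting to a fixed start page rather than the requested URL, and a password prompt before a bid) together with the standard per-session anti-CSRF token that the thread does not name. The site paths, timeout, user and credential values are all constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session is dropped (constructed value)
# Constructed demo credential store; a real application stores password hashes.
PASSWORDS = {"alice": "correct horse"}


@dataclass
class Session:
    user: str
    last_seen: float
    # Secret per-session value that a forged cross-site request cannot know.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


SESSIONS: Dict[str, Session] = {}


def login(user: str, password: str, now: float) -> Optional[str]:
    """Return a new session id on success, None otherwise."""
    if PASSWORDS.get(user) != password:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user, last_seen=now)
    return sid


def handle(path: str, cookies: dict, form: dict, now: float) -> Tuple[int, str]:
    """Dispatch one request the way a site with the discussed mitigations would."""
    sid = cookies.get("sid", "")
    sess = SESSIONS.get(sid)
    # Mitigation 1: idle sessions expire, so a forged request that arrives later is unauthenticated.
    if sess is None or now - sess.last_seen > IDLE_TIMEOUT:
        SESSIONS.pop(sid, None)
        # Mitigation 2: the login flow redirects to a fixed start page, not to the requested path,
        # so whatever the forged URL asked for is discarded.
        return 302, "/login?next=/start"
    sess.last_seen = now
    if path == "/bid":
        # Standard countermeasure (not named in the thread): the form must carry the session's token.
        if not hmac.compare_digest(form.get("csrf", ""), sess.csrf_token):
            return 403, "missing or wrong anti-CSRF token"
        # Mitigation 3: the sensitive action re-asks for the password, which a forged request lacks.
        if form.get("password") != PASSWORDS[sess.user]:
            return 403, "password required to bid"
        return 200, "bid of %s placed by %s" % (form.get("amount", "?"), sess.user)
    return 404, "not found"
```

A request triggered by an img or iframe in an e-mail carries the victim's cookie but neither the token nor the password, so it stops at the first check; once the idle timeout has passed it does not even reach that far.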
