Comments below.
Noah Gray wrote:
While agreeing with much of the paper, I feel that there are two mitigating
factors not stronly enough reinforced:
1) Most sites use some form of Session Expiration. The whole of this paper
assumes the when the user is attacked, they are still logged in, and have a
valid session cookie intact. In reality, this attack is only useful while a
user is logged in, and shortly thereafter. Which, while being very plausible
in intranet application, is unlikely in internet applications, except in
focused attacks.
You are correct, this is why expiration is important.
2) Less secure sites often allow for persistent cookie 'auto-login'
features. These sites are particularly vulnerable to this attack. However,
many of these still redirect the user through the login page, then redirect
to a 'start' page, rather than the requested page. This effectively strips
malicious commands. Further, in the case of eBay, which is not so clearly
named in the paper, that DO have an auto-login feature (My eBay), still
require entering a password to bid.
Yes, however, using a method described in this paper, when attacking
such a site (that does not require a password like ebay, but does
provide login/redirect as you describe). An attacker could simply send
the request twice, with a timeout between the two, the first to initiate
the session, and be redirected, and the second to carry out the wanted
command on the target app.
In the case of ebay, the user could be "phished" into entering their
password (could be done the "natural" way, by allowing the target app to
do this, or could be "enhanced" using javascript and/or XMLHTTP
objects), which mitigates but does not eliminate the risk.
Other than that, this is very plausible attack that I would agree hasn't
received enough attention. I would also add that in the case of the img tag
in the email, an iframe could also be used, similar to recent viruses. It
needn't even be visible.
I agree w/ you completely.
