On 18/03/2008, Vishal Garg <vishal@firstbase.co.uk> wrote:
Hi List,
I have tested the following attack in Firefox and it has worked
successfully, while I would not have expected this to work because of
the same origin policy in Firefox. The Firefox version I am using is
2.0.0.12.
http://www.victim.com/webapp/wcs/servlet/ImagePopup?storeId=111&imageName=image1.jpg&imageText=%3Cimg%20src=http://www.attacker.com/images/image2.jpg%3E
Can someone please explain why this attack works in Firefox.
Same origin doesn't apply to <img> tags - you can load images from
anywhere on the net. But, it looks like you are exploiting a XSS to
get your image loaded into a page, rather than a CSRF to GET/POST to a
victim server.
The typical CSRF request would be produce a GET/POST to e.g.
http://victim.com/deletemyprofile.php , but triggered by viewing a
page on http://attacker.com/ - so you don't really have a CSRF attack
here, but does look like XSS. (I think - please feel free to disagree)
cheers,
Jamie
--
Jamie Riden / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed? What
tools can accelerate the assessment process? Download this Whitepaper today!
https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------
