[nycphp-talk] NYPHP cringed at AJAX almost a year ago.... now JS exploit "level 3"
Chris Shiflett
shiflett at php.net
Fri Oct 14 12:19:22 EDT 2005
csnyder wrote:
> Even the random token method that Chris describes can be foiled if
> the attacker is scripting XMLHTTPRequests, because the script can
> request and then POST a valid form, without the user ever knowing it.
Yep, and this is exactly what happened.
This is primarily a CSRF attack, and it uses an XSS vulnerability as a
platform. Apparently Myspace had CSRF protection, but because the XSS
vulnerability allowed the attacker to inject some XMLHttpRequest stuff
into people's profiles, that could be used to first request the form
(victim's token included) and then send the CSRF attack along with the
valid token. The clever part is that the CSRF payload exploited the XSS
vulnerability again, proliferating itself through other people's profiles.
CSRF and XSS have been a deadly combination for years, and I'm hoping
this recent incident helps raise awareness further.
The technical details are interesting, but the personal account is worth
reading just for the laughs:
http://namb.la/popular/
"Oh wait, it's exponential, isn't it. Shit."
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
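The thread's point is that a per-session token stops cross-site forgery only while no attacker script runs in the victim's page: once XSS is present, the injected script can fetch the form with XMLHttpRequest, read the token out of it and submit a valid POST. The following is an added example (not code from the thread or from Chris Shiflett) showing the two halves a defender needs in PHP: the token issue/validate pair, and the output escaping of user-supplied profile content that denies an attacker that foothold in the first place. It uses modern PHP (`random_bytes`, `hash_equals`); the function names, the `$_SESSION['csrf_token']` slot and the form markup are assumptions for illustration.

```php
<?php
// Added example, not part of the original post. Function names, the session
// key and the form layout are assumptions chosen for illustration.

declare(strict_types=1);

// Issue one unguessable token per session and embed it in every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the token sent with a POST; constant-time compare avoids timing leaks.
function csrf_validate(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    return is_string($expected)
        && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Escape user-supplied text before it is written into HTML. Without this,
// markup injected into a profile runs with the victim's session, can read the
// token from the rendered form, and the check in csrf_validate() can no longer
// tell the victim's own request from script acting on their behalf.
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render a profile together with a state-changing form that carries the token.
// Both the profile text and the form action go through escape_html().
function render_profile_form(string $profileText, string $action = '/friend/add'): string
{
    $token = escape_html(csrf_token());
    return '<div class="profile">' . escape_html($profileText) . '</div>'
         . '<form method="post" action="' . escape_html($action) . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Add friend</button>'
         . '</form>';
}

// Handle the POST: refuse anything that does not carry the session's token.
function handle_add_friend(array $post): string
{
    if (!csrf_validate($post['csrf_token'] ?? null)) {
        return 'Forbidden: missing or invalid CSRF token';
    }
    return 'Friend added';
}

if (PHP_SAPI === 'cli') {
    session_start();
    // Constructed sample input: profile text containing markup, rendered inert by escaping.
    echo render_profile_form('<b>hello</b> world'), PHP_EOL;
    echo handle_add_friend(['csrf_token' => 'not-the-token']), PHP_EOL;
    echo handle_add_friend(['csrf_token' => csrf_token()]), PHP_EOL;
}
```

The token check alone is the part MySpace already had; `escape_html()` on everything that originates from other users is what keeps the token out of an attacker's reach. A practical check when reviewing such code is to grep for every place profile or comment content reaches the page and confirm each one passes through the escaping function, since one missed sink is enough to reopen the path the thread describes.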