|
Posted by Chris Shiflett on 09/22/05 02:16
bruce wrote:
> i just read an article that described how someone could have a url of
> 'http://foo.com/....' and have the URL in an <img> in their website.
> the website could be cat.com. the article implied that if a user would
> select the img, the link to the foo.com would be initiated, thereby
> fooling the user...
>
> i'm lost. i was under the impression that any interaction between the
> user and foo.com was essentially between the user and 'foo.com'. so that
> even though 'cat.com' may have caused the user to hit the link, the
> communication still occurs between the user and 'foo.com', not 'cat.com'
It sounds like you read an article about CSRF, cross-site request
forgeries. This is a bit difficult to explain, and it's a vulnerability
that exists in almost every PHP application I've audited.
CSRF describes any attack that causes a victim to send a request of the
attacker's choosing. In other words, a victim might send a request to
http://books.example.org/ without knowing it and without actually
visiting a web page at http://books.example.org/.
Using an img tag is just one type of attack - it's the most common, but
only because it's the easiest.
I gave a talk recently that was a hands-on demonstration of a handful of
common attacks, and CSRF was one:
http://brainbulb.com/talks/php-security-by-example.pdf
You can get the code for the exercises here:
http://brainbulb.com/phpworks.tar.gz
The second exercise is devoted to CSRF, and your first task is to
exploit the vulnerability. I think exploiting vulnerabilities is a
pretty good way to get a better understanding of them. Unfortunately,
viewing the slides of a talk is much less helpful than the talk itself,
but maybe there's enough there for you to understand the attack.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
[Back to original message]
|