|
Posted by "bruce" on 09/22/05 02:46
chris..
thanks for the replies... i think i understand what you're stating.. but i'm still confused as to why my app/server would allow a GET/POST piece of data that would/should be originating from a form on my site to come from a 3rd party/external site/app? i would have assumed that there are relatively easy/straight-forward methods to resolve this.
are you saying that my assumptions are wrong? i would have thought that it would have been simple to only accept 'data' or to restrict 'data' to forms/apps that are resident on my server/environment...
comments/thoughts....
-bruce
-----Original Message-----
From: Chris Shiflett [mailto:shiflett@php.net]
Sent: Wednesday, September 21, 2005 4:16 PM
To: bedouglas@earthlink.net
Cc: 'Jasper Bryant-Greene'; 'PHP Mailing Lists'
Subject: Re: [PHP] security/sql issues with php
bruce wrote:
> i just read an article that described how someone could have a url of
> 'http://foo.com/....' and have the URL in an <img> in their website.
> the website could be cat.com. the article implied that if a user would
> select the img, the link to the foo.com would be initiated, thereby
> fooling the user...
>
> i'm lost. i was under the impression that any interaction between the
> user and foo.com was essentially between the user and 'foo.com'. so that
> even though 'cat.com' may have caused the user to hit the link, the
> communication still occurs between the user and 'foo.com', not 'cat.com'
It sounds like you read an article about CSRF, cross-site request
forgeries. This is a bit difficult to explain, and it's a vulnerability
that exists in almost every PHP application I've audited.
CSRF describes any attack that causes a victim to send a request of the
attacker's choosing. In other words, a victim might send a request to
http://books.example.org/ without knowing it and without actually
visiting a web page at http://books.example.org/.
Using an img tag is just one type of attack - it's the most common, but
only because it's the easiest.
I gave a talk recently that was a hands-on demonstration of a handful of
common attacks, and CSRF was one:
http://brainbulb.com/talks/php-security-by-example.pdf
You can get the code for the exercises here:
http://brainbulb.com/phpworks.tar.gz
The second exercise is devoted to CSRF, and your first task is to
exploit the vulnerability. I think exploiting vulnerabilities is a
pretty good way to get a better understanding of them. Unfortunately,
viewing the slides of a talk is much less helpful than the talk itself,
but maybe there's enough there for you to understand the attack.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
[Back to original message]
|