XSRF and Identity Misbinding Attacks
aaron posted in Uncategorized on September 25th, 2008
I thought this was kind of a clever chain of attack vectors. I think it illustrates well how you can take multiple smaller security problems, and use the series to exploit something greater (in this case YouTube accounts).
In the post Jeremiah links to a good paper that has some other interesting attack vectors. The paper starts with basic XSRF and current remediation strategies, but then goes into some new attacks that cause a victim user to log into a site with the attacker's credentials. They outline a couple of scenarios where this could allow them to gather credit cards through PayPal, or credentials for iGoogle. They also poke holes in some of the current remediation strategies and even some of the tools that implement them. Defense against this kind of login XSRF is difficult because it requires maintaining some type of pre-session session/token, so they also have some recommendations for adding a new standard Origin HTTP header, which has a number of advantages. It's good reading, you should go read it if you're at all interested in web security.
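To make the two defenses mentioned above concrete, here is an added example (my own sketch, not code from this post or from the paper it discusses) of how a login endpoint can check the Origin header on state-changing requests and bind a pre-session token to the login form so a cross-site POST cannot carry a valid one. The hostnames, the secret key, and the `handle_login` handler are constructed for illustration; the Referer fallback and the rejection of a `null` origin are my design choices, not something the post prescribes.

```python
"""Login-CSRF defenses: Origin-header validation plus a pre-session token.
Added example; hostnames, key and handler are constructed for illustration."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparseable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_origin(method, headers, allowed_origins):
    """Return (allowed, reason) for a request.

    Safe methods pass. For anything else the Origin header must name one of
    our own origins; if Origin is absent we fall back to Referer, and if both
    are missing the request is rejected (fail closed, since a cross-site form
    post may strip them).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    hdrs = {k.lower(): v for k, v in headers.items()}
    origin = hdrs.get("origin")
    if origin is None:
        referer = hdrs.get("referer")
        if referer is None:
            return False, "missing Origin and Referer"
        origin = origin_of(referer)
        if origin is None:
            return False, "unparseable Referer"
    origin = origin.lower()
    if origin == "null":
        # Sandboxed frames and some redirects send a literal "null" origin.
        return False, "null origin"
    if origin in allowed_origins:
        return True, "origin allowed"
    return False, f"cross-origin request from {origin}"


def issue_presession(secret):
    """Called when the login form is served, before any user session exists.

    Returns (cookie_value, form_token): the random id goes in a cookie, and an
    HMAC of that id is embedded as a hidden field in the login form.
    """
    sid = secrets.token_hex(16)
    token = hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()
    return sid, token


def verify_presession(secret, cookie_sid, form_token):
    """True only if the posted token was minted for this browser's cookie."""
    if not cookie_sid or not form_token:
        return False
    expected = hmac.new(secret, cookie_sid.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, form_token)


def handle_login(secret, allowed_origins, method, headers, cookies, form):
    """Constructed login handler combining both checks. Returns a status string."""
    ok, reason = check_origin(method, headers, allowed_origins)
    if not ok:
        return f"rejected: {reason}"
    if not verify_presession(secret, cookies.get("presession"), form.get("csrf")):
        return "rejected: pre-session token mismatch"
    # Credential verification would happen here; the CSRF layers are what matter.
    return f"login attempt accepted for {form.get('user')}"


if __name__ == "__main__":
    key = b"constructed-server-secret"
    site = {"https://example.test"}
    sid, tok = issue_presession(key)
    # Legitimate same-origin post carrying the token minted for this cookie.
    print(handle_login(key, site, "POST", {"Origin": "https://example.test"},
                       {"presession": sid}, {"csrf": tok, "user": "alice"}))
    # Cross-site form post: wrong Origin, rejected before credentials are read.
    print(handle_login(key, site, "POST", {"Origin": "https://other.test"},
                       {"presession": sid}, {"csrf": tok, "user": "alice"}))
```

The pre-session token covers the gap the post describes: a normal CSRF token is tied to a logged-in session, but a login form is served to a browser that has no session yet, so the server has to mint something before authentication and verify it on the POST. The Origin check is the cheaper layer and is the one the paper's recommendation is aimed at; using both means a missing header on an old browser does not silently remove all protection.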