Researchers Inferno and RSnake separately released their work -- Inferno, a proof-of-concept for finding CSRF defense "tokens" by launching a silent brute-force attack on a client's browser, and RSnake (a.k.a. Robert Hansen), CEO of SecTheory, a new tool that goes after Firefox 3.5's new feature for mashups within Web applications.
Inferno posted a proof-of-concept over the weekend that demonstrates how to grab a CSRF token -- basically a security feature assigned to a user that protects against CSRF attacks -- from a user to wage a CSRF attack. His method goes after the client, based on the so-called XSS History Hack that researcher and WhiteHat Security CTO Jeremiah Grossman revealed three years ago.
"Uptil now, it was considered infeasible for an attacker to discover your CSRF token using Brute Force Attacks on the server," Inferno blogged, mainly because such an attack would be noisy and therefore easily detectable by an intrusion-detection system (IDS) or Web application firewall (WAF). "Many applications are programmed to invalidate your session after it detects more than a certain number of requests with invalid token values."
Inferno's client-side attack generates very little traffic, however, so it goes unnoticed by the IDS and WAF, he says. It brute-force hacks sets of URLs in the browser's history to find the user's CSRF token. Once the attacker has the token, he can bypass CSRF protections.
But "unless I, as an attacker, have your session ID [cookie], I can't figure out what your token is," WhiteHat's Grossman says. "And if I do get your session ID...then, well, you've got bigger problems."
CSRF attacks have been relatively rare, mainly because XSS bugs are so prevalent in Web applications and XSS bugs can be used to get past CSRF defenses, anyway, Grossman says. "So when XSS goes away, these [CSRF] attacks will become more common," he says. "If you can't find an XSS [flaw] on the target Website, this technique is something to put in the toolbox."
But Michael Sutton, vice president of security research at Zscaler, notes this new CSRF hack has its limitations -- namely the number of characters in the token. "While the technique has some value for an attacker, it would have limited application given the restriction that the token be no more than five characters and be included in the URI [uniform resource identifier]," he says. "It is common for such tokens to have a greater length and be passed in cookies or hidden form fields."
RSnake, meanwhile, has built a tool that pokes a hole in Firefox 3.5's cross-origin resource sharing (CORS) feature, which lets your server call other servers for mashing up content, for instance. Mozilla has built defenses into CORS to prevent abuse, such as an opt-in measure, but RSnake says he found a way to work around those defenses. "The server that is going to have information pulled from it has some information that tells the browser it's OK to pull this information and return it to the browser's [domain]," he says.
The XMLHttpRequest ping-sweeping tool can basically point the user's browser back at his or her internal network. The attacker can tell if an intranet site is behind the browser given the time it takes the site to respond, or not. "If I can tell the difference between the time that a page can be contacted and the time a browser times out because the connection can't be reached, it turns into an internal 'ping,'" RSnake says. "And it lets the browser see what machines are live and not live.
But this is only a first step in an intranet attack, RSnake says. "All I can see is a server sitting there " I can't see the pages," he says. "But I now know which servers are there and can do a targeted attack on those IP addresses using the cross-domain address."
Zscaler's Sutton, meanwhile, says this is yet another port-scanning method for an attacker. "There are other hacks which can permit intranet port scanning, such as those using XSS," Zscaler's Sutton says. "This is yet another port-scanning technique for an attacker to add to their toolkit -- although it is fairly limited in scope at this point being restricted to Firefox 3.5."
RSnake says he didn't test the attack on Internet Explorer 8.0's similar feature, XDomainRequest. Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.