Hello All,
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF (Cross Site Request Forgery) attack
(using img/ TAG) in I.E. 6.01, but am unable to do so. However the
attack works on Mozilla and other older browsers.
My
[snip]
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF (Cross Site Request Forgery) attack
(using img/ TAG) in I.E. 6.01, but am unable to do so. However the
attack works on Mozilla and other older browsers.
My
PROTECTED]
Sent: Monday, August 16, 2004 10:57 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
[snip]
I am working on securing an application that uses CDSSO (Cross Domain
Single Sign On).
I am trying to reproduce the CSRF
[snip]
Perhaps the question could be asked another way and be more on topic.
Is there a fix in I.E. 6.01 that would interfere with PHP being able to
generate different mime types on the fly, like .png or .jpg
[/snip]
a. But that wasn't what he asked.
2. Top-posting === bad
--
PHP General
--- Jay Blanchard [EMAIL PROTECTED] wrote:
You would have to ask the Microsoft Development Group, who
probably does not subscribe to this list. Crossposting is bad.
Being OT during a crosspost is even worse. I can hear the
flamethrowers warming up in the wings.
FYI - This is (or used to be)
Jay Blanchard wrote:
FYI - This is (or used to be) a PHP list
If I have a web server running php, how do I change the oil in my car?
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
[EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit:
--- [EMAIL PROTECTED] wrote:
My question: Is I.E. 6.01 SP1 doing something to foil the CSRF
attack, i.e. only allow image extensions .gif .png .jpeg?
This seems highly unlikely. Can you show us the code you're using to test?
Chris
=
Chris Shiflett - http://shiflett.org/
PHP Security
--- Jay Blanchard [EMAIL PROTECTED] wrote:
[snip]
Perhaps the question could be asked another way and be more on
topic.
Is there a fix in I.E. 6.01 that would interfere with PHP being
able to generate different mime types on the fly, like .png or
.jpg
[/snip]
a. But that wasn't
]
To
Jay Blanchard [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
cc
Subject
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- Jay Blanchard [EMAIL PROTECTED] wrote:
You would have to ask the Microsoft Development Group, who
probably does not subscribe
[snip]
Yup I think my posting is very on-topic. The application that
I am working on is written in PHP.
[/snip]
Thanks for stating that in your original post.
downloads.seagate.com
Chris Shiflett [EMAIL PROTECTED]
No Phone Info Available
08/16/2004 11:24 AM
Please respond to
[EMAIL PROTECTED]
To
[EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED]
cc
Subject
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
My question
--- [EMAIL PROTECTED] wrote:
And I'm sure all PHP developers check their applications for
CSRF vulnerability, in various browsers (including I.E. ).
I speak about CSRF in many of the talks I give, and I think you'd be
surprised by how many people haven't even heard of it.
As a PHP/Java
--- [EMAIL PROTECTED] wrote:
I can't share the exact code ;) , but here is something very
similar:
img src=http://slashdot.org/my/logout; height=1 width=1
If I load a web page with the above code, it should log me out
of slashdot. It works in Mozilla (and netscape), but not in I.E.
6.01
-Original Message-
Jay Blanchard wrote:
FYI - This is (or used to be) a PHP list
If I have a web server running php, how do I change the oil in my car?
Have you tried the OilChange class from PHPClasses.org? ;)
-Ed
What if you add a random seed to the URL?
img src=http://slashdot.org/my/logout?fluff=?php echo rand(1,200);?
height=1 width=1
-Original Message-
Hello Chris,
I can't share the exact code ;) , but here is something very similar:
img src=http://slashdot.org/my/logout; height=1
-Original Message-
The best information would be if you can capture the exact HTTP
transactions involved. For example, using something like ethereal, capture
the request and response for Mozilla, and then do the same for IE 6.01
SP1.
Short of that, you could create a URL
--- Ed Lazor [EMAIL PROTECTED] wrote:
Wouldn't it work to just make the script spit out a mime type
header and a small (1x1) image when it's done to satisfy the
browser's mime type requirements?
Definitely, but most CSRF attacks are meant to spoof a request from the
legitimate user to some Web
-Original Message-
Definitely, but most CSRF attacks are meant to spoof a request from the
legitimate user to some Web site where he/she already has privilege. Thus,
the receiving site is usually as much the victim as the user.
I'm not sure if that makes any sense... :-)
It does =)
16, 2004 9:52 PM
Subject: RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
And I'm sure all PHP developers check their applications for
CSRF vulnerability, in various browsers (including I.E. ).
I speak about CSRF in many of the talks I give, and I think
PROTECTED], [EMAIL PROTECTED]
Subject
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
Why is it so important if Internet Explorer allows URLs of images where the
file name is only .jpg, .png, or .gif?
A url can be something like:
http://www.site.com/script.php/image.jpg?logout=true
Internet
]
To
[EMAIL PROTECTED], [EMAIL PROTECTED]
cc
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
--- [EMAIL PROTECTED] wrote:
I can't share the exact code ;) , but here is something very
similar:
img src=http://slashdot.org/my/logout; height=1
--- Octavian Rasnita [EMAIL PROTECTED] wrote:
Why is it so important if Internet Explorer allows URLs of images
where the file name is only .jpg, .png, or .gif?
A url can be something like:
http://www.site.com/script.php/image.jpg?logout=true
This is definitely true, but as I mentioned in a
--- [EMAIL PROTECTED] wrote:
Upon your suggestion, I used a sniffer to sniff traffic for
the web app that I am working on.
To my surprise, the data captured during the sniff for both
browsers was exactly the same.
Can you elaborate or post the exact requests sent from each browser? I'm
: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
* Thus wrote [EMAIL PROTECTED]:
Hello Chris,
I can't share the exact code ;) , but here is something very similar:
img src=http://slashdot.org/my/logout; height=1 width=1
If I load a web page with the above code, it should log me out
* Thus wrote [EMAIL PROTECTED]:
Hello Chris,
I can't share the exact code ;) , but here is something very similar:
img src=http://slashdot.org/my/logout; height=1 width=1
If I load a web page with the above code, it should log me out of
slashdot. It works in Mozilla (and netscape), but
-Original Message-
So now I am completely clueless as to why this particular attack works in
Mozilla but not in IE.
Could you describe the problem again and give full detail? I think we need
to better model the problem in order to present a more effective solution.
The link below
[EMAIL PROTECTED]
No Phone Info Available
08/16/2004 02:26 PM
To
[EMAIL PROTECTED]
cc
Subject
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message-
So now I am completely clueless as to why this particular attack works
in
Mozilla but not in IE.
Could you describe
--- [EMAIL PROTECTED] wrote:
Hello Curt,
Yes, the /. system depends on cookies to keep the user logged
in.
However a CSRF attack is NOT trying to access a third party
cookie.
The web browser makes the same GET request whether it is using
img/ TAG or the user clicking on a link. So in
--- Curt Zirzow [EMAIL PROTECTED] wrote:
I'm not sure how the /. logout system works, but my guess is
that they rely on cookies to do this. Since that is a different
site than from the originating file, those cookies would be
considered third party. I know in IE you can disable third
party
--- Ed Lazor [EMAIL PROTECTED] wrote:
The link below goes to a page I found that describes CSRF a
little differently than what Chris was presenting - to give a
different perspective on things.
http://www.squarefree.com/securitytips/web-developers.html
It doesn't seem to be different,
--- [EMAIL PROTECTED] wrote:
To give some details:
I am unable to reproduce a CSRF attack when the victim is
using an I.E. 6.01 SP1 (all patches applied). However the
attack works in Mozilla and other older browsers.
I can't give you the exact code for attack (for security
reasons), but
I was able to confirm / reproduce what you're experiencing. I was also able
to confirm that toggling IE 6's acceptance of 3rd party cookies changes the
behavior.
Create an HTML on your local machine with the following line:
img src=http://www.atfantasy.com/test/image_status.php;
It'll load an
-Original Message-
However a CSRF attack is NOT trying to access a third party cookie.
The web browser makes the same GET request whether it is using img/ TAG
or the user clicking on a link. So in either case the cookies are in the
context of the website to which the cookies belong.
/2004 04:57 PM
To
[EMAIL PROTECTED], [EMAIL PROTECTED]
cc
[EMAIL PROTECTED]
Subject
RE: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
-Original Message-
However a CSRF attack is NOT trying to access a third party cookie.
The web browser makes the same GET request whether