Cross Origin Header Forging for CSRF Attacks
February 17, 2011 at 11:14 pm | Posted in Article, Computer, computer and high technology, Hacking, news
Django and Ruby on Rails have just released security updates (here and here) to address an attack that allows CSRF through forged headers. Previously, both frameworks provided a CSRF defense for XHR requests that relied on the presence of the X-Requested-With header. The idea was simple: the header is added automatically during normal XHR use, and an attacker was assumed to be unable to spoof or forge it in a cross-domain setting (i.e. a CSRF attack). We discussed this a few months back, and the consensus was that the approach was safe.
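To make the difference concrete, here is an added example (written for this post, not code from Django or Rails) contrasting the pre-patch style of check, which trusts the X-Requested-With header alone, with a token-based check that does not depend on which headers an attacker can attach. The header and field names (X-CSRFToken, csrfmiddlewaretoken, csrftoken) and the request dictionaries are assumptions and constructed sample data, not captured traffic:

```python
"""Added example: why a CSRF check that trusts X-Requested-With fails once a
header can be attached cross-origin, and what a token-based check looks like.
All request data below is constructed for illustration."""
import hmac
import secrets

TOKEN_HEADER = "X-CSRFToken"          # header name: assumption for this example
TOKEN_FIELD = "csrfmiddlewaretoken"   # form field name: assumption for this example
TOKEN_COOKIE = "csrftoken"            # cookie name: assumption for this example


def weak_csrf_check(headers):
    """Pre-patch style: a request carrying X-Requested-With: XMLHttpRequest is
    assumed to be a same-origin XHR and skips the token check entirely.
    If that header can be attached from another origin, this returns True
    for a forged request too."""
    return headers.get("X-Requested-With", "").lower() == "xmlhttprequest"


def issue_csrf_token():
    """Per-session secret; set as a cookie and also embedded in the page so the
    site's own JavaScript or forms can echo it back."""
    return secrets.token_hex(16)


def strong_csrf_check(request):
    """Post-patch style: require a secret the attacker cannot obtain.
    The token bound to the session (here via cookie) must be repeated in a form
    field or header. A cross-origin attacker may be able to add a header *name*,
    but cannot read the victim's cookie or page to learn the *value*."""
    expected = request["cookies"].get(TOKEN_COOKIE, "")
    submitted = request["form"].get(TOKEN_FIELD) or request["headers"].get(TOKEN_HEADER, "")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check itself leaks nothing about the token.
    return hmac.compare_digest(expected, submitted)


def make_request(headers=None, cookies=None, form=None):
    """Minimal stand-in for an incoming HTTP request (constructed data)."""
    return {"headers": dict(headers or {}), "cookies": dict(cookies or {}), "form": dict(form or {})}


def demo():
    """Run three constructed requests through both checks and report the outcomes."""
    token = issue_csrf_token()
    # Legitimate same-origin XHR: the browser sends the session cookie and the
    # page's own script sends the matching token header.
    legit = make_request(
        headers={"X-Requested-With": "XMLHttpRequest", TOKEN_HEADER: token},
        cookies={TOKEN_COOKIE: token},
    )
    # Forged cross-origin request: the victim's cookie is attached by the browser
    # as usual, and the attacker has managed to add X-Requested-With, but has no
    # way to learn the token value.
    forged = make_request(
        headers={"X-Requested-With": "XMLHttpRequest"},
        cookies={TOKEN_COOKIE: token},
    )
    # Same, but the attacker also supplies a guessed token value.
    forged_guess = make_request(
        headers={"X-Requested-With": "XMLHttpRequest", TOKEN_HEADER: secrets.token_hex(16)},
        cookies={TOKEN_COOKIE: token},
    )
    return {
        "weak_accepts_legit": weak_csrf_check(legit["headers"]),
        "weak_accepts_forged": weak_csrf_check(forged["headers"]),
        "strong_accepts_legit": strong_csrf_check(legit),
        "strong_accepts_forged": strong_csrf_check(forged),
        "strong_accepts_guess": strong_csrf_check(forged_guess),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The weak check accepts the forged request as readily as the legitimate one, because its only evidence of same-origin provenance is a header. The token check rejects it, because the secret never reaches the attacker: the same-origin policy stops other sites from reading the victim's cookie or page, and forging a header name does not help when the value has to match. Checking the Origin or Referer header as an additional signal is reasonable, but as a supplement to the token, not a replacement for it.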
Apparently that has all changed. The details are currently very limited (or I just haven’t found them). This is what is provided on the Django and Ruby on Rails security update pages:
Recently, engineers at Google made members of the Ruby on Rails development team aware of a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website. This can allow a forged request to appear to be an AJAX request, thereby defeating CSRF protection which trusts the same-origin nature of AJAX requests.
Michael Koziarski of the Rails team brought this to our attention, and we were able to produce a proof-of-concept demonstrating the same vulnerability in Django’s CSRF handling.
I’m very curious to find out more. Is a proof of concept available? What browser plugins are required for this attack? The potential exposure must be large because both frameworks have released a “backwards-incompatible” patch.
This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case.
original article here