Cross Origin Header Forging for CSRF Attacks

February 17, 2011 at 11:14 pm | Posted in Article, Computer, computer and high technology, Hacking, news | Leave a comment

Django and ruby on rails just released security updates (here and here) to address an attack that would allow CSRF through forged headers.  Previously these two frameworks provided a CSRF defense for XHR requests that was based on the presence of the X-Requested-With header. The idea was simple, the header was automatically added during normal use of the XHR request by the user and an attacker was unable to spoof or forge a header in the context of a cross domain setting (e.g. CSRF attack).  We discussed this a few months back and the consensus was that this approach was safe.

Apparently that has all changed.  The details are currently very limited (or I just haven’t found them).  This is what is provided at the django and ruby on rails security update pages:

Recently, engineers at Google made members of the Ruby on Rails development team aware of a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website. This can allow a forged request to appear to be an AJAX request, thereby defeating CSRF protection which trusts the same-origin nature of AJAX requests.

Michael Koziarski of the Rails team brought this to our attention, and we were able to produce a proof-of-concept demonstrating the same vulnerability in Django’s CSRF handling.

I’m very curious to find out more. Is a proof of concept available? What browser plugins are required for this attack? The potential exposure must be large because both frameworks have released a “backwards-incompatible” patch.

This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case.

original article here



Leave a Comment »

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

Entries and comments feeds.

%d bloggers like this: