CSRF Is A Vulnerability In All Browsers

¹Ò³¤:
#1 CSRF Is A Vulnerability In All Browsers - You MUST ÈÝÄꤹ¤ë It ASAP.
#2 ºÇ¹â¤Î¡¤¤ò±Û¤¹ secret(will be published on April 1)
#3 Another Rails ÌäÂ꡿ȯ¹Ô¤¹¤ë(April 2-3)
#4 The Webkit ·ê¤ò³«¤±¤ë(April 2-4)

It took me a long time to understand the point behind CSR (cross-¾ì½ê¡¿°ÌÃÖ requests) and CRSF fully enough to find them EXTREMELY malicious.
¤Ë°ú¤­Â³¤¤¤Æ points should be made before any explanation.

• It is °æ¸Í¡¿ÊÛ¸î»ÎÀÊ known attack(yep, just like ½¸¤Þ¤ê assignment). It's known but not °æ¸Í¡¿ÊÛ¸î»ÎÀÊ. You won't find any ¤Ë¤Ä¤¤¤Æ¸ÀµÚ¤¹¤ë of CSRF in Ä´½ñ¤ò¤È¤ë¡¿Í½Ì󤹤ës for beginners a la "PHP in 24 hours" or "HTML/CSS for ÌϤ¤Î". Underestimated Æù¿Æ¡¤¿ÆÎàd of attack.
• It is neither bug in OS nor in browser nor in the servers' Ä´À°s. Linux/Mac/Windows, Chrome/Firefox/IE - it just doesn't »öÊÁ! This is just an ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ëd ¹Ô°Ù. And it ºîÉÊ like it supposed to. Funny, isn't it? Known since 2001 but not ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd yet. Íø±×¡¿¶½Ì£d? Keep reading.
• HTTPS? Would not help. SSL has nothing to do with this attack.
• Short ³«²ñ¡¿³«Äî¡¿²ñ´üs? Sounds nice, but there are always a few ways to ask/·³Ââ »ÈÍÑ¼Ô to Ä´°õ¤¹¤ë in and than script can attack. We are human, it's not so difficult to cheat on us. And, short ³«²ñ¡¿³«Äî¡¿²ñ´üs are rare, most ¾ì½ê¡¿°ÌÃÖs with a "remember me" button do not rely on short ³«²ñ¡¿³«Äî¡¿²ñ´üs.
• Special plugins/³ÈÄ¥s to be °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë(e.g. https://www.requestpolicy.com/). Who uses them?! O_o Almost nobody.
• Êݸî on server-Ì£Êý¤¹¤ë. Rails 3 ÏÈÁÈ¤ß has it out-of-box - using authenticity_token helps. By the way Rails is the most °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë ÏÈÁÈ¤ß I've ever seen.(sic!) ½¸¤Þ¤ê assignment is "vulnerability" in the documentation and developers are in ¹ðȯ¡Ê¤¹¤ë¡Ë¡¤¹ðÁʡʤ¹¤ë¡Ë¡¿ÎÁ¶â; but not in rails. At the same time to have Êݸî with other langs/ÃÅ¡¦¹ËÎΡ¦¸øÌós(PHP, Java, Asp.ÂáÊ᤹¤ë) you have to Îá¾õ ~10-50 Éղà lines of code. IMO(and *these »öÎã¡¿´µ¼Ôs* ¾ÚÌÀ¤¹¤ë it) 90% of developers just don't care and don't spend time on that. That's a ÊúÍʤ¹¤ë ·ê¤ò³«¤±¤ë, Ê¿°×¤Ê to find and Ê¿°×¤Ê to use.

The backbone.

There is site1.com. It could be anything: blog, social ÌÖ¾õÁÈ¿¥ like facebook/twitter/google+ or even »Ùʧ¤¤¡Ê³Û¡Ë system. You have an account on this ¾ì½ê¡¿°ÌÃÖ.
1. You are remembered with cookies µ¡³£ÁõÃÖ.
2. ¾ì½ê¡¿°ÌÃÖ has short ³«²ñ¡¿³«Äî¡¿²ñ´üs. Hacker asks you to Ä´°õ¤¹¤ë in anyhow. E.g. the ´ú¡¤¿·Ê¹°ìÌ̥ȥåפÎÂ縫½Ð¤·¡¿Â硹Ū¤ËÊóÆ»¤¹¤ë "you won 1 dollar for visiting this page, check your %»Ùʧ¤¤¡Ê³Û¡Ë _system%!" and in a few seconds after you Ä´°õ¤¹¤ëd in hacker's page ²ò¸Û¤¹¤ë¡¿Ë¤²Ð¡¿¼Í·âs up the malicious script.

So, you are Ä´°õ¤¹¤ëd in.

You visit ¾ì½ê¡¿°ÌÃÖ site2.com(with funny pictures, ²òÊü¤¹¤ë¡¿¼«Í³¤Ê mp3 or pr0n). No »öÊÁ how you got there - let's assume friend gave you the link.
That ¾ì½ê¡¿°ÌÃÖ sells "iframe traffic"(or just ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës malicious code itself). It means that funny ¾ì½ê¡¿°ÌÃÖ uses your browser(and your accounts on all ¾ì½ê¡¿°ÌÃÖs where you are logged in!!).  You know nothing and notice nothing. Hidden iframe Ééôs malicious Javascript which ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ës POST(or GET/DELETE/PATCH etc - all HTTP Verbs are supported) by submitting À¸À®¤¹¤ëd <form> with ÌÀ³Î¤Ê¡¿ºÙÉô params. Form's ³èÆ°¡¿ÀïÆ® points to site1.com/someaction, form's Ū - »Ø̾¤¹¤ë of another hidden iframe. Then, code ²ò¸Û¤¹¤ë¡¿Ë¤²Ð¡¿¼Í·âs up formObject.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë(). It is ¼êÆ°¼°¤Î form submitting.
What has happened? "You"(in fact "your browser") just sent request to site1.com/someaction with all needed cookies(browser Âç¡Ê¸ø¡Ë»È´Û°÷d them automatically) with (definitely malicious) params - for example "spam blog ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë", "start ¤Ë°ú¤­Â³¤¤¤Æ another spam account" or even data for ¿È¤ò°ú¤¯ing money to hacker's bank account(sic!) - anything.
Server Ì£Êý¤¹¤ë has no idea that you are not "you" - it looks the same. And »ÈÍÑ¡¿Å¬ÍÑ ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ës your request just like it was you who made a request. You didn't notice anything.

One day you will, for example, check ̾Êí¡Ê¤ËºÜ¤»¤ë¡Ë¡¿É½¡Ê¤Ë¤¢¤²¤ë¡Ë of your ¤Ë°ú¤­Â³¤¤¤Æs and find there unknown strange accounts »Ø̾¤¹¤ëd like "viagra_buy_online_ca" or "celitra_no_prescription" lol. Or find out that few days ago you tweeted "Earn 10 Dollars Per Second ºÇ¹â¤Î Technique Blah Blah link.com/referal". (sent not ·Ðͳ¤Ç twitter.com but ǧ²Ä¤¹¤ëd apps like ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ YFrog)

ͽËÉ.
It is the ¤¢¤ê¤Õ¤ì¤¿ »öÎã¡¿´µ¼Ô ½Ò¤Ù¤ëd above. Of course ¾ì½ê¡¿°ÌÃÖs like google, twitter, facebook etc most likely are Êݸ¤ëd from this attack. But not necessary! Êݸî Í׵᤹¤ës Éղà À®²Ì¡¿ÅØÎÏs - this is why so many websites are CSRF-¹¶·â¤ò¼õ¤±¤ä¤¹¤¤.

I so much enjoy the ¤Ë°ú¤­Â³¤¤¤Æ °úÍѤ¹¤ë from the previous shit Íò¡¿½±·â¤¹¤ë:

Insecure-by-default means "insecure"

Àµ³Î¤Ë¡¿¤Þ¤µ¤Ë, the same thing here. By default your app is insecure.

If your apps ¾ÃÈñ¤¹¤ë requests w/o Ω¾Ú¤¹¤ëing authenticity µ­Ç°ÉÊ for each POST/GET/... request - you are ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. For each, every time.
Yeah, you can check 'referer' every time but it ȼ¤¦¡¿´Ø¤ï¤ës Éղà regexp/»ÙÇÛ¤¹¤ës and looks so lame to me, this is not a panacea at all.

What do I ¼¨º¶¤¹¤ë.
A ÂŶ¨. We cannot ÈÝÄꤹ¤ë the technique ¸¢Íø away for a lot of ¿äÏÀ¤¹¤ë¡¿Íýͳs - backwards compatibility, most ¹­¹ðs and analytics engines use it - ÈÝÄê will break ¥È¥ós of code in the internet, and ¤¤¤Ä¤«s it's really useful and needed thing etc.

Look at the pictures:

These are default ºÇ¹â¤Î¡¤¤ò±Û¤¹ ˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶Ès in chrome and firefox for some ³èÆ°¡¿ÀïÆ®s that could ÀøºßŪ¤Ë be malicious. I ¼¨º¶¤¹¤ë to make a Îà»÷¤Î one e.g.:

*This page %hackersite.com% Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ës data to an ³°Éô¤Î »ñ¸» %paymentsystem.com%! What to do?*
[button ¼õÂ÷¤¹¤ë]
[button µñÀ䤹¤ë¡¿Äã²¼¤¹¤ë]
[check box - Äɲ乤ë the »ñ¸» domain to whitelist(for stats and ¹­¹ðs)]

But it should be ÈÝÄꤹ¤ëd by default and request should be sent only if »ÈÍÑ¼Ô ¼õÂ÷¤¹¤ës it.

Again, Æù¿Æ¡¤¿ÆÎàd of ·ëÏÀ: CSRF is not a vulnerability in apps. It is a HUGE HOLE in browsers. And this damn ·ê¤ò³«¤±¤ë makes us, developers, to invent wheel such stupid things like csrfmiddlewaretoken compulsory IN EVERY REQUEST. Imagine milliards of HTTP requests and each ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës sort of  "9f38ada5f4e2c62ca8550071c2c44a0796be8c40" thing + ¥È¥ós of checks cookie[µ­Ç°ÉÊ]=params[µ­Ç°ÉÊ]. What a fail?! It's you ¿¦¶È, dear browser, to °·¤¦ requests and SameOriginPolicy stuff. What a workaround?! Are you kidding us, honey?

We(browsers+developers+w3c etc) must find the best ²òÅú of the ÌäÂ꡿ȯ¹Ô¤¹¤ë and ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë it. ¾µÇ§¤¹¤ë, I know in before you won't listen to the speech. Words don't change the way how web browsers work. *Here are ³èÆ°¡¿ÀïÆ®s*.

This change will ·àŪ¤Ê make the Internet 80%(And this is not a ̵ºî°Ù¤Î number but pretty real ¥Ñ¡¼¥»¥ó¥È of "¹¶·â¤ò¼õ¤±¤ä¤¹¤¤" ¾ì½ê¡¿°ÌÃÖs) more °ÂÁ´¤Ê¡¦Êݾڤ¹¤ë and °ÂÁ´¤Ê! Let's solve the ÌäÂ꡿ȯ¹Ô¤¹¤ë once and for all ASAP.

¸ÀµÚ¡¿´ØÏ¢s:
http://www.codinghorror.com/blog/2008/10/˸¤²¤ëing-csrf-and-xsrf-attacks.html - in 2008 youtube had no Êݸî at all. Do you still think it's newbies' mistake? Jeff Antwood SHOUTED about CSRF. What has changed since 2008? Nothing. Youtube is °ÂÁ´¤Ê but thousands of new startups aren't.
https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb - that's how rails rockstars got rid of the ÌäÂ꡿ȯ¹Ô¤¹¤ë by default.
https://¥Þ¥¹¥³¥ß.blackhat.com/bh-eu-12/shah/bh-eu-12-Shah_HTML5_Top_10-Slides.pdf - slides from ºÇ¶á¤Î ¹õ¿Í¡¿¥Ü¥¤¥³¥Ã¥È hat conf
http://pentestmonkey.ÂáÊ᤹¤ë/blog/csrf-xml-ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë-request - don't rely on custom Request Payload. The same thing with json's payloads.
https://www.owasp.org/º÷°ú.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_Referer_Header - RTFM

tbc

P.S. the first ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës only theory. Please, stay tuned until April 1 and you will get lulz info