Dark Reading published a very interesting article last week "Killer Combo: XSS + CSRF". It describes a presentation given last week at Black Hat Europe by Billy Rios and Raghav Dube of Ernst and Young's advanced security center. The presenters' goal was to explain the high level of threat from combining a cross site scripting attack (XSS) with a cross-site request forgery (CSRF).
The article gives two examples:
"In the first attack, the researchers show how to take over a user's account via XSS and use that browser to attack another Website. In the demo, the user first visits a social networking/blogging site, which is easier to get XSS-infected due to the ability to upload content, post messages/comments, etc. But the attacker's real target is a large credit union site. It works like this: Once the user falls victim to the XSS exploit on the social networking site, XSS is used to take over the victim's browser, Rios says."
""In the grand scheme, we don't actually care about the social networking site," he says. The attack then uses CSRF to link between the social networking site and the credit union site, he says. "Once we control the victim's session with the social networking site, we can force and control a session between the browser and the credit union site.""
"From there, the attacker can attack the credit union site. "We will go into techniques for attacking the credit union, but it's actually the victim that is doing it" unknowingly with their browser, he says. And the victim would have little or no clue the attack was underway, Rios adds. The advantage of combining XSS and CSRF here is that it lets the browser move to different Web domains, not just a single one."
"The second attack demo shows how XSS and CSRF can be used to do damage to an internal corporate network. "Because we're using the victim's browser to do these attacks, we can take advantage of all the privileges and trust established by their browser," Rios says. "Because it's inside the corporate LAN, we can drive it to attack other machines inside the firewall. The age-old moat-around-the-internal-net model is basically thrown out the door because our staging point is inside the internal net.""
"The victim's browser then attacks a network management system on his internal network. CSRF is then able to get information on the internal network. And if the attack is caught or traced back, it's on the victimized user's doorstep. "If they kick down the victim's door, the evidence is on that machine. It was [his] browser that did the attack," and he didn't even know it, Rios says."
"And XSS lets CSRF work more two-way instead of just one way: "CSRF alone is a one-way deal," Rios says. "You do the attack and hope it executed. The only way to verify it is through a secondary channel. With XSS, you can verify the CSRF went through, and you get instant feedback.""
"The demos show targeted attacks on a specific user, but Rios says it would be easy to automate it across multiple users. "We're trying to show that this doesn't require that much sophistication to exploit.""
This type of attack will definitely grow over the coming year. Enterprises beware! This is another attack vector to obtain identity, authentication and valuable enterprise information as well as fraudulently obtain money, services and products.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
del.icio.us