Join the God Side, Jesus is Coming…….

Source: TheRegister & SecureThoughts

In a disclosure with implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has refined a technique for stealing the unique identifiers (anti-CSRF tokens) that websites use to prevent unauthorized actions in email accounts and other private resources.

Many websites append a random sequence of characters to their URLs once a user has logged in. The token is designed to prevent CSRF (cross-site request forgery) attacks, in which a malicious page tricks the victim's browser into sending a request that the target site executes because it trusts that browser's session. Because the token is unique for each user, an attacker cannot rifle through a victim's account simply by getting the victim to load a generic, pre-built URL: any forged request must also carry the token, which the attacker does not know.

Now a researcher who goes by the name Inferno has come up with a way to recover CSRF tokens by brute force, combining token guessing with a much older attack. As researchers have pointed out for years, a website owner can read much of a visitor's recent browsing history using what is known as CSS history hacking: the attacker's page inserts links to candidate URLs and uses the browser's :visited link styling to learn which of them the visitor has actually loaded. By checking each visitor against a long list of candidate tokenized URLs for highly desirable sites (think Gmail, eBay and the like), an unscrupulous webmaster can discover which token the victim's browser has visited, and therefore the victim's CSRF token, with minimal fuss. The attack only works when the token appears in a URL that the browser records in its history.

Some tips to protect your sessions from this CSRF token-recovery attack (note that mainstream browsers have since restricted what a page can learn from :visited link styling, which blunts the history-sniffing half of the attack, but the server-side advice stands on its own):

  • Client-Side Solution (for your customers/users):
  1. Use a browser plugin such as SafeHistory, which defends against visited-link-based tracking techniques.
  2. Use your browser's private browsing mode, so that visited URLs are not kept in history.
  • Server-Side Solution (for developers):
  1. Make your CSRF tokens long and unpredictable. Generate them from a cryptographically secure random number generator; eight or more random characters is the floor needed to put the token out of reach of a CLIENT SIDE probe, and 128 bits (for example 16 random bytes, hex-encoded) leaves no margin for ever-increasing processing power. The limiting factor for this attack is how many candidate links the attacker's page can test per visit, so every extra character multiplies the attacker's cost.
  2. Store your CSRF token in a hidden form field sent with a POST request, rather than putting it in the URL, where it is written to the browser history and can also leak through Referer headers and server logs.
  3. Use a different random token for every form submission and do not accept any obsolete token, even for the same session.