What if someone could send you a link to their page and in that page it could make you post a form that you can't see. This form could send money from the bank account they are logged into to the attackers account. All they have to do is send them to the right page and with the right parameters sent along it will send the money to the attacker. There are a couple ways of fixing this. The bank could use a token that can only be used once along with other parameters int he form that have different values everytime so the attacker wouldn't know what the names of the hidden fields are without going to the banks website and getting their form. If they could use PHP curl request with the banks sessionid it would be relatively easy to get the form contents and then fill in the right values into it and send the form off to the bank website and they would think it was from them. They would also use curl to not only send the sessionid but also change the referer to say it came from the banks website page where the form is. That page could also be a unique url everytime as well. Then the curl request would need to know what page to download the form. They would go to the page where the user clicks to get the form and it would create the unique url for the form there so the attacker may get the form that way. How does the attacker get the sessionid? They use javascript to somehow run document.cookie on another tab than the one they are on now. If this works then they have the sessionid and can then refresh the page quickly after the js is done getting the sessionid and once it has refreshed the page will run php code to make the curl request to the page where the bank website is. This could be any website that has forms. This is just an example with a bank to show how important it is for websites to secure their sites using some of these techniques or others. Another thing the bank website can do to make it hard to run their form without being on their site is using dynamic named functions in php. Use the create_function function in PHP to make a custom custion that is written alittle bit differently each time in a way that ensures the user is logged in:
http://php.net/manual/en/function.create-function.php
But if the hacker has your sessionid I don't know how this will be good enough.
Here are some interesting pages on the subject:
http://4diggers.blogspot.com/
Here is an article about cross domain ajax and how cross domain ajax could break any web application
http://shiflett.org/blog/2006/aug/cross-domain-ajax-insecurity
No comments:
Post a Comment