naxib.blogg.se

Prodigy hacks javascript






Sometimes, like in the OAuth case, a CSRF takes a few seconds to complete. Below is a video of how the sneaky one looks. But it’s relatively sneaky, and we’ve successfully CSRFed the page and taken over their SoundCloud account. The original SoundCloud OAuth (talked about here) looked something like this with a big ugly popup: But with adding a popunder, well, it isn’t that exciting. Using this technique, we can exploit the OAuth CSRF much more ninjaly.

  • the new window opens another window, then closes it.
  • Shady websites do this all the time, so you can just look at their code, or you can grab scripts from github :) Basically, the generic technique seems to be:


    Firefox and Chrome explicitly deny this (it was a bug here: “Blur results in window being lowered and some other window being raised (popunders are possible)”). In most browsers this doesn’t work anymore. setTimeout("soundcloud_addlogin()", 5000) Back in the day, you could just do something like this and it would hide the window. It would be better if, when we popped up the window, we hid it. In the OAuth examples I just popped up a window. This is probably the last one (yeah, finally – I’m sick of talking about CSRF too), then I’ll hopefully post the whole talk finally :) Hiding the CSRF with a popunder The 2013BH tag links to all posts related to my recent Black Hat EU talk I gave in March. There are probably a lot of techniques here, but there are two options I explored: using a popunder, and just making the window jump around/hard to close.


    How do we CSRF things that have X-Frame-Options enabled so we can’t use frames? We can always open a window, but a big popup isn’t really ideal. With some of the OAuth attacks from the last few posts, the identity providers did in fact all enable X-Frame-Options. With OAuth, protecting against UI redressing is even in the spec, so just creating a frame to do all your sneaky stuff won’t really work. X-Frame-Options is becoming more and more common.






