Looking for our research? We've moved it to a dedicated page
Research Academy
My account Customers About Blog Careers Legal Contact Resellers

On-site request forgery

Dafydd Stuttard | 03 May 2007 at 08:09 UTC
xsrf XSS

Request forgery is a familiar attack payload for exploiting stored XSS vulnerabilities. In the MySpace worm, Samy placed a script within his profile which caused any user viewing the profile to perform various unwitting actions, including adding Samy as a friend and copying his script into their own profile. In many XSS scenarios, when you simply wish to perform a particular action with different privileges, on-site request forgery is easier and more reliable than attempting to hijack a victim’s session.

What is less well appreciated is that stored on-site request forgery bugs can exist when XSS is not possible. Consider a message board application which lets users submit items that are viewed by other users. Messages are submitted using a request like the following:

POST /submit.php
Content-Length: 34

type=question&name=daf&message=foo

which results in the following being added to the messages page:

<tr>
  <td><img src="/images/question.gif"></td>
  <td>daf</td>
  <td>foo</td>
</tr>

In this situation, you would of course test for XSS. However, it turns out that the application is properly HTML-encoding any " < and > characters which it inserts into the page. Having satisfied yourself that this defence cannot be bypassed in any way, you might move on to the next test.

But look again. We control part of the target of the <img> tag. Although we can’t break out of the quoted string, we can modify the URL to cause any user who views our message to make an arbitrary on-site GET request. For example, submitting the following value in the type parameter will cause anyone viewing our message to make a request which attempts to add a new administrative user:

../admin/newUser.php?username=daf2&password=0wned &role=admin#

When an ordinary user is induced to issue our crafted request, it will of course fail. But when an administrator views our message, our backdoor account gets created. We have performed a successful on-site request forgery attack even though XSS is not possible. And of course, the attack will succeed even if administrators take the precaution of disabling JavaScript.

(In the above attack string, note the # character which effectively terminates the URL before the .gif suffix. We could just as easily use & to incorporate the suffix as a further request parameter.) 

xsrf XSS
Dafydd Stuttard

Dafydd Stuttard

@DafyddStuttard

Latest Posts

Burp Suite Enterprise Edition in the Cloud

18 April 2024 Burp Suite Enterprise Edition in the Cloud

What's new with BChecks?

08 February 2024 What's new with BChecks?

Introducing custom scan checks to Burp Suite Enterprise Edition

02 February 2024 Introducing custom scan checks to Burp Suite Enterprise Edition

Related stories

Top web hacking techniques

Frans Rosén crowned for OAuth ‘masterclass’ 10 February 2023 Top web hacking techniques Frans Rosén crowned for OAuth ‘masterclass’

Radio silence from DMS vendor quartet over XSS zero-days

10 February 2023 Radio silence from DMS vendor quartet over XSS zero-days No response or patch yet forthcoming from providers of vulnerable document management systems

Magic quadrant

DOM XSS vulnerability in Gartner Peer Insights widget patched 08 February 2023 Magic quadrant DOM XSS vulnerability in Gartner Peer Insights widget patched

XSS Hunter tool is resurrected with new features

02 February 2023 XSS Hunter tool is resurrected with new features Popular hacking aid now available with CORS misconfig detection function following end-of-life announcement