CSRF:layann

December 27th, 2007 | by tk2 |

David Airey lost his domain after his Gmail account was hijacked. The attacker used CSRF (Cross-site request forgery) against his Gmail account, and you can guess what happened next. You might be asking yourself:
What the hell is CSRF anyway?

Wikipedia's definition (this might not be noob friendly enough):

Cross-site request forgery, also known as one click attack or session riding and abbreviated as CSRF (Sea-Surf) or XSRF, is a type of malicious exploit of websites. Although this type of attack has similarities to cross-site scripting (XSS), cross-site scripting requires the attacker to inject unauthorized code into a website, while cross-site request forgery merely transmits unauthorized commands from a user the website trusts.

In short, the attacker makes the victim's browser send a request the server cannot tell apart from a real one, so the server thinks: "This is the real user, transfer them some gold!" The browser attaches the site's cookies to that request automatically, which is why the attack is also called session riding.

So here is a real-world example that will give you a better understanding of CSRF. This is for educational purposes only; do this at your own risk.

digg.com.my CSRF

In this example, I will use CSRF to force my blog readers to send me a +1 layann without their knowledge (of course you are one of them). Layann.com uses Ajax for its voting system. If you fire up the Live HTTP Headers extension in Firefox, you can see the request that your browser sends. In this case, every time I click the layann button, Firefox sends a POST to /digg-it.php with the digg id in the body:

POST /digg-it.php did=[digg id]

At layann, you don't have to log in to vote. This makes things much easier: no session cookie is needed, so any visitor's browser will do. All we need to do is replicate that request to the layann server and it's done. The most common vector is an <img> tag. An image tag only makes the browser issue a GET, so this works because digg-it.php accepts did from the query string just as it does from the POST body.

<img src="http://www.digg.com.my/digg-it.php?did=1198770667">

Place that tag anywhere you want, and every time someone loads a page containing it, you get +1 layann. The visitor sees nothing, since a broken image in a hidden spot is easy to overlook.
I put it here, on this very page.
You can view my layann status here. Nice, huh?
In most cases it is not as simple as the example above. You may need to send several requests in sequence, the target may require a login (the browser still attaches the session cookie, which is what makes the forged request look real), or the endpoint may only accept POST, in which case an <img> tag is useless and you need something like a hidden auto-submitting form instead.

P/S: Sorry, Layann crew. I don't mean to harm your site; I just can't stop myself playing around.


One Response to "CSRF:layann"

By bitter on Dec 28, 2007

Oh, I like this post a lot. Very enlightening. And the way you used a real-life web app to show an example. That's major sweetness! Layann should now hire you as their security officer!
