Thursday, August 13, 2009

Basic Cross-site request forgery



Now I'm working with a new framework. It's a new one, so I expect it's not well secured.
Assume I'm a customer using this source code. If I find a bug, what happens if I decide to be a 'bad man', not 'bat man' :))


After some analysis I found an action in the administrator panel.
For example, when working with the customer module:

"http://our_local_server/administrator/index.php?module=loadajax&action=deleteall&table=user&fprimary=id&cond=0,%276%27&fname=etc"

Consider the bold part of the URL, the cond parameter:

When I call this URL, the system 'deletes' every item matched by the condition value. %27 is the URL encoding of the quote character, so the condition decodes to (0,'6'). The result is that the user with id=6 is deleted from the database.

OK, now I compose an HTML email like:

<body>
You won $1,000,000

<iframe src="http://our_local_server/administrator/index.php?page=loadajax&action=deleteall&table=user&fprimary=id&cond=0,%276%27&fname=etc" width="0" height="0"></iframe>
</body>


Will you read it???
I won't. But it's only an example ^^.
Send it to the administrator of the site while he/she is logged in.
I don't need to log in or do anything else with this system.
The administrator will do it for me, because he/she has the authentication (the browser sends the admin's session cookie with the hidden iframe request).
Imagine if I call the URL in a loop:
for ($i = 0; $i <= 999999; ++$i) { // call the action url here }

What would happen? :D

Solution: assign a token value to every action.
Example:
index.php?page=loadajax&action=deleteall&table=user&fprimary=id&cond=0,%276%27&fname=etc&token=10d3612ccee6f20d650288855624f9ad


And check this token on the server before executing any action; the attacker's email cannot contain it, because the token is generated per session and is never sent to the attacker.
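Here is an added example (my own code, not the framework's) of how the token check could be implemented in PHP for the deleteall action above. Function names, the session key csrf_token, and the use of random_bytes()/hash_equals() (PHP 7 or newer) are my assumptions, not part of the original framework.

```php
<?php
// Added example, not the framework's own code. Function and key names are assumed.
session_start();

// Issue one secret token per logged-in session and reuse it for every admin link/form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex chars; unguessable by a third-party page.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Verify the token sent with the request against the one stored server-side.
function csrf_check($submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // hash_equals() compares in constant time, so the comparison does not leak
    // how many leading characters of the token matched.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Build the deleteall link the admin panel itself renders, with the token appended
// (same query string as in the post; the id value is assumed for illustration).
function delete_user_url(int $id): string {
    $query = http_build_query([
        'page' => 'loadajax', 'action' => 'deleteall', 'table' => 'user',
        'fprimary' => 'id', 'cond' => "0,'$id'", 'fname' => 'etc',
        'token' => csrf_token(),
    ]);
    return 'index.php?' . $query;
}

// Dispatcher: refuse any state-changing action whose token is missing or wrong.
// A forged request from an email or another site carries the admin's cookie
// but not the token, so it stops here.
if (($_GET['action'] ?? '') === 'deleteall') {
    if (!csrf_check($_GET['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the delete only after the check passes ...
}
```

State-changing actions like deleteall should also be sent with POST rather than GET, so that a plain image or iframe tag cannot trigger them at all; the token check is what protects against forged POSTs too.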