d********n posts: 54 | 1 http://www.mitbbs.com/article_t/sysop/31207609.html explains the mechanism of the "virus" in detail, but its conclusion is wrong. At bottom, the virus exists because the mitbbs site has a vulnerability.
In network security this kind of attack has a name: CSRF (Cross-Site Request Forgery) attacks.
For the details and the fix, see http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks
Many sites have similar vulnerabilities; one famous one is Netflix. I won't point out which specific page is vulnerable here,
so that not everyone goes and attacks it. |
d********n posts: 54 | 2 http://en.wikipedia.org/wiki/Cross-site_request_forgery clearly and thoroughly explains how CSRF works and how to prevent it. "Requiring a secret, user-specific token in all form submissions prevents CSRF; the attacker's site can't put the right token in its submissions" |
o*******p posts: 722 | 3 Yeah, Lao Xing's own site is weak, he can't blame anyone else.
【Quoting d********n】 : http://www.mitbbs.com/article_t/sysop/31207609.html explains the mechanism of the "virus" in detail, but its conclusion is wrong. At bottom, the virus exists because the mitbbs site has a vulnerability. : In network security this kind of attack has a name: CSRF (Cross-Site Request Forgery) attacks. : For the details and the fix, see http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks : Many sites have similar vulnerabilities; one famous one is Netflix. I won't point out which specific page is vulnerable here, : so that not everyone goes and attacks it.
|
g*****g posts: 34805 | 4 For what you describe, if the site uses POST, the hacker has to lure you to visit his page
so that the JavaScript can run. That clearly wasn't the case yesterday; my guess is that mitbbs
doesn't distinguish GET from POST, and that's how the problem arose.
【Quoting d********n】 : http://www.mitbbs.com/article_t/sysop/31207609.html explains the mechanism of the "virus" in detail, but its conclusion is wrong. At bottom, the virus exists because the mitbbs site has a vulnerability. : In network security this kind of attack has a name: CSRF (Cross-Site Request Forgery) attacks. : For the details and the fix, see http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks : Many sites have similar vulnerabilities; one famous one is Netflix. I won't point out which specific page is vulnerable here, : so that not everyone goes and attacks it.
|
k**g posts: 67 | 5 I think this is it. Maybe on each page (when performing an action), check the
html referrer; if it is from another site, stop the action.
【Quoting d********n】 : http://www.mitbbs.com/article_t/sysop/31207609.html explains the mechanism of the "virus" in detail, but its conclusion is wrong. At bottom, the virus exists because the mitbbs site has a vulnerability. : In network security this kind of attack has a name: CSRF (Cross-Site Request Forgery) attacks. : For the details and the fix, see http://www.freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks : Many sites have similar vulnerabilities; one famous one is Netflix. I won't point out which specific page is vulnerable here, : so that not everyone goes and attacks it.
|
s****n posts: 786 | 6 Yes.
【Quoting g*****g】 : For what you describe, if the site uses POST, the hacker has to lure you to visit his page : so that the JavaScript can run. That clearly wasn't the case yesterday; my guess is that mitbbs : doesn't distinguish GET from POST, and that's how the problem arose.
|
y*******d posts: 1765 | 7 It's nothing to do with GET or POST.
The problem is that for any state-changing operation, the site has to validate the
user's intention. |
y*******d posts: 1765 | 8 Someone above mentioned the referrer solution.
Essentially the referrer here acts as a static canary.
But a static canary isn't necessarily enough.
The videos posted on mitbbs are all Flash based, right?
If the Flash code has a bug that lets a malicious user insert arbitrary HTTP headers (this seems to be a
known bug....),
then it's easy to forge a referrer that fools mitbbs.....
Essentially you still need something that evil.com can't get hold of. |
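An added illustration (not code from this thread or from mitbbs) of the defence post 2 quotes and post 8 ends on: a per-session token that a forging site cannot obtain, plus the rule that nothing state-changing runs on GET. The action names, session ids and server secret below are constructed placeholders for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for the demo; a real site loads it from
# configuration and never sends it to the browser.
SERVER_SECRET = b"constructed-demo-secret"

# Actions that change state; anything else is read-only and may use GET.
STATE_CHANGING_ACTIONS = {"post", "forward", "delete"}

def make_csrf_token(session_id: str) -> str:
    """Per-session token = HMAC(server secret, session id), embedded as a
    hidden field in the site's own forms. evil.com can make the victim's
    browser send the session cookie, but the same-origin policy keeps it
    from reading this token, so it cannot fill in the field."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def authorize(action: str, method: str, session_id: str,
              token: Optional[str]) -> bool:
    """Gate in front of every action handler.
    Rule 1: a state-changing action never runs on GET, so an <img src=...>
            embedded in a post (the incident in this thread) cannot fire it.
    Rule 2: on POST the token must match the caller's session (constant-time)."""
    if action not in STATE_CHANGING_ACTIONS:
        return True  # read-only, nothing to forge
    if method.upper() != "POST" or not token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), token)

def demo() -> dict:
    """Legitimate submit vs. the forgeries discussed in the thread."""
    victim = secrets.token_hex(16)    # constructed victim session id
    attacker = secrets.token_hex(16)  # attacker's own session on the site
    return {
        # the site's own form carries the victim's token
        "own_form": authorize("forward", "POST", victim, make_csrf_token(victim)),
        # <img src="/forward?..."> embedded in a post: GET, no token
        "img_get": authorize("forward", "GET", victim, None),
        # hidden auto-submitted form on evil.com: cookie rides along, no token
        "evil_form": authorize("forward", "POST", victim, None),
        # attacker copies the token from his own session into the form
        "attacker_token": authorize("forward", "POST", victim, make_csrf_token(attacker)),
        "read_only": authorize("read", "GET", victim, None),
    }
```

Only the site's own form passes; the image GET, the cross-site form and the attacker's own token are all refused, because the token is bound to the victim's session rather than to a header the browser or a plugin can be made to send.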
k**g posts: 67 | 9 Hmm, this attack's html header was really sent from the good user's browser.
Can the web server modify the good user's html header?
【Quoting y*******d】 : Someone above mentioned the referrer solution. : Essentially the referrer here acts as a static canary. : But a static canary isn't necessarily enough. : The videos posted on mitbbs are all Flash based, right? : If the Flash code has a bug that lets a malicious user insert arbitrary HTTP headers (this seems to be a : known bug....), : then it's easy to forge a referrer that fools mitbbs..... : Essentially you still need something that evil.com can't get hold of.
|
g*****g posts: 34805 | 10 If GET can change data, there's no technical way to prevent this kind of
attack unless all external image links are blocked.
【在 k**g 的大作中提到】 : hmm, this attack's html header was really sent from the good user's browser. : can the webserver modify the good user's html header?
|
k**g posts: 67 | 11 That is why I said checking the referrer before the actual script does
anything, ah.
【在 g*****g 的大作中提到】 : If GET can change data, there's no technical way to prevent this kind of : attack unless all external images links are blocked. : : browser.
|
g*****g posts: 34805 | 12 It's not a script, it's a valid link, and the browser cannot detect if a link
is an image or not before it actually requests it. There's no JavaScript here.
【在 k**g 的大作中提到】 : that is why i said checking the referrer before the actual script does : anything ah
|
k**g posts: 67 | 13 The backend is still a script... isn't it? Server end though. That is where the
redirect 301 came from.
【在 g*****g 的大作中提到】 : It's not a script, it's a valid link, and browser cannot detect if a link : is an image or not before it actually requests. There's no javascript here.
|
y*******d posts: 1765 | 14 OK.
So now a simple sample, hope it helps.
To make things simple, let's say it's not an img, not a flash.
I'm trying to make a link, and when a user clicks this link, a post is going to be
posted in the user's context, not my context (the one who created the link). That's
why it's called CSRF: my link will "forge" a request as the user who actually
clicked.
What does the link have to do?
1. Make a post to /mitbbs_xxx.php
2. Set the post content to whatever I want
What happens when the user clicks the link?
1. Good user |
y*******d posts: 1765 | 15 In theory, yes, if a GET request can change state, you are doomed.
But somehow, you can also do some kind of defense to make the attacker suffer.
【在 g*****g 的大作中提到】 : If GET can change data, there's no technical way to prevent this kind of : attack unless all external images links are blocked. : : browser.
|
y*******d posts: 1765 | 16 First, you kind of mixed up client script and server script.
If the mitbbs server would run a script not coming from its own code, then
they are fucked up.
Second, in this case the server never gets the script; what the server gets is a
simple post. Based on the existing design of mitbbs, the server has no way to
figure out whether it's coming from a place that is expected to generate this post,
like the "发表" (Post) button, or from an evil.com-generated link or some
other thing running in the current user's context (BH
【在 k**g 的大作中提到】 : the backend is still script...isn't it? server end though. that is where the : redirect 301 came : from
|
g*****g posts: 34805 | 17 The difference here is that you still need to click an external link so that
a JavaScript-generated post can proceed, and many browsers can detect
onload JavaScript from an untrusted site and warn you beforehand.
An image source link, combined with a GET state change, however, can screw
you once you see the post.
【在 y*******d 的大作中提到】 : ok. : so now some simple sample, hope it helps. : To make the thing simple, let's say it's not an img, not a flash. : I trying to make a link and when user click this link, a post gonna be : posted via the user's context not my context (who create this link). That's : why it's called csrf, my link will "forge" a request on the actually clicked : user. : what does the link has to do? : 1. Make a post to /mitbbs_xxx.php : 2. Set the post content to whatever I want
|
y*******d posts: 1765 | 18 From a security point of view, those two things are not very different.
They fall into the same category of attack and they can be defended against in
the same way.
Let's say it clearly: the only difference between forging a link and a
or flash is just how hard the malicious user has to work to lure good users into
doing the attack.
If you're familiar with DREAD, the only difference is Reproducibility. |
g*****g posts: 34805 | 19 There's a big difference between seeing a link and clicking a link, and as I
mentioned,
most browsers will warn you when a script-generated post from a new site
is detected.
【在 y*******d 的大作中提到】 : From security point of view, those two things are no big different. : And they fall into the same category of attack and they can be defended in : the same way. : Let's say it clearly, the only difference between forge a link and a : or flash, is just about how hard the malicious user gonna lure good users to : do the attack. : If you familiar with DREAD, the only difference is Reproducibility.
|
y*******d posts: 1765 | 20 How the link is created is not the key.
It can be a link created by the script running on the page, but it could
also be a link which is totally generated on the server side.
The browser could just get a without any script associated. |
y*******d posts: 1765 | 21 Let's make the example more extreme.
The link on mitbbs.com is a link to http://evil.com/a.html
But in order to lure the user, I may say, free sex link blah blah....
In evil.com/a.html, I host a hidden form which is the same as the one
here. Also in evil.com/a.html, onload() will auto-submit that hidden form.
If I remember correctly, a post to another domain is allowed in all of the
popular browsers (maybe I am wrong here....). So no pop-up.
In this case, a click is still required but it's a prove o |
g*****g posts: 34805 | 22 It's a lot of assumption that a user will click a link.
It's a lot more assumption that a user has a valid session
in an important website when you click a link like that.
And many browsers, at least IE, will warn you the first time
JavaScript is executing on an untrusted website.
Compared to a src link GET data change, it's night and day.
Of course you can always use a randomly generated token to
stop all forged-link attacks. A financial site should do that.
But it may be overkill for a social site. Stop all GE
【在 y*******d 的大作中提到】 : let's make the example more extreme. : The link on mitbbs.com is a link to http://evil.com/a.html : But in order to lure user, I may say, free sex link blah blah.... : In evil.com/a.html, I hosted an hidden form which is the same as the one : here. Also in evil.com/a.html, onload() will auto submit that hidden form. : If I remember correctly, post to another domain is allowed in all of the : popular browser (maybe I am wrong here....). So no poped up. : In this case, click is still required but it's a prove o
|
y*******d posts: 1765 | 23 lol
There's no reason to argue it more.
Someone who understands the mechanism already did more and more attacks on the site,
all via the POST channel.
So your GET theory is dead.
Let's see what mitbbs.com is going to do.
I'll send some PoC to 3k or some other admins, but yeah, talking about this shit
here is kind of opening Pandora's box. |
m*****e posts: 4193 | 24
How do you know it's POST? Post the code and I'll believe you.
Nothing to do with Pandora's box. Shit is shit. It just brings more confusion.
If you think you are right, post the script to prove it. It shouldn't be
hard.
【在 y*******d 的大作中提到】 : lol : That's no reason to argue it more. : Someone understand the mech already did more and more attacks on the site : all via POST channel. : So your GET theory is dead. : Let's see what gonna mitbbs.com do. : I'll send some poc to 3k or some other admins, but yeah, talking those shit : here is kinda opening da pandora box.
|
y*******d posts: 1765 | 25 Don't tell me you can't write the script if you follow my examples.
If that's the case, even if I gave you the code, you couldn't understand
it. But no doubt you could run it. Publishing code which could do mass damage is not good.
How do I know it's an attack via POST?
Run Fiddler when you do any operations on mitbbs, then analyze... no, it's not
analyze, I'd say take a look at the traffic between the browser and mitbbs.com.
You'll find the hole. |
m*****e posts: 4193 | 26
Yes I can, but I am not the one who wants to brag about it here. So why
should I waste my time proving your point?
You don't have to provide the source code.
Yes, but you need the script. Last time I checked, it was already offline. So
please stop stating the obvious.
【在 y*******d 的大作中提到】 : Dont tell me you can not write the script if you follow my examples. : If that's the case, even I gave you the code, you can not understand : it. But no doubt, you can run it. Publishing code which could do mass dmg is not good. : How do a know it's a attack via post? : Run fiddler when you do any operations on mitbbs, then analyze, no it's not : analyze, I'd say take a look at the traffic between browser and mitbbs.com. : You'll find the hole.
|
y*******d posts: 1765 | 27 The security hole is still there unless mitbbs.com fixes the issue, but from what
I checked 1 hour ago, the hole is still there and I've dropped a mail to
3k about the shit.
All I'm doing is trying to let mitbbs.com understand there is a hole here.
I don't care if anyone else believes it or not, and I don't get a fucking penny
from mitbbs.com. |
t*n posts: 14458 | 28 Help me earn a few fake coins.
The security hole is still there unless mitbbs.com fixes the issue, but from what
I checked 1 hour ago, the hole is still there and I've dropped a mail to
3k about the shit.
All I'm doing is trying to let mitbbs.com understand there is a hole here.
I don't care if anyone else believes it or not, and I don't get a fucking penny
from mitbbs.com.
【在 y*******d 的大作中提到】 : security hole is still there, unless mitbbs.com fix the issue, but from what : I checked 1 hour ago, the whole is still there and I've dropped a mail to : 3k about the shit. : All I do is trying to let mitbbs.com understand there is a hole here. : I dont care if anyone else believe it or not and I dont get a fucking penny : from mitbbs.com.
|
g*****g posts: 34805 | 29 There's evidence that it was a GET attack; I don't think it's
even worth a debate. The POST CSRF problem is still there,
for sure, but good luck luring people to click a link like that.
【在 y*******d 的大作中提到】 : lol : That's no reason to argue it more. : Someone understand the mech already did more and more attacks on the site : all via POST channel. : So your GET theory is dead. : Let's see what gonna mitbbs.com do. : I'll send some poc to 3k or some other admins, but yeah, talking those shit : here is kinda opening da pandora box.
|
m***l posts: 1846 | 30 The CSRF issue you described is valid, but it was not the problem that
happened yesterday. The symptom yesterday was:
1) A logged-in user opens a mitbbs page; the page has an embedded image in
its body.
2) Immediately (without any further actions), the user forwards this page
to some other board.
Do you see a chance that any HTTP POST is being made to the server, either by
script or by user action?
It seems to me that by calling it "GET theory", you don't really get what
the issue is.
【在 y*******d 的大作中提到】 : lol : That's no reason to argue it more. : Someone understand the mech already did more and more attacks on the site : all via POST channel. : So your GET theory is dead. : Let's see what gonna mitbbs.com do. : I'll send some poc to 3k or some other admins, but yeah, talking those shit : here is kinda opening da pandora box.
|
y*******d posts: 1765 | 31 To answer your question:
Do you see a chance that any HTTP POST is being made to the server, either by
script or by user action?
The answer is YES.
Dig more on the internet to find out the truth; that's why a lot of websites are
really concerned about img rendering in their pages. Note: it's caused by a
bug, not a design issue.
Yes, GET being able to change state is bad, but it's not unresolvable.
The solution is similar to the one for POST.
That's why I keep saying don't be attracted by the GET, you need an all-in-one
solutio |