XSS and CSRF made easy


Today I had a phone conference with a client about a security audit we conducted on their application. We stepped through the report where we talked about XSS and especially CSRF, and we told them that it might be pretty easy to trick somebody into clicking on a link which conducts a request to your application (in case of CSRF) or calls a prepared link which utilizes your vulnerable application to inject bad JavaScript code (as in XSS).


Today and tomorrow, there’s a popular conference here in Germany that deals with Web2.0, called next07 from the German multimedia agency SinnerSchrader. As cool as in the term Web2.0, their partner cellity set up a twitter account which will be regularly displayed via a beamer live at the conference. Attendees and non-attendees can then twitter their messages to this account when adding themselves as a group/friend.


I stumbled upon a blog entry (I’m not at the conference) that tells us to watch the live twitter feed. While having a look at it, I had the telephone conference from today in mind. If you look at the screenshot, you see somebody posting a tinyURL link. While tinyURL is a very good service, it could be used to hide XSS prepared links so that you can’t see at a first glance that it might be a malicious link. Luckily, the link from the screenshot points to a PR website.


So, how does it harm users? The goal for an XSS attacker is to trick you into clicking on a link he sends you. This could either be via (HTML) e-mail, or via popular services like twitter. If I would be an attacker and I would know that a lot of people are very active members of (insert your favourite social network here).com, permanently logged in, and are also very active members of such a popular messaging service like twitter, the users could be harmed very easy by posting a message to a service like twitter with a prepared URL. The nature of the „Web2.0 crowd“ is that they are constantly and very actively consuming URLs/information without thinking about where they are clicking. So this would be a very effective distribution channel of XSS links.


Of course, there may be other and more easier ways to foist a link to users (for example, the same goes for posting short links or prepared images in forums), but as twitter is currently a service that gets a lot of hype, it could be used for such Second Order Attacks very easy (somebody remembers the popular XSS worm on MySpace some years ago?).


Von Björn Schotte

Björn Schotte ist geschäftsführender Gesellschafter der Mayflower GmbH und Senior Consultant im Umfeld von Software- und Agilen Organisations-Themen. Er twittert unter @BjoernSchotte und ist auf Xing sowie LinkedIn erreichbar. Seine Vorträge finden sich bei Slideshare.

2 Kommentare

  1. twitter by default seems to turn all links into links via the tinyurl service.

    hopefully they do some xss checks before they ever send off the link to tinyurl in the first place.

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert