Weaponizing Web 2.0
Posted by admin on July 30th, 2009, filed in Cyber Terrorism, hacking, Web 2.0

In this post on Brian Krebs's blog, he describes how researchers Nathan Hamiel and Shawn Moyer presented a method (link to paper: Moyer-Hamiel-DC17-Dynamic-CSRF) to automate cross-site request forgery (CSRF) attacks.
Taken from the article: “To take the Alice and Bob on the forum example a step further, consider what happens when Alice views a forum posting by Bob that includes a link to an off-site image hosted at a site controlled by Bob. That image, when loaded by Alice’s browser, will automatically send Bob’s site a referrer URL that includes the full token that is unique to Alice’s browser session with that forum. Armed with the referring URL’s token, Bob can then respond to the image request from Alice’s browser with a request to silently take action on that forum in Alice’s name.”
This interesting attack has been around since 2001. The two researchers took the CSRF concept a bit farther by systematically packaging payloads based on the referring site, so essentially they can have attacks ready for particular websites. “We’ve come up with a way to take those tokens and repackage them on a payload-per-domain basis, with different types of payloads based on the referring site,” Hamiel said. “So, if it’s linked off of Twitter, the tool might respond one way, or if it’s linked off of something like LinkedIn, it might respond another way.”
This also gives attackers the ability to scale up attacks in a modular fashion, so payloads can be updated on the fly when referring websites make changes.
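As an added illustration (not code from the post or from the researchers' tool), the Python below models why a session token carried in the forum page URL reaches Bob's image host under the referrer policy browsers applied in 2009 but not under stricter ones, and shows the server-side check a forum can apply so that a token leaked this way cannot by itself authorize an action. The hosts forum.example and bob-images.example and the query parameter name `token` are assumptions.

```python
import hmac
from urllib.parse import parse_qs, urlsplit, urlunsplit

FORUM_ORIGIN = "https://forum.example"   # constructed: the forum Alice is logged in to

def origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"

def referer_sent(page_url, target_url, policy):
    """Referer a browser attaches when a page fetches a sub-resource (e.g. an <img>),
    for four common Referrer-Policy values. None means no Referer header at all."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    cross_origin = origin_of(page_url) != origin_of(target_url)
    downgrade = page.scheme == "https" and target.scheme == "http"
    full = urlunsplit(page._replace(fragment=""))      # whole URL, query string included
    origin_only = origin_of(page_url) + "/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":          # the browser default when the post was written
        return None if downgrade else full
    if policy == "same-origin":
        return None if cross_origin else full
    if policy == "strict-origin-when-cross-origin":     # today's browser default
        return None if downgrade else (origin_only if cross_origin else full)
    raise ValueError(f"unknown policy {policy!r}")

def token_in(referer):
    """True when the URL a third-party host received still carries the forum's
    session token (constructed query parameter name: token)."""
    return bool(referer) and "token" in parse_qs(urlsplit(referer).query)

def accept_state_change(req, session_token):
    """Server-side check for a state-changing forum request (dict: method, headers, form).
    Only a POST whose Origin (or Referer) is the forum itself and whose token arrives in the
    form body, equal to the session's token, is accepted. A token that only rides in the
    query string, the part that leaks through Referer, never satisfies the check."""
    if req["method"] != "POST":
        return False
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not source or origin_of(source) != FORUM_ORIGIN:
        return False
    return hmac.compare_digest(req["form"].get("token", ""), session_token)

if __name__ == "__main__":
    page = f"{FORUM_ORIGIN}/thread/42?token=alice-session-token"   # constructed forum page URL
    img = "https://bob-images.example/pixel.gif"                   # constructed off-site image host
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        ref = referer_sent(page, img, pol)
        print(f"{pol:34} Referer={ref!r:55} token leaked={token_in(ref)}")
```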
Just something to keep your eye on.