Tuesday, December 05, 2006

Use of time delay technique for effective CSRFs

I read Jeremiah Grossman's article on Browser Port Scanning without JavaScript.
One point to note is that this is based on the time difference that is observed when

  1. A host is up
  2. A host is down

One of the techniques of port scanning using javascript also relies on this time difference.

Now look at comment that says "The purpose of CSRF is to perform actions on behalf of the current user but this user must be authenticated first. Otherwise, there is no point in doing whatsoever." here.

Is it possible for an attacker to determine if the victim has logged in? YES it is definitely possible. Again we rely on the time difference technique. Just observe what sites throw at you when you request a private page without having authenticated. All of them will either display an error message or a login form.

Now if you see the time taken when you are logged in vs when you are not logged in, you will see a considerable difference (It depends on what private page you request).

Using this phenomenon, attacker can always determine if the victim has logged in.

Following code shows how this can be done,
<body>
<script>
function loaded()
{
var time = new Date();
var t2 = time.getTime();
alert(t2- t1);
}
var time = new Date();
var t1 = time.getTime();
</script>
<iframe src="http://www.orkut.com/News.aspx" onload="loaded()">
</iframe>
</body>

On news.aspx page without logging in, I got following readings

7391, 6938, 6453

After logging in,

4453, 5844, 4375, 4359, 4375

It should be noted that these readings may depend on,

  1. Network speed
  2. Number of cacheable objects on the page (And therefore might vary significantly on every subsequent run)

Therefore it is necessary to select a private page that preferably has least number of cacheable objects. Also, the time taken for private-page load and login-page load should not be comparable.

As I see it, many such things are possible if we study the behavior of web applicaions.

No comments: