« Redhat/Fedora Servers compromised, package signing key stolen, rogue packages possibly signed | Main | Understanding the security changes in Flash Player 10 beta »

Cross-site hacks and the art of self defence

Generally, browsers stop cross-site communication by following the "same-origin policy". This rule is pretty simple: if your site has a different origin - protocol, domain, and port don't all match - you aren't allowed to access information from or send requests to the other site. Without this simple rule, there would be no security on the internet. Every website could access data from every other one - you'd need a separate web browser for every website.

Unfortunately, the same-origin policy is nowhere near airtight. Attackers don't even need an exploit to bypass it. They can simply embed an IMG, SCRIPT, IFRAME, or FORM tag that references the targeted website in an HTML page. When the victim's browser renders this tag, it generates a request and sends it to the targeted website - right around the same-origin policy. This is a feature of all browsers - it's used by many applications to grab images from other sites and to post from data to services.

Attackers can use this loophole to forge requests that appear to be coming from a legitimate user. These are called cross-site request forgeries, or CSRF, for short.

Article: http://www.theregister.co.uk/2008/08/29/hijacked_browser/


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!