nullexception

Reputation: 78

Would you count the following scenario as (dangerous) CSRF?

Imagine you have a big corporation. Now someone found a CSRF vulnerability which only works through the site itself (since the site is protected by checking the Referer header, no CSRF token). This can perform critical actions, but only if the request comes from your site. That means a small XSS attack could perform bigger actions through this vulnerability. Would you count this as a critical vulnerability, and should this be rewarded as a CSRF attack?

Upvotes: 1

Views: 97

Answers (1)

SilverlightFox

Reputation: 33578

This is known as On Site Request Forgery.

An XSS vulnerability always trumps any CSRF/OSRF attack. Just think, if the forms were not protected by referer but were protected by a token, the XSS attack could simply read the token out of the DOM and then submit the form.

Therefore there is no extra risk to the site. The only exception to this is where you have an Open Redirect Vulnerability in combination with an unsafe action implemented as a GET.

Say the following URL is available:

https://example.com/delete_my_account

The handler validates referer to ensure that the request comes from https://example.com/*.

However, there is also another URL available that issues JavaScript redirects:

https://example.com/redirect_to_site

This would be called as follows within the site to track external links:

https://example.com/redirect_to_site?https://google.com

However, an OSRF attack would be possible by constructing a CSRF attack redirecting to something like the following:

https://example.com/redirect_to_site?https://example.com/delete_my_account

Because referer is checked, this will validate the request because only delete_my_account is checking the referer here as this is deemed the unsafe action. However, because it can be redirected over the unprotected handler, it can defeat the referer protection.

Therefore, unless there is such functionality on the site or unless the site allows user content to construct such links, there is no vulnerability in checking referer for CSRF protection.

Note: Before anyone mentions that the referer header can be spoofed, this would only be possible from the attacker's own connection. In a CSRF attack you need this to be spoofed on the victim's connection - CSRF is an attack against another user - therefore although referer is a weak protection, it is still adequate in many cases.

Upvotes: 1
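A defensive counterpart to the redirect chain described in this answer, added here as an example (it is not the answer author's code): a strict Referer origin comparison, and a tracking-redirect handler that refuses same-origin targets so it cannot act as a trampoline into a Referer-protected action. `SITE_ORIGIN`, the external allow-list and the two handler paths are constructed assumptions modelled on the URLs in the answer.

```python
from urllib.parse import urlsplit

# Constructed values for this example; origin and allow-list are assumptions.
SITE_ORIGIN = "https://example.com"
EXTERNAL_ALLOWLIST = {"google.com", "www.google.com"}


def _origin(url):
    """Return (scheme, host, port) for url, or None if it is not a usable http(s) URL."""
    try:
        p = urlsplit(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        port = p.port or (443 if p.scheme == "https" else 80)
    except ValueError:  # malformed port such as "https://example.com:abc"
        return None
    return (p.scheme, p.hostname, port)


def referer_is_same_origin(referer):
    """Compare parsed origins, not string prefixes: referer.startswith(SITE_ORIGIN)
    would also accept https://example.com.attacker.test/ as trusted."""
    return referer is not None and _origin(referer) == _origin(SITE_ORIGIN)


def redirect_target_allowed(target):
    """The tracking redirect exists only for external links. Rejecting same-origin
    targets removes the hop that lands on delete_my_account with a trusted Referer;
    the allow-list additionally stops the handler being an open redirect."""
    origin = _origin(target)
    if origin is None or origin == _origin(SITE_ORIGIN):
        return False
    return origin[1] in EXTERNAL_ALLOWLIST


def handle(method, path, query, referer):
    """Tiny model of the two handlers from the answer; returns the outcome as a string."""
    if path == "/redirect_to_site":
        target = query or ""
        return f"redirect:{target}" if redirect_target_allowed(target) else "reject:redirect"
    if path == "/delete_my_account":
        if method != "POST":  # a state-changing action must not be reachable via GET
            return "reject:method"
        if not referer_is_same_origin(referer):
            return "reject:referer"
        return "deleted"
    return "404"
```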
