Boris Burkov

Reputation: 14506

How to implement an XSRF attack via auto-submitting form in iframe?

I'm working on a Single-Page App and choosing what scheme to use for user sessions, cookie or localStorage. In particular, I'm considering the CSRF attack scenario. The most reasonable CSRF attack scheme, IMHO, is auto-submitting a form in an invisible iframe. But how does it work?

Suppose that I'm the developer of maliciouswebsite.net and on my page I'm creating an invisible iframe pointing to some page at the bank.com website, with the intention of making a user who visits maliciouswebsite.net and is logged in on bank.com unwillingly send his money to me by auto-submitting the form in the invisible iframe.

But in such a case the code in the iframe won't be scriptable from maliciouswebsite.net, because it will be considered cross-origin and the browser won't allow JavaScript in the main frame of maliciouswebsite.net to manipulate elements of the bank.com invisible frame.

A different scenario is that maliciouswebsite.net just presents an invisible iframe with a form with action=bank.com/api/transfer_money?.... So the origin of this iframe is still maliciouswebsite.net. But in such a case the form won't see the user's cookie at bank.com and won't be allowed to do anything, right?

Upvotes: 0

Views: 558

Answers (1)

SilverlightFox

Reputation: 33578

A different scenario is that maliciouswebsite.net just presents an invisible iframe with a form with action=bank.com/api/transfer_money?.... So the origin of this iframe is still maliciouswebsite.net. But in such a case the form won't see the user's cookie at bank.com and won't be allowed to do anything, right?

Yes, this is how it would work should an IFrame be used.

Basically it starts off with a page with a form on it that auto-submits to another domain, like you say. See this answer for an example.

Then, so as not to alert the user that the form is being submitted, the attacker embeds the page with that form in a hidden IFrame.

The browser will automatically send cookies, as long as the user is already logged into bank.com. Remember, the form does not need to see cookies (maliciouswebsite.net), only the target domain does (bank.com).

Upvotes: 1
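The point the answer makes is that the browser picks cookies by the request's target domain, not by the origin of the page that issued the request, so a form posted from a maliciouswebsite.net iframe still arrives at bank.com carrying the victim's session. The following Python simulation is an added example, not code from the question, the answer, or any real site: it models that cookie decision (including the SameSite attribute, which decides whether a cross-site POST from an iframe still gets the cookie) and contrasts a naive bank.com handler that trusts the session cookie alone with one that also checks the Origin header and a per-session synchronizer token. All hostnames, cookie names, session ids and form fields are constructed for the example.

```python
"""Added example (not from the original question or answer): simulate how a
browser attaches cookies to a cross-site form POST issued from an iframe, and
show the server-side checks that reject it. Everything here is constructed."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str = "Lax"  # "Strict", "Lax" or "None"; modern browsers default to Lax


@dataclass
class Request:
    method: str
    host: str             # request target, e.g. "bank.com"
    initiator_site: str   # site of the document that issued the request
    top_level: bool       # True for a top-level navigation, False inside an iframe
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


def attach_cookies(jar: dict, req: Request) -> Request:
    """Model the browser: cookies are selected by the *target* host, never by the
    embedding page's origin. SameSite then decides whether a cross-site request
    still carries them."""
    same_site_request = req.initiator_site == req.host
    for cookie in jar.get(req.host, []):
        if same_site_request or cookie.same_site == "None":
            send = True
        elif cookie.same_site == "Lax":
            # Lax: cross-site cookies only on top-level GET navigations, so a
            # POST from inside an iframe does not get them
            send = req.top_level and req.method == "GET"
        else:  # Strict: never on a cross-site request
            send = False
        if send:
            req.cookies[cookie.name] = cookie.value
    return req


def naive_server_accepts(req: Request, session_store: dict) -> bool:
    """bank.com handler that trusts the session cookie alone (vulnerable)."""
    return req.cookies.get("session") in session_store


ALLOWED_ORIGINS = {"https://bank.com"}  # constructed


def server_accepts_transfer(req: Request, session_store: dict) -> tuple:
    """Hardened bank.com handler: session cookie for authentication, plus two
    things a page on another site cannot supply. session_store maps a session
    id to the synchronizer token issued with the real transfer form."""
    session_id = req.cookies.get("session")
    if session_id not in session_store:
        return False, "no valid session cookie"
    # Browsers set Origin on cross-origin form POSTs and scripts cannot forge it.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-site origin %s" % origin
    # Synchronizer token: the attacker's page never saw it (same-origin policy).
    expected = session_store[session_id]
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or wrong CSRF token"
    return True, "transfer accepted"


def demo() -> dict:
    """Run the three scenarios the thread discusses and return the outcomes."""
    session_store = {"sess-123": secrets.token_hex(16)}  # constructed session
    results = {}

    def cross_site_post() -> Request:
        # Form auto-submitted from a hidden maliciouswebsite.net iframe
        return Request("POST", "bank.com", "maliciouswebsite.net", False,
                       headers={"Origin": "https://maliciouswebsite.net"},
                       form={"to": "acct-x", "amount": "1000"})

    # 1. Session cookie with SameSite=None: the browser attaches it anyway.
    jar_none = {"bank.com": [Cookie("session", "sess-123", "None")]}
    req = attach_cookies(jar_none, cross_site_post())
    results["none_cookie_attached"] = "session" in req.cookies
    results["none_naive"] = naive_server_accepts(req, session_store)
    results["none_hardened"] = server_accepts_transfer(req, session_store)[0]

    # 2. SameSite=Lax (default): no cookie on a cross-site POST from an iframe.
    jar_lax = {"bank.com": [Cookie("session", "sess-123", "Lax")]}
    req = attach_cookies(jar_lax, cross_site_post())
    results["lax_cookie_attached"] = "session" in req.cookies
    results["lax_naive"] = naive_server_accepts(req, session_store)

    # 3. Genuine submission of bank.com's own form, carrying the token.
    legit = Request("POST", "bank.com", "bank.com", True,
                    headers={"Origin": "https://bank.com"},
                    form={"to": "friend", "amount": "20",
                          "csrf_token": session_store["sess-123"]})
    req = attach_cookies(jar_none, legit)
    results["legit_hardened"] = server_accepts_transfer(req, session_store)[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Scenario 1 is exactly the answer's point: with a SameSite=None cookie the cross-site POST authenticates against the naive handler, and only the Origin and token checks stop it. Scenario 2 shows that the SameSite default already keeps the cookie off an iframe-initiated POST, but relying on it alone is fragile, which is why the hardened handler keeps both checks regardless of how the cookie was set.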
