user3629892

Reputation: 3046

Is CSRF / clickjacking possible after cookies are cleared?

As far as I understand it, CSRF and clickjacking use the fact that the browser automatically includes cookies in requests to a webpage (those that came from that domain, that is).

So basically, an attacker will prepare a malicious site and make a call to some URL (e.g. Gmail) in the hope that the cookies for this URL are still saved in my browser. Or can they somehow find out which webpages I am currently logged into in another tab and then tailor their attack to that?

And my more pressing question: after I cleared the browser cache or logged out correctly, these two attacks are impossible, aren't they?

Upvotes: 0

Views: 118

Answers (1)

Gabor Lengyel

Reputation: 15599

An attacker owning a website and having you visit it (the standard CSRF scenario) typically has no way in recent browsers to find out what other websites you have open in different browser tabs (though several tricks have popped up from time to time, like for example trying to embed an authenticated resource from a guessed website and checking if it results in an error, indicating you are not logged in - a classic). But they can also just guess and perform a blind attack - maybe they won't know if it succeeded in a specific case, but sometimes it's enough if there are occasional successes, doesn't matter which ones. CSRF is CSRF, regardless of whether an attacker can find out if it worked. These can still be useful in more complex attacks as a building block too.

As for your other question - sure, if there is no authentication info sent by your browser, CSRF is not possible. Note that this doesn't strictly mean cookies; HTTP basic auth is also saved for the session, and client certificates are sent automatically too. Maybe marginal, but sometimes quite important. :) Also note that simply logging out on the UI does not necessarily invalidate CSRF - the server also needs to log you out correctly, which is not always the case. For a straightforward example, consider SAML SSO where you have a long-term session with the identity provider and a short-lived session with an application. You click logout, your application session is terminated, but there may be no single logout. When CSRF is then attempted with something like a full HTTP POST, you might be redirected to the IdP, then to the application, which might log you in automatically, and the action is performed - without any user interaction, facilitating CSRF. Again maybe an edge case, but this whole thing is about edge cases in a sense.

Upvotes: 1
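The SSO logout gap the answer describes, as an added toy model that is not part of the original question or answer: the redirect dance is collapsed into function calls, and the class and cookie names (`IdentityProvider`, `Application`, `idp`, `app`) are hypothetical. It shows that a cross-site POST after an application-only logout still performs the action, while a single logout that revokes the IdP session server-side stops it.

```python
# Added example (hypothetical names): why local logout without single logout
# leaves a cross-site POST able to re-establish a session and act.

class IdentityProvider:
    """Long-lived IdP session keyed by the IdP's own cookie."""
    def __init__(self):
        self.sessions = {}                      # idp cookie -> user

    def login(self, user):
        sid = f"idp-{len(self.sessions) + 1}"   # constructed, not random
        self.sessions[sid] = user
        return sid

    def assert_user(self, idp_cookie):
        # Stands in for the SAML redirect + signed assertion; None = no IdP session
        return self.sessions.get(idp_cookie)

    def single_logout(self, idp_cookie):
        self.sessions.pop(idp_cookie, None)     # server-side revocation

class Application:
    """Short-lived app session; a request without one is bounced to the IdP."""
    def __init__(self, idp):
        self.idp, self.sessions, self.actions = idp, {}, []

    def establish(self, user):
        sid = f"app-{len(self.sessions) + 1}"
        self.sessions[sid] = user
        return sid

    def local_logout(self, app_cookie):
        self.sessions.pop(app_cookie, None)     # only the app session dies

    def handle_post(self, browser, action):
        """browser: dict of cookies the browser attaches automatically."""
        user = self.sessions.get(browser.get("app"))
        if user is None:                        # no app session -> via the IdP
            user = self.idp.assert_user(browser.get("idp"))
            if user is None:
                return False                    # login page shown, nothing done
            browser["app"] = self.establish(user)   # silent re-login
        self.actions.append((user, action))
        return True

def cross_site_post_succeeds(single_logout):
    """Log in via SSO, log out in the app UI, then replay a forged POST."""
    idp = IdentityProvider()
    app = Application(idp)
    browser = {"idp": idp.login("alice")}
    browser["app"] = app.establish("alice")
    app.local_logout(browser.pop("app"))        # user clicks logout in the app
    if single_logout:
        idp.single_logout(browser["idp"])       # cookie stays, session is gone
    return app.handle_post(browser, "change-email")  # auto-submitted elsewhere
```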
