Weaponizing Web 2.0

Imagine simply visiting a Web forum and finding that doing so forced your browser to post an embarrassing Twitter message to all of your contacts, or caused you to admit a stranger to your online social network. Now consider the same dynamic being used to move money out of your online auction account or delete the contents of your e-mail inbox.


These are just a taste of the Web 2.0 cross-site trust issues explored in a talk delivered at the Black Hat security conference in Las Vegas today. The presenters, researchers Nathan Hamiel and Shawn Moyer, delivered a related talk at Black Hat last year called "Satan is on my Friends List," which was highly entertaining and relevant to similar trust concerns that plague dozens of social networking sites. And since I am unfortunately not going to be at Black Hat this year, I wanted to catch up with them again to see what they've cooked up this year.

In this year's talk, entitled Weaponizing the Web, Hamiel and Moyer demo a new tool that makes it simple for bad guys to force a user's Web browser into taking actions on behalf of that user without their permission or knowledge.

While the tool could be used to attack others online, it could also help site owners better visualize how to protect their sites from this kind of attack, the researchers said.

The tool takes advantage of a new twist on an old form of attack known as cross-site request forgery (CSRF), which the researchers call "dynamic CSRF." In the classical CSRF attack, the perpetrator tricks the victim into loading a specially crafted page that makes the victim's browser send a request to a site where the victim is already logged in. Because the browser attaches the victim's session cookie to that request automatically, the site cannot tell it apart from one the victim made deliberately.

For example: A relatively benign CSRF attack takes place on a Web forum, wherein Alice browses a posting left by Bob. Unbeknownst to Alice, Bob has included in his message a booby-trapped image that takes advantage of the fact that she is logged in to that forum in an active session. The image tag's source address is not a picture at all but the URL used to post messages on that forum. When Alice's browser tries to load the image, it requests that URL with her session cookie attached, and the forum records a message in her name without her permission.

More serious CSRF attacks can be used against victims who are logged into an online banking account, forcing the target to initiate an unauthorized withdrawal or transfer from that account. Indeed, as phishing expert Lance James wrote in his book "Phishing Exposed," the beauty of cross-site request forging is that all requests an attacker wants to make will appear to come from the victim while the victim is at the "trusted" site.

The typical defense against CSRF attacks is for a Web site to include a unique, unpredictable token in each link or form it generates after the user has logged in. The Web server keeps a copy of that token tied to the visitor's session. If a subsequent request from the visitor's browser does not carry the matching token, the server assumes that someone or something other than its own pages produced the request and rejects it; some sites go further and invalidate the browsing session.

The problem with the token-based security approach, as researchers prior to Hamiel and Moyer have noted, is that it works only if the attacker doesn't have access to that random string of data as well.

To take the Alice and Bob on the forum example a step further, consider what happens when Alice views a forum posting by Bob that includes an image hosted at a site controlled by Bob. When Alice's browser loads that image, it sends Bob's site a referrer header containing the URL of the forum page she is viewing, and on a site that puts its token in the URL, that means the full token unique to Alice's session with that forum. Armed with the token from the referring URL, Bob's server can answer the image request with a response (an HTTP redirect, for instance) that sends Alice's browser, cookie and token in hand, to a forum URL that silently takes action in her name.

The two researchers say they plan to release a Web-based tool at Black Hat called "monkeyfist," which automates this process to some degree for a number of high-traffic sites, including Wikipedia and Livejournal.

"We've come up with a way to take those tokens and repackage them on a payload-per-domain basis, with different types of payloads based on the referring site," Hamiel said. "So, if it's linked off of Twitter, the tool might respond one way, or if it's linked off of something like LinkedIn, it might respond another way."

Moyer said one way to prevent this attack, commonly used on banking Web sites, involves what's known as a nonce: essentially a random, one-time-use-only number that is appended to a URL each time a visitor loads a page on that site. Since a nonce is spent the moment its page loads, the copy that leaks through the referrer is already worthless by the time Bob's server sees it. He noted that one reason most sites don't adopt this approach is that it requires far more computational and Web server capacity, which can drive up costs -- particularly for high-traffic sites.
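The token-in-URL defense, the referrer leak that defeats it, and the one-time nonce Moyer describes, written out as an added example. This is not code from the original post and not the monkeyfist tool: forum.example, evil.example and every class and function here are hypothetical, and the "browser" is simulated by hand (the Referer header and the cookie are passed explicitly), so nothing touches the network. The token forum accepts the forged post; the nonce forum rejects it because the only nonce the referrer can carry was spent when Alice's page loaded.

```python
# Added example (not the article's or monkeyfist's code): a self-contained
# simulation of dynamic CSRF against a forum that carries its anti-CSRF token
# in page URLs, next to the one-time-nonce design the article describes.
# forum.example, evil.example and all functions are hypothetical.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PAGE = "https://forum.example/thread/42?"
POST = "https://forum.example/post?"


def _q(url, key):
    """First value of query parameter `key` in `url`, or None."""
    return parse_qs(urlparse(url).query).get(key, [None])[0]


class TokenForum:
    """Static per-session token reused in every URL: leaks via the Referer."""

    def __init__(self):
        self.sessions = {}   # session cookie -> {"user", "token"}
        self.posts = []      # (user, message) as recorded by the server

    def login(self, user):
        cookie = secrets.token_hex(8)
        self.sessions[cookie] = {"user": user, "token": secrets.token_hex(16)}
        return cookie

    def page_url(self, cookie):
        # The token rides in the page URL, so a cross-site <img> on this page
        # hands it to the image host inside the Referer header.
        return PAGE + urlencode({"token": self.sessions[cookie]["token"]})

    def load_page(self, cookie, url):
        """Render the thread; the reply link reuses the same session token."""
        return POST + urlencode({"token": _q(url, "token"), "msg": "hello"})

    def handle_post(self, cookie, url):
        """Server side of /post: accept only if the session token matches."""
        sess = self.sessions.get(cookie)
        if sess is None or _q(url, "token") != sess["token"]:
            return 403
        self.posts.append((sess["user"], _q(url, "msg")))
        return 200


class NonceForum(TokenForum):
    """One-time nonce per URL: the Referer can only ever leak a spent one."""

    def __init__(self):
        super().__init__()
        self.fresh = {}      # unused nonce -> session cookie; popped on use

    def _mint(self, cookie):
        nonce = secrets.token_hex(16)
        self.fresh[nonce] = cookie
        return nonce

    def page_url(self, cookie):
        return PAGE + urlencode({"nonce": self._mint(cookie)})

    def load_page(self, cookie, url):
        """Rendering the page spends its nonce; the reply link gets a fresh
        one that lives in the page body, never in the page URL."""
        if self.fresh.pop(_q(url, "nonce"), None) != cookie:
            return None
        return POST + urlencode({"nonce": self._mint(cookie), "msg": "hello"})

    def handle_post(self, cookie, url):
        sess = self.sessions.get(cookie)
        if sess is None or self.fresh.pop(_q(url, "nonce"), None) != cookie:
            return 403
        self.posts.append((sess["user"], _q(url, "msg")))
        return 200


# Bob's image host, evil.example. The payload is chosen per referring site,
# as the article describes; only the forum.example payload is filled in.
def _forum_payload(referer):
    # Repackage whatever credential the Referer carried into a forged /post.
    creds = {k: _q(referer, k) for k in ("token", "nonce") if _q(referer, k)}
    return POST + urlencode({**creds, "msg": "pwned"})


PAYLOADS = {"forum.example": _forum_payload}


def evil_image_handler(headers):
    """GET /pixel.gif on evil.example -> (status, Location). Unknown
    referrers get a real image; known ones get a 302 to a forged action."""
    referer = headers.get("Referer", "")
    builder = PAYLOADS.get(urlparse(referer).netloc)
    return (200, None) if builder is None else (302, builder(referer))


def browser_loads_image(forum, cookie, page_url):
    """Alice's browser fetches Bob's <img> with the page URL as Referer,
    then follows the redirect with her forum session cookie attached."""
    status, location = evil_image_handler({"Referer": page_url})
    return forum.handle_post(cookie, location) if status == 302 else None


def run_attack(forum_cls):
    """Alice views Bob's post, then her browser loads the booby-trapped image."""
    forum = forum_cls()
    alice = forum.login("alice")
    page = forum.page_url(alice)
    forum.load_page(alice, page)
    return browser_loads_image(forum, alice, page), forum.posts


def legit_reply(forum_cls):
    """Status of Alice's own reply, then of a replay of the same URL."""
    forum = forum_cls()
    alice = forum.login("alice")
    link = forum.load_page(alice, forum.page_url(alice))
    return [forum.handle_post(alice, link), forum.handle_post(alice, link)]


if __name__ == "__main__":
    print("token forum:", run_attack(TokenForum))   # (200, [('alice', 'pwned')])
    print("nonce forum:", run_attack(NonceForum))   # (403, [])
```

The nonce forum also refuses a replay of Alice's own reply link, which is the same property that makes the leaked copy useless; the cost Moyer mentions shows up as the server-side bookkeeping of every outstanding nonce.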

A copy of Moyer and Hamiel's white paper on this talk is

By Brian Krebs  |  July 29, 2009; 3:15 PM ET
Categories:  From the Bunker  | Tags: black hat 2009  


Re: "The two researchers say they plan to release a Web-based tool at Black Hat called "monkeyfist," which automates this process to some degree for a number of high-traffic sites"

Why would these so-called "researchers" do such a disgusting act? It's bad enough that they post their revelations openly for the criminals to read and use. These two researchers should be ashamed of themselves for aiding online criminals.

Nathan Hamiel and Shawn Moyer are more interested in scoring publicity points and bragging rights than they are in security and all of the sysadmin anguish their actions will cause.

Posted by: taskforceken | July 29, 2009 3:52 PM | Report abuse

Does the Firefox extension, NoScript, prevent this attack?

Posted by: blowbush | July 29, 2009 4:44 PM | Report abuse

Yeah, these experienced security researchers are irresponsible. Don't they know that the very best way to get *everyone* on the Internet to fix a security vulnerability is to keep it vewy quiet?

They should have just privately raised this issue with the Supreme Administrator of the Internet.

Posted by: DupontJay | July 29, 2009 7:22 PM | Report abuse

As if.
The Supreme Administrator is almost impossible to reach except by carrier pigeon, and even then, SA's responses are confusing and contradictory.
No. These security experts should clearly have printed all of this "security" "information" via dot matrix and burned it in a ceremonial urn. Preferably while defenestrating adolescent crackers and absolutely on the autumnal equinox.
The greater good has been scientifically proven to be an artificial construct. Sometimes it's just a matter of adding random access moron and defragging you hat rack.

Posted by: lostinthemiddle | July 29, 2009 8:57 PM | Report abuse

...youR hat rack.

Posted by: lostinthemiddle | July 29, 2009 8:59 PM | Report abuse

Perhaps this raises the question of the future viability of commercial internet usage PERIOD.

It is starting to make the internet look like many of the roads our troops used in Iraq and Afghanistan, where roadside IEDs took numerous lives and injured countless others.

Brian --------

How many years of USEFUL internet connections remain for especially commercial use and what then is the alternative besides perhaps dedicated lines between users?

Posted by: | July 29, 2009 10:05 PM | Report abuse

"A Standard for the Transmission of IP Datagrams on Avian Carriers"

Certainly another path by which clients and servers may communicate.

And by the way, *not* spreading the word about security holes is how Microsoft handles security. Remember that saying the gun nuts use: if guns are made criminal, then only criminals will have guns.

Posted by: khote14 | July 29, 2009 10:36 PM | Report abuse

Wow, that's the coolest thing I ever heard of!


Posted by: clermontpc | July 30, 2009 12:35 AM | Report abuse

Pigeon racing was a sport in the 1900 Paris Olympic Games. No results have ever been found, or if the pigeons carried IP datagrams.

Posted by: jimward21 | July 30, 2009 8:18 AM | Report abuse

taskforceken - why would you assume the bad guys don't already know? Security researchers are no more or less capable. If you mean to say responsible reporting - who would you report to? I.e., who is the vendor that would fix it?

Posted by: rogernebel | July 30, 2009 11:04 AM | Report abuse

As for the pigeon UDP datagrams, well, we network admins are all very cognizant of the fact that you can't admit UDP inside the firewall because they don't have time-to-live and they'll accept any route including a null route. This means that packets pile up on the floor. If you're not careful, they can get stuck between your toes and cause irritation.

Considering that the vector in this case was pigeons, I expect that you can find the null-routed UDP pigeon packets somewhere in the layer of crust on any given outdoors statue of former political or military figures.

I wonder if WaPo has been monkeyfisted yet? ;)

Posted by: thardman | July 30, 2009 12:53 PM | Report abuse

A simple solution for Firefox would be to create a plugin that blocks browsers from uploading images and other files from URLs that aren't part of the primary domain.

This has the added benefit of blocking DoubleClick and other advertising companies that track your web movements. At least until they figure out a workaround.

Posted by: tgoglia | July 30, 2009 1:57 PM | Report abuse

"A simple solution for Firefox would be to create a plugin that blocks browsers from uploading images and other files from URLs that aren't part of the primary domain."

That would block ads. Don't get me wrong, I like the idea, but the Monetizing Mensheviks have an issue.

Posted by: gannon_dick | July 30, 2009 5:29 PM | Report abuse

WaPo has clearly been monkeyfisted (or some knock-off) - the new mobile site is direct evidence of a hack!

Posted by: rogernebel | July 30, 2009 5:57 PM | Report abuse


© 2010 The Washington Post Company