About the CSRF Redirector

Jul 06, 2010



You might have seen this post on Chris's blog about a CSRF redirector he wrote. It is essentially a small script that turns a GET request into a hidden form, which is then submitted via JavaScript. Redirector scripts have always had security issues, and if you offer one that anyone can use, you should care about which redirects you actually allow.

Two major risks exist with Chris's example:

  1. Malicious people could misuse it as an open bouncer to attack other sites:
     the redirector posts arbitrary form data to any destination an attacker chooses.
  2. Not every URL is a web page. Some URLs load plugins, some display information,
     and some (such as javascript: URLs) execute JavaScript.

Here is an example URL:

http://shiflett.org/csrf.php?csrf=javascript:alert(/I_AM_A_SECURITY_EXPERT/)

In Internet Explorer (and Safari) a javascript: URL used as the form action executes in the context of shiflett.org, which gives the attacker access to the domain (cookies, etc.). In Firefox you can still do other unpleasant things.

So if you implement a (JavaScript) redirector script, make sure you properly whitelist the user-supplied URLs: parse the URL, allow only the http and https schemes, and check the destination host against a list of permitted targets, rather than trying to blacklist dangerous schemes.
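
To make the two points above concrete, here is an added example (it is not Chris Shiflett's csrf.php, and the host names, parameter names and allowlist are assumptions for the demo). It builds the auto-submitting hidden form from a query string in the vulnerable shape the post describes, and beside it a hardened variant that parses the target URL, accepts only http/https, and requires the host to be on an allowlist. HTML-escaping the action attribute does not help against a javascript: URL, because the scheme itself is the problem.

```javascript
// Added example, not the original csrf.php: a minimal CSRF redirector that
// turns "?csrf=<target>&field=value..." into an auto-submitting POST form.
// ALLOWED_TARGETS, "trusted.example" and the "csrf" parameter are assumptions.

const ALLOWED_TARGETS = new Set(["trusted.example", "www.trusted.example"]);

// Escape text for safe placement inside an HTML attribute or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Split the query string into the redirect target and the remaining fields.
function parseQuery(queryString) {
  const params = new URLSearchParams(queryString.replace(/^\?/, ""));
  const target = params.get("csrf");
  params.delete("csrf");
  const fields = [];
  for (const [k, v] of params) fields.push([k, v]);
  return { target, fields };
}

// Render the hidden form plus the script that submits it on load.
function buildForm(action, fields) {
  const inputs = fields
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join("\n  ");
  return `<form id="f" method="post" action="${escapeHtml(action)}">\n  ${inputs}\n</form>\n` +
    `<script>document.getElementById("f").submit();</script>`;
}

// Vulnerable: the form action is whatever the caller supplied. Escaping keeps
// the attribute well-formed, but "javascript:..." survives intact and runs in
// this page's origin in browsers that execute it as a form action.
function vulnerableRedirector(queryString) {
  const { target, fields } = parseQuery(queryString);
  return buildForm(target, fields);
}

// Hardened check: parse as an absolute URL, require http(s), allowlist the host.
// Returns the normalised URL, or null if the target must be refused.
function validateTarget(target) {
  let url;
  try {
    url = new URL(target);          // rejects relative and malformed URLs
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (!ALLOWED_TARGETS.has(url.hostname)) return null;   // no open bouncer
  return url.href;
}

// Hardened redirector: null means the caller should answer with 400, not a form.
function hardenedRedirector(queryString) {
  const { target, fields } = parseQuery(queryString);
  const action = validateTarget(target);
  if (action === null) return null;
  return buildForm(action, fields);
}

module.exports = { escapeHtml, parseQuery, buildForm, vulnerableRedirector, validateTarget, hardenedRedirector };
```

Running `vulnerableRedirector("?csrf=javascript:alert(/I_AM_A_SECURITY_EXPERT/)")` yields a form whose action is the javascript: URL, which is exactly the example in the post; `hardenedRedirector` returns null for the same input, for `data:` URLs, for scheme-relative `//host/` targets and for any http(s) host that is not on the allowlist. Note that the allowlist is matched on the parsed hostname, so tricks like `http://trusted.example@evil.example/` resolve to `evil.example` and are refused.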

UPDATE: The simple XSS example above no longer works. However, there are still other XSS vulnerabilities in the CSRF redirector, such as variable-width (multibyte) character encoding problems, and it is still an open bouncer for malicious persons.