Saturday, January 9, 2010

"Logout XSRF" - significant web app bug?

[Or "Logout CSRF" for search indexes; I seem to be addicted to the less common acronym ;-)]

Significant? No, of course not. It is a technical integrity violation inflicted upon good.com by evil.com. That's not ideal, and could be an annoyance. But there are some other interesting technicalities that can make it futile to defend against. They include:
  • Cookie forcing. A man-in-the-middle attacker can clobber the auth cookie, even though your session is over https.

  • Cookie bombardment. There is no standard for how a browser should behave when a range of collaborating sites (e.g. *.evil.com) pile a load of cookies onto a browser. kuza55 documents the plausibility of this attack in Firefox and Opera, and the Browser Security Handbook also alludes to it in Part 2 under the heading "Problems with cookie jar size". Essentially, *.evil.com could "LRU-out" the auth cookie of another site. I've not seen a definitive answer to whether IE8 has a global maximum cookie limit or not. Intriguingly, having one can be a problem, as can not having one!
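To make the "LRU-out" mechanism concrete, here is a small added model of a browser cookie jar (not code from the post); the global cap, the hostnames and the oldest-first eviction policy are assumptions chosen to illustrate the behaviour described above.

```python
from collections import OrderedDict

# Added illustration, not code from the post. Models a browser cookie jar with
# an optional global cap; the eviction policy (oldest cookie goes first) is an
# assumption standing in for the "LRU-out" behaviour the post describes.
class CookieJar:
    def __init__(self, global_max=None):
        self.global_max = global_max          # None models "no global limit"
        self._jar = OrderedDict()             # (host, name) -> value, oldest first

    def set_cookie(self, host, name, value):
        key = (host, name)
        if key in self._jar:
            self._jar.move_to_end(key)        # re-setting refreshes the entry
        self._jar[key] = value
        if self.global_max is not None:
            while len(self._jar) > self.global_max:
                self._jar.popitem(last=False) # evict the least recently set

    def get(self, host, name):
        return self._jar.get((host, name))

    def __len__(self):
        return len(self._jar)


def simulate_bombardment(global_max, hostile_cookies):
    """Return (auth_cookie_survived, jar_size) after collaborating *.evil.com
    hosts each set one cookie. Hostnames and values are constructed samples."""
    jar = CookieJar(global_max)
    jar.set_cookie("good.com", "auth", "session-token")
    for i in range(hostile_cookies):
        jar.set_cookie(f"sub{i}.evil.com", f"c{i}", "x")
    return jar.get("good.com", "auth") is not None, len(jar)


if __name__ == "__main__":
    # With a cap of 300, the auth cookie survives 299 hostile cookies but not 300.
    print(simulate_bombardment(300, 299))   # (True, 300)
    print(simulate_bombardment(300, 300))   # (False, 300)
    # Without a cap the auth cookie survives, but the jar grows without bound.
    print(simulate_bombardment(None, 5000)) # (True, 5001)
```

The two runs show both sides of the post's closing remark: a global cap lets collaborating hosts evict another site's auth cookie, while no cap leaves the jar open to unbounded growth.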
