Wednesday, February 9, 2011

Cross Origin Header Forging for CSRF Attacks

Django and Ruby on Rails just released security updates (here and here) to address an attack that would allow CSRF through forged headers. Previously these two frameworks provided a CSRF defense for XHR requests that was based on the presence of the X-Requested-With header. The idea was simple: the browser added the header automatically during normal use of XHR, and an attacker was assumed to be unable to spoof or forge a header in a cross-domain setting (e.g. a CSRF attack). We discussed this a few months back and the consensus was that this approach was safe.

Apparently that has all changed. The details are currently very limited (or I just haven't found them). This is what is provided on the Django and Ruby on Rails security update pages:
Recently, engineers at Google made members of the Ruby on Rails development team aware of a combination of browser plugins and redirects which can allow an attacker to provide custom HTTP headers on a request to any website. This can allow a forged request to appear to be an AJAX request, thereby defeating CSRF protection which trusts the same-origin nature of AJAX requests.
Michael Koziarski of the Rails team brought this to our attention, and we were able to produce a proof-of-concept demonstrating the same vulnerability in Django's CSRF handling.
I'm very curious to find out more. Is a proof of concept available? What browser plugins are required for this attack? The potential exposure must be large because both frameworks have released a "backwards-incompatible" patch.
This is technically backwards-incompatible, but the security risks have been judged to outweigh the compatibility concerns in this case.
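To make the patched behaviour concrete, here is an added example (not code from this post, from Django or from Rails) contrasting the old header-trusting check with a check that demands the secret token on every unsafe request. The request shape, the header name X-CSRF-Token and the form field name csrf_token are assumptions for the illustration.

```python
import hmac
import secrets

# Requests are modelled as plain dicts (constructed for this example):
# {"method": ..., "headers": {...}, "form": {...}}. Header names are
# assumed to be already normalised to the exact case used below.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def new_session_token():
    """Per-session secret the server stores and embeds in its own pages."""
    return secrets.token_urlsafe(32)


def _token_matches(supplied, session_token):
    # Constant-time comparison; encoding avoids TypeError on non-ASCII input.
    return hmac.compare_digest(supplied.encode(), session_token.encode())


def legacy_csrf_check(request, session_token):
    """Pre-patch style: an XHR request was exempted from the token check on
    the strength of the X-Requested-With header alone."""
    if request["method"] not in UNSAFE_METHODS:
        return True
    if request["headers"].get("X-Requested-With") == "XMLHttpRequest":
        return True  # trusted as same-origin; this is the assumption that failed
    return _token_matches(request["form"].get("csrf_token", ""), session_token)


def fixed_csrf_check(request, session_token):
    """Post-patch style: every unsafe request must present the session's
    secret token, as a form field or in a request header. A forged header
    alone proves nothing, because the attacker never sees the token."""
    if request["method"] not in UNSAFE_METHODS:
        return True
    supplied = (request["form"].get("csrf_token")
                or request["headers"].get("X-CSRF-Token")
                or "")
    return _token_matches(supplied, session_token)
```

A request that carries only X-Requested-With passes the legacy check and fails the fixed one; a legitimate XHR that also sends the token passes both.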

-Michael Coates - @_mwc