Menu
The Django documentation on its CSRF protection states that:
In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP 'Set-Cookie' headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)
I have trouble visualizing how this attack works. Could somebody explain?
UPDATE:
The wording in the Django doc seems to imply that there is a specific type of man-in-the-middle attack (which leads to a successful CSRF I'd assume) that works with session independent nonce (but not with transaction specific nonce etc., I suppose) and involves the use of 'Set-Cookie' header.
So I wanted to know how that specific type of attack works.
482
A man-in-the-middle attack is a form of communications eavesdropping attack. Attackers position themselves in the communication stream between a client and server (or any two communicating entities). The client and server believe they're communicating directly with each other.
MITM attacks are quite widespread, although they tend to happen on a small scale. Some experts have estimated roughly 35% of attacks that exploit cyber vulnerabilities have been MITM attacks. Hackers can drop in on a cafe or airport Wi-Fi connection and make a quick score.
What is MITM attack. A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.
A Man-in-the-Middle (MITM) attack happens when a hacker inserts themselves between a user and a website. This kind of attack comes in several forms. For example, a fake banking website may be used to capture financial login information. The fake site is “in the middle” between the user and the actual bank website.
The attacker can set the CSRF cookie using Set-Cookie, and then supply a matching token in the POST form data. Since the site does not tie the session cookies to the CSRF cookies, it has no way of determining that the CSRF token + cookie are genuine (doing hashing etc. of one of them will not work, as the attacker can just get a valid pair from the site directly, and use that pair in the attack).
Directly from the django project
(I googled for session independent nonce.)
116
Here's a very detailed description of one-such MitM attack. Below is an abridged and simplified adaptation:
Modify an HTTP-served page (e.g., http://foo.com/browse) to have an auto-submitting form that submits to an HTTPS POST end-point (e.g., http://foo.com/check_out). Also set their CSRF cookie to match your token:
<script type="text/javascript">
function loadFrame(){
var form=document.getElementById('attackform');
// Make sure that the form opens in a hidden frame so user doesn't notice
form.setAttribute('target', 'hiddenframe');
form.submit();
}
</script>
<form name="attackform" id="attackform" style="display:none" method="POST"
action="http://foo.com/check_out">
<input type="text" name="expensive-thing" value="buy-it-now"/>
<input type="text" name="csrf" value="csrf-token-value"/>
</form>
<iframe name="hiddenframe" style="display:none" id="hiddenframe"></iframe>
<XXX onload="loadFrame();">
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
