NYPHP.org

[nycphp-talk] NYPHP cringed at AJAX almost a year ago.... now JS exploit "level 3"

Chris Shiflett shiflett at php.net
Fri Oct 14 12:19:22 EDT 2005


csnyder wrote:
> Even the random token method that Chris describes can be foiled if
> the attacker is scripting XMLHTTPRequests, because the script can
> request and then POST a valid form, without the user ever knowing it.

Yep, and this is exactly what happened.

This is primarily a CSRF attack, and it uses an XSS vulnerability as a 
platform. Apparently Myspace had CSRF protection, but because the XSS 
vulnerability allowed the attacker to inject some XMLHttpRequest stuff 
into people's profiles, that could be used to first request the form 
(victim's token included) and then send the CSRF attack along with the 
valid token. The clever part is that the CSRF payload exploited the XSS 
vulnerability again, proliferating itself through other people's profiles.

CSRF and XSS have been a deadly combination for years, and I'm hoping 
this recent incident helps raise awareness further.

The technical details are interesting, but the personal account is worth 
reading just for the laughs:

http://namb.la/popular/

"Oh wait, it's exponential, isn't it. Shit."

Chris

-- 
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
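As an added example (not code from the post, from Chris Shiflett, or from Myspace), here is a PHP profile-update handler that pairs a session CSRF token with output escaping, the layer whose absence lets same-origin script read the token and submit a valid form. Storing the profile text in the session and the helper names csrf_token, csrf_valid and h are assumptions made for the demonstration.

```php
<?php
// Added example: CSRF-token validation layered with output escaping.
// The token alone is no defence once user-supplied profile HTML reaches
// the page unescaped, because script running in the same origin can
// fetch the form, read the token, and POST it back.
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool
{
    // Constant-time comparison against the token stored in the session.
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Escape anything user-supplied before it is echoed into HTML. Without
// this, stored profile content becomes the XSS platform for the CSRF.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // Session storage stands in for a database in this example. The raw
    // text is kept; escaping is applied at output time, every time.
    $_SESSION['profile_about'] = (string) ($_POST['about'] ?? '');
}

$about = $_SESSION['profile_about'] ?? '';
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <textarea name="about"><?= h($about) ?></textarea>
  <button type="submit">Save</button>
</form>
<div class="about"><?= h($about) ?></div>
```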
