
Let us take the example of my already being logged in to, say, LinkedIn. When I access LinkedIn in a new tab, it automatically logs me in (using cookie info). Now, suppose I visit a forum and, through an image that is loaded, a CSRF attack is run against my credentials. To prevent my cookie-stored credentials from being used for an attack, LinkedIn would use a token and/or nonce, would check that the token is expired (or the nonce is already used) and prevent the attack from happening.

What confuses me is that, as far as LinkedIn goes, both my logging in through a new tab and the CSRF attack are initiated from my (trusted) browser. But LinkedIn automatically logs me in regardless. How would LinkedIn then differentiate opening a new tab from a CSRF attack? Or should LinkedIn have enforced a stricter timeout and have me log in if I try to log in from a new tab?

katrix
  • What you describe isn't a typical CSRF attack; once you control the user's browser, there is no protection from session hijacking... – Jingo Mar 05 '14 at 19:52
  • I thought CSRF always took control of your browser - in the sense that malicious code (like JavaScript) is run on behalf of the user from the browser, without the user knowing or having control. Am I wrong? – katrix Mar 05 '14 at 21:52

1 Answer

When you open a new tab and access LinkedIn, the cookie which contains the session is automatically transmitted to LinkedIn. LinkedIn checks the session and, if it is valid, you are logged in.

A CSRF token is usually only required for modifying requests, e.g. if you update some of your account settings or something like that. When the page with the form is transmitted to your browser, LinkedIn adds a hidden field with the CSRF token into the form. If you submit the form, the session cookie and the CSRF token are sent to LinkedIn. LinkedIn checks the session and, if it is valid, it checks the CSRF token. If the token is missing, the request should be omitted.

DanielE
  • Thanks for the info!! This is true if the valid user had recently made a profile update and the attacker is trying to reuse the tokens. If the attacker has a new update request sent to LinkedIn, LinkedIn responds with the form and the token, and the attacker now sends the update request with the token. LinkedIn thinks this is a valid request and updates. Is the attack not successful then? – katrix Mar 05 '14 at 21:49
  • No, have a read of [OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)). The attacker cannot ever get the token, all they control is the "evil" website and that cannot read anything outside of their own domain due to the [Same Origin Policy](http://en.wikipedia.org/wiki/Same-origin_policy). – SilverlightFox Mar 06 '14 at 08:59
  • Had a look at the Same Origin Policy; that explains a lot. Thanks so much! – katrix Mar 06 '14 at 11:34
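The two-step check the answer describes (session cookie first, then CSRF token on modifying requests only), as an added Python example that is not part of the original post. The in-memory session store, the `/settings` route and the request shapes are constructed stand-ins for the LinkedIn scenario, not real LinkedIn behaviour.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session and a per-session CSRF token; return the cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_settings_form(cookies):
    """GET of the settings page: the session cookie alone is enough, since nothing changes.
    Returns the hidden field the server embeds in the HTML form (None if not logged in)."""
    session = SESSIONS.get(cookies.get("sid"))
    return None if session is None else {"csrf_token": session["csrf"]}


def handle_request(method, cookies, form):
    """Server-side dispatch: check the session, then the CSRF token on modifying requests."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 401, "login required"
    if method == "GET":
        return 200, f"settings for {session['user']}"
    # Modifying request: token must be present and equal to the one tied to this session.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session["csrf"]):
        return 403, "CSRF token missing or invalid"
    session["value"] = form.get("value")
    return 200, "updated"


def simulate():
    """Replay the three cases from the thread; returns their status codes."""
    cookie = {"sid": login("katrix")}  # the browser attaches this to every request to the site
    # 1. Opening the site in a new tab: a GET carrying only the cookie.
    new_tab = handle_request("GET", cookie, {})
    # 2. Legitimate update: the browser loaded the form (same origin), so it has the token.
    form = render_settings_form(cookie)
    legit = handle_request("POST", cookie, {"csrf_token": form["csrf_token"], "value": "new"})
    # 3. Request forged from another site: the cookie is sent automatically, but the
    #    other site cannot read the form (Same Origin Policy), so no token is present.
    forged = handle_request("POST", cookie, {"value": "evil"})
    return new_tab[0], legit[0], forged[0]
```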