CONJECTURE: An attacker could write a hybrid "html inspection, CSRF attack" mimicking an exact important form (like the funds transfer form for an exact bank) **even if the form in question uses form tokens**. Here are the components of this theoretical attack: 1) The attacker manually reads the HTML of the the form they are trying to mimic for the purpose of trying to discover the *form element name* of the hidden variable that contains the form token. 2) The attacker creates a 2-phase javascript program, similar to a HTTP Trace attack that does the following: a) The javascript makes a simple HTTP/S request to the form it is trying to mimic and inspects the returned HTML for the purpose of pulling out a valid form key since the form key NAME is known from (1). b) Use that form key value pair ripped from (a) as part of the actual CSRF attack. It would be a little complex to code, but would completely circumvent a form token defense if coding to attack an exact form of an exact bank. Defense against this theoretical attack is to make the form element name for the form token itself hard to guess. For example, do not use a hidden variable named "formtoken" : <some hard-2-guess #> use something like: <hardtoguesselementname> : <hardtoguessvalue> I'll try to come up with sample attack code and do additional research if anyone considers this theory to be plausible. -- Best Regards, Jim Manico GIAC GSEC Professional, Sun Certified Java Programmer jim@xxxxxxxxxx 808.652.3805
