How do you protect against specific CSRF attack

Question

I am going trough the OWASP Top 10 list of 2007 and 2010.

I stumbled upon Cross Site Request Forgery (CSRF) this is often called session riding as you let the user usee his session to fulfill your wishes.

Now a solution to this is adding a token to every url and this token is checked for every link.

For example to vote on product x the url would be:

'http://mysite.com?token=HVBKJNKL'

This looks like a solid solution to because a hacker can not guess the token.

But I was thinking of the following scenario(I do not know if it is possible):

You create a website with an hidden iFrame or div. After that you can load my website in it either using just the normal iFrame or ajax.

When you have my website loaded hidden inside your website, and the user has a stored session, the following can be done. You can retrieve the token from the URLS, and still do all the actions needed.

Is it possible to do something like this. Or is it not possible to do this cross domain.

Answer 1

The attack that you are describing is a clear violation of the Same Origin Policy. , iframe's do not inherit privileges in this way. Many bypasses to the same origin policy have been discovered. The only way these issues get fixed is by people asking questions like this. I urge you to try and write code to bypass the issue, even if it fails. The worst case is you'll learn something important, the best case you'll find an issue, post it to bugtraq, and trow a party :). Oah and everyone will be safer for the bug fix.

XSS can be used to bypass the protection provided by the Same Origin Policy for a specific vulnerable site. An XSS vulnerability can be used to read the XSRF token using XmlHttpRequest. Here is an exploit that wrote that does this.

Answer 2

That scenario isn't really possibly because while they could frame to http://mysite.com, they would need the token to make it frame to http://mysite.com?token=HVBKJNKL. And if they have the token then you aren't safe anyways.