I've just started reading up on CSRF attacks, and I'm curious about how checking the HTTP Origin header actually works. I know that there are some issues about it not working on older browsers, but for the sake of simplicity assume that isn't the case here.
According to this, we basically check if the "source origin" is the same as the "target origin".
So if I'm a Chase.com server, I'll say that my "target origin" will always be
http/Chase/port
(based on this definition of HTTP Origin Header).
So suppose I open an email with an image tag in it that points to the uri:
http://ift.tt/2dWzvJZ
From this uri, the "source origin" is derived:
http/?/port
I put the question mark because I'm assuming the host is going to somehow be different. But if my image tag directly specifies 'Chase.com', how would it be anything other than 'Chase'? Wouldn't that be the equivalent of just typing
http://ift.tt/2dWzvJZ
into the browser and hitting enter? BTW, what would happen if you did do that while checking HTTP Origin Headers -- would the transaction still go through?
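The check the question describes, written out as an added example (this is not code from the original post, and not any bank's real implementation). The server reduces each URL to the scheme/host/port triple used above, takes the source origin from the request's Origin header (falling back to Referer when Origin is absent, which is how older browsers are usually handled), and compares it with the target origin the server knows for itself. The host names `bank.example` and `webmail.example` and the header sets on each request are assumptions constructed for the example; the three requests stand for an image or form on a webmail page, a request from the bank's own page, and a URL typed into the address bar, which carries neither header.

```javascript
// Added example, not part of the original question. Requests are constructed
// by hand to simulate what different browsers would send; bank.example and
// webmail.example are placeholder hosts.

// Reduce a URL to its origin in the scheme/host/port notation used in the question.
// Default ports are made explicit so "https://bank.example" and
// "https://bank.example:443" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(":", "");
  const port = u.port || (scheme === "https" ? "443" : "80");
  return `${scheme}/${u.hostname.toLowerCase()}/${port}`;
}

// Derive the source origin of an incoming request the way a CSRF filter does:
// prefer Origin, fall back to Referer, and report null when neither is usable.
// The literal value "null" is what browsers send for opaque origins, so it is
// treated as absent rather than as a host named "null".
function sourceOriginOf(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  if (h.origin && h.origin !== "null") return originOf(h.origin);
  if (h.referer) return originOf(h.referer);
  return null;
}

// Decide whether a state-changing request may proceed. Safe methods are let
// through because the check is meant to protect state changes, not reads.
function csrfCheck(req, targetOrigin) {
  const safeMethods = new Set(["GET", "HEAD", "OPTIONS"]);
  if (safeMethods.has(req.method.toUpperCase())) {
    return { allowed: true, reason: "safe method, no state change to protect" };
  }
  const src = sourceOriginOf(req.headers);
  if (src === null) {
    return { allowed: false, reason: "neither Origin nor Referer present" };
  }
  if (src !== targetOrigin) {
    return { allowed: false, reason: `source origin ${src} != target origin ${targetOrigin}` };
  }
  return { allowed: true, reason: "source origin matches target origin" };
}

// Constructed sample requests. The server's own target origin is fixed at deploy time.
const TARGET_ORIGIN = originOf("https://bank.example");

const sampleRequests = {
  // A form or script on a webmail page submitting to the bank: the browser
  // fills Origin from the page that issued the request, not from the bank URL.
  fromWebmailPage: {
    method: "POST",
    headers: { Origin: "https://webmail.example", Referer: "https://webmail.example/inbox" },
  },
  // A request from the bank's own page.
  fromBankPage: {
    method: "POST",
    headers: { Origin: "https://bank.example", Referer: "https://bank.example/transfer" },
  },
  // An older browser that sends Referer but no Origin.
  oldBrowserBankPage: {
    method: "POST",
    headers: { Referer: "https://bank.example/transfer" },
  },
  // A URL typed into the address bar: a GET with no Origin and no Referer.
  typedIntoAddressBar: {
    method: "GET",
    headers: {},
  },
  // A POST that arrives with neither header (e.g. a non-browser client).
  postWithoutHeaders: {
    method: "POST",
    headers: {},
  },
};

// Run every sample through the check and return the decisions keyed by name.
function runSamples() {
  const results = {};
  for (const [name, req] of Object.entries(sampleRequests)) {
    results[name] = csrfCheck(req, TARGET_ORIGIN);
  }
  return results;
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(`${name}: ${result.allowed ? "ALLOW" : "DENY"} (${result.reason})`);
}
```

The point the sample requests make is that the source origin comes from the document that initiated the request, so an image or form embedded in a webmail page is reported as the webmail origin even though the request's URL names the bank. A typed URL carries no Origin at all; a strict filter that refuses headerless requests would reject it if it were a POST, while a GET is passed through because the filter only guards state changes.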