Watch Out For Suspicious Links
As part of our recent research on CSRF attacks, Russ McRee found a vulnerability in the Linksys WRT160N router. Sadly, this wasn't a huge shock to us, but what was surprising was the response from Linksys:
We can't reasonably prevent CSRFs without bogging down our code. The compromise we had made here is to have a timeout on the web interface, so users are logged out after 10 mins of inactivity. We have also advised users to not click on suspicious links while logged in to the web interface, or close the web interface as soon as they are finished configuring the router.
As ridiculous as the entire response is, I'd like to focus on the "Don't click suspicious links" bit. Most users will click on any link you throw at them, particularly from link-heavy social sites such as Twitter. In fact, if you clicked through to this page from my Twitter post, the page you're currently on should be at "http://skeptikal.org/a_very_suspicious_link."
Why did you click it?
Because you trust me. And you trust Twitter. And you trust my hosting company. And your DNS servers. And my DNS servers. And TinyURL.
I could rant on this topic for a while, but I know I'd be preaching to the choir. Don't trust any links, anywhere. Especially don't trust the ones from TinyURL, bit.ly, or any other URL shortening service. You have no way of knowing whether a site is malicious or not until you load it into your browser. Even then, it's doubtful that you'd ever notice. You're probably not a normal user, but most people wouldn't ever recognize real malware for what it is, especially if it's properly obfuscated.
In theory, never clicking a malicious link is an impossible goal. In practice, though, many malicious links are fairly easy to recognize if you just look at the URL. This is why sites like TinyURL allow you to preview links before being redirected to them. Earlier today, @OWASP_podcast sent out the following tweet:
http://tinyurl.com/preview.php?enable=1 will force all TinyURLs to appear in preview mode on your machine.
It's a good idea, but this is clearly a URL that changes a user preference based on GET parameters, with nothing tying the request to an action the user actually took: any page you visit can ask your browser to fetch that URL, and the browser will send it along with your TinyURL cookie. I couldn't help noticing that the same preference could be disabled with a bit of CSRF:

<img src="http://tinyurl.com/preview.php?disable=1">

I'd call this a failure on TinyURL's part, but even if you did preview the URL, there's no guarantee the seemingly innocent link won't have malicious content, redirects, cross-site scripting, HTML injection holes, poorly configured DNS, poorly coded Flash files, content ownership problems, compromised FTP accounts or other issues.
Just keep that in mind: previewing a link is a convenience, not a security feature.
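To make the preview.php problem concrete, here is an added example (my own model, not TinyURL's code) of a preference endpoint in its GET-driven form next to a hardened form, with the <img> tag attack from above simulated against both. The endpoint path, the session layout, the header names, the attacker host evil.example and the request shape are all assumptions chosen to mirror the tweet and the image tag; the point it demonstrates is general: a request that writes state on a bare GET can be fired by any page the victim visits, and the fix is to require a POST that carries a per-session token the attacker's page cannot read, plus an exact-match check on the request's origin.

```python
"""Why a GET that writes state is CSRF-able, and what the hardened form looks like.

Added example, not TinyURL's code. The endpoint path (preview.php), the session
layout, the header names and the attacker host are assumptions made to model the
tweet and the <img> tag quoted in the post.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "http://tinyurl.com"        # assumed origin that serves preview.php
ATTACKER_PAGE = "http://evil.example/"    # constructed attacker page


@dataclass
class Session:
    """Server-side state that the browser's session cookie resolves to."""
    preview_enabled: bool = False
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """The parts of an HTTP request the two handlers below look at."""
    method: str
    url: str
    session: Session                 # looked up from the cookie the browser attached
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def vulnerable_preview(req: Request) -> int:
    """Flip the preference on any request that carries the cookie (what the tweet implies)."""
    qs = parse_qs(urlsplit(req.url).query)
    if "enable" in qs:
        req.session.preview_enabled = True
    elif "disable" in qs:
        req.session.preview_enabled = False
    return 200


def same_origin(value: str) -> bool:
    """Compare scheme and host exactly; a prefix check would accept tinyurl.com.evil.example."""
    want = urlsplit(SITE_ORIGIN)
    got = urlsplit(value)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def hardened_preview(req: Request) -> int:
    """Write state only on a same-origin POST that carries the session's CSRF token."""
    if req.method != "POST":
        return 405                            # a GET (and so an <img src>) can never write
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return 403                            # the request was started by another site
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return 403                            # the attacker's page cannot read this value
    req.session.preview_enabled = req.form.get("preview") == "1"
    return 200


def img_tag_csrf(handler, victim: Session) -> bool:
    """Simulate <img src="http://tinyurl.com/preview.php?disable=1"> on the attacker's page.

    The browser sends a GET with the victim's cookie and the attacker's page as
    Referer; it cannot add a body or the token. Returns True if the preference flipped.
    """
    victim.preview_enabled = True
    req = Request("GET", SITE_ORIGIN + "/preview.php?disable=1", victim,
                  headers={"Referer": ATTACKER_PAGE})
    handler(req)
    return not victim.preview_enabled


def forged_form_csrf(handler, victim: Session) -> bool:
    """Same attack via an auto-submitted cross-site form: a POST, but no token and a foreign Origin."""
    victim.preview_enabled = True
    req = Request("POST", SITE_ORIGIN + "/preview.php?disable=1", victim,
                  headers={"Origin": "http://evil.example"},
                  form={"preview": "0"})
    handler(req)
    return not victim.preview_enabled


def legitimate_toggle(handler, sess: Session, enable: bool) -> int:
    """The site's own settings form: same-origin POST with the token rendered into the page."""
    req = Request("POST", SITE_ORIGIN + "/preview.php", sess,
                  headers={"Origin": SITE_ORIGIN},
                  form={"preview": "1" if enable else "0",
                        "csrf_token": sess.csrf_token})
    return handler(req)


if __name__ == "__main__":
    print("img tag vs vulnerable  :", img_tag_csrf(vulnerable_preview, Session()))
    print("img tag vs hardened    :", img_tag_csrf(hardened_preview, Session()))
    print("forged form vs hardened:", forged_form_csrf(hardened_preview, Session()))
```

Two design points worth noting. The origin check compares scheme and host exactly rather than with a string prefix, because `http://tinyurl.com.evil.example` starts with `http://tinyurl.com`. And the token is compared with `hmac.compare_digest` so the check does not leak the token byte by byte through timing; the token itself is per session and never appears in a URL, which is what keeps it out of reach of a page on another origin.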
Labels: CSRF, URL Shortening


8 Comments:
Good point. I read a lot of security blogs and never hesitate to click the link. URL shortening service... different story, those I try to stay away from. Nice article which hits the target well.
By
cconniejean, At
June 15, 2009 12:47 PM
News Flash: Cross Site Scripting (XSS) is no longer an issue, Just don't click on suspicious links.
By
Declare.James, At
June 15, 2009 2:36 PM
wait.. what? XSS in what exactly is no longer an issue? Did your genie come 'round and *POOF* all web apps were protected against XSS? hrm?
By
Rob Fuller (mubix), At
June 16, 2009 11:32 AM
Or use a secured URL shortener such as Safe.mn (http://safe.mn/) that tests each link extensively for security risks.
By
Julien Sobrier, At
June 16, 2009 12:55 PM
You mean this one? http://safe.mn/?url=%22%3E%3Cscript%3Ealert(1337)%3C/script%3E
By
mckt, At
June 16, 2009 1:06 PM
Thou shall not take the name of http://www.twitter.com/OWASP_podcast in vain?
By
Jim Manico, At
June 17, 2009 10:57 PM
Just wanted to say I love your blog. You don't hold back any punches when you point out that TinyURL's preview feature can be disabled with CSRF or that Safe.mn is vulnerable to XSS.
Please keep this sort of stuff coming, I think it is the only way to make progress and raise awareness of the current state of security.
By
nickhacks, At
June 19, 2009 10:21 AM
@mckt good catch, fixed
By
Julien Sobrier, At
June 25, 2009 10:08 PM