Guess what happens if you add an image like the one below to your HTML page:

<img src="http://mail.google.com/mail/?logout&hl=en" />

It does not appear on the page, but your Google account in another window or tab gets logged off. So an external website can log you out of your Gmail or Orkut.

If you coded your website to delete a photo or object through a URL like www.domainname.com/photos/delete?id=221, you may think that, since you check user authentication on the server side, no one else can delete your file. But what if you are logged in in one tab, and in a second tab you load another website (of a hacker or attacker)? He can place lots of hidden images with src = www.domainname.com/photos/delete?id=22 (he can try ids from 0 to 1000 or 10,000, and any one of them may be your object).

Here the authentication check passes, because the cookies and session are already set in the other tab, so the request affects (updates or deletes) your content.

Those who think "I use the POST method, so it is safe": sorry, you are wrong. JavaScript can also simulate a POST, and by using this an external website can submit your form (for example, it can run a form submission that changes the email address you registered with, and later reset the password to hijack your account).

It won't happen if you use a CAPTCHA. But it is very hard to put a CAPTCHA on every form. You can defeat this attack by adding an extra parameter (a randomly generated string) to the GET URL or to the POST form submission.

For example, look at the URL used to delete a mail in Gmail:

http://mail.google.com/mail/?ui=2&ik=42e598c952&at=xn3j2ufyx273muje67ot1fsxsnbmnl&view=up&act=tr&rt=j&search=inbox

There is an extra random string alongside the useful information in the parameters. So an external application cannot predict the exact URL that deletes a particular mail, and an img with src=url fails here.

The same thing is needed for the POST method. Add a hidden field containing the random string, and check the string on the server before updating the database.
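As an added example (this is not code from the post), here is the token check in Python for both cases described above: a random per-session token is issued, added to the GET delete link and to a hidden form field, and compared on the server before anything is deleted. The function names, the parameter name csrf_token, the session dict and the photo store are all assumptions made for this illustration.

```python
import hmac
import html
import secrets
from urllib.parse import urlencode

# Name of the session slot and of the request parameter carrying the token.
# Both names are assumptions for this example, not from the original post.
CSRF_KEY = "csrf_token"


def issue_token(session):
    """Create a random per-session token once and keep reusing it.

    secrets.token_urlsafe(32) gives 256 random bits, so an attacker's page
    cannot guess it the way it can guess a photo id from 0 to 10,000.
    """
    token = session.get(CSRF_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[CSRF_KEY] = token
    return token


def delete_url(session, photo_id):
    """GET-style delete link with the token added as an extra parameter."""
    return "/photos/delete?" + urlencode({"id": photo_id, CSRF_KEY: issue_token(session)})


def hidden_field(session):
    """Hidden input to place inside every state-changing POST form."""
    return '<input type="hidden" name="%s" value="%s" />' % (
        CSRF_KEY, html.escape(issue_token(session)))


def verify_token(session, submitted):
    """Compare the submitted token with the one stored in the session.

    hmac.compare_digest runs in constant time, so the comparison does not
    leak how many leading characters of the token were correct.
    """
    expected = session.get(CSRF_KEY)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_delete(session, params, photos):
    """Simulated server-side handler for /photos/delete (constructed for this example).

    session: the logged-in user's server-side session
    params:  the request parameters, from a GET query or a POST body
    photos:  the user's photo store, a dict of id -> filename
    Returns an (HTTP status, message) pair.
    """
    if not session.get("user_id"):
        return 401, "not logged in"
    # The login check above passes for a forged request too, because the
    # browser attaches the session cookie automatically.  The token check is
    # what actually stops the cross-site request.
    if not verify_token(session, params.get(CSRF_KEY)):
        return 403, "missing or invalid CSRF token"
    photo_id = params.get("id")
    if photo_id not in photos:
        return 404, "no such photo"
    del photos[photo_id]
    return 200, "deleted"


def demo():
    """Replay the scenario from the post: one logged-in session, three requests."""
    session = {"user_id": 42}            # constructed: the user is logged in
    photos = {"221": "holiday.jpg"}      # constructed sample data

    # 1. Forged request, as an attacker's hidden <img src=...?id=221> would send:
    #    the cookie rides along, but there is no token.
    forged = handle_delete(session, {"id": "221"}, photos)

    # 2. Forged request with a guessed token: the attacker's page cannot read
    #    the victim's session, so whatever value it picks is wrong.
    guessed = handle_delete(session, {"id": "221", CSRF_KEY: "aaaa"}, photos)

    # 3. Legitimate request built from the site's own delete link.
    query = delete_url(session, "221").split("?", 1)[1]
    params = dict(pair.split("=", 1) for pair in query.split("&"))
    legit = handle_delete(session, params, photos)

    return forged, guessed, legit, photos
```

The token must be generated from a cryptographic random source and tied to the session; a value an attacker can predict (a counter, a timestamp) would be no better than the photo id itself.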

This problem is called CSRF (Cross-Site Request Forgery).

Thanks
Sajith


· · · ◊ ◊ ◊ · · ·

Cross Browser Cookies

04 Apr 2008

A normal HTML / web developer must be familiar with cookies and sessions. Normally, a cookie set by one browser cannot be accessed through another browser. Each browser has its own space to store cookie values. That is why, when you log in to your email account from one browser and then go to another browser, none of your preferences are available. This is the case for normal cookies.

HTTP cookies, or more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses that server. HTTP cookies are used for authenticating, tracking, and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. The term “cookie” is derived from “magic cookie,” a well-known concept in UNIX computing which inspired both the idea and the name of HTTP cookies – Wikipedia

But what do you do if you want to set a cookie that can be accessed from different browsers, i.e. Mozilla, Safari, Opera and Internet Explorer all sharing the same cookie?

Come back to the case of Shockwave (swf) or Flash files. They also have the privilege to set cookies in the browser. Like HTML, Flash has all these features on the client side. Consider the cookie-setting mechanism of a Flash file: it is not in different places for different browsers. It is in a common file on your computer, no matter which browser you use.

Also consider that JavaScript can access a Flash object via normal JavaScript functions, if the swf provides a provision for that. Rethinking the whole thing, then: if you set a cookie through Flash, you can access it from any browser.

Cross browser cookies

See this post: http://www.nuff-respec.com/technology/cross-browser-cookies-with-flash

In this post Mr. Daniel Bulli explains it in detail. He is the big man here.

Also see this link: http://www.ts0.com/crosscookie/example.html

It is a live example of a cross-browser cookie. Both sites provide the source code of their implementation.

I also uploaded the source code as a backup. Download it from here: OpenID Integration PHP

