
An excellent demonstration of Cross-Site Request Forgery

A few weeks ago one of the people I follow on GitHub starred the superlogout repository.

Intrigued by the name, I went to check it out and found a simple site that logs you out of a bunch of services. For those that want to try it, it's available at superlogout.github.io. The way it works is pretty straightforward: it uses JavaScript to GET a bunch of URLs that are the logout pages for services (or, in the case of YouTube, DeviantART and LiveJournal, it's a POST).

This is an excellent demonstration of how Cross-Site Request Forgery works. In this case it's made clear that they are logging you out of the service, but they don't have to show you. I could embed the same JavaScript in my site but not show anything; people would just be mysteriously logged out of their GMail after reading my blog. Further, I could use that along with my analytics to record which services visitors were logged into when they visited.

Logging someone out is not that dangerous, but it's easy to see what could be done without CSRF protection. If they could post to any page on those sites with JavaScript, they could buy things on Amazon, bid on auctions on eBay, send emails with GMail and so on.

It's not entirely clear to me whether this is a parody site showing the power of CSRF or if it's genuinely meant to be a service, but my feeling is that it's meant to poke fun at the insecurities and demonstrate that CSRF protection is needed on all pages, including logout pages, and not just on pages where you can post data.
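To make that last point concrete, here is an added example (not code from the original post or from the superlogout project): a framework-free logout handler in the shape superlogout relies on, beside a hardened one that only accepts a same-origin POST carrying the session's CSRF token. `SITE_ORIGIN`, the `Session` and `Request` classes and the header/form field names are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://example.com"  # assumed origin of the site being protected

@dataclass
class Session:
    user: Optional[str] = "alice"
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

def logout_unprotected(req: Request, session: Session):
    """The pattern superlogout relies on: any GET ends the session, and the
    browser attaches the victim's cookies no matter which site issued it."""
    session.user = None
    return 200, "logged out"

def _source_origin(headers: dict) -> Optional[str]:
    """Origin of the page that issued the request (Origin, else Referer)."""
    if headers.get("Origin"):
        return headers["Origin"].rstrip("/")
    if headers.get("Referer"):
        p = urlsplit(headers["Referer"])
        return f"{p.scheme}://{p.netloc}"
    return None  # neither header present: the caller fails closed

def logout_protected(req: Request, session: Session):
    """Gate the state change three ways: POST only, the request must come
    from our own origin (exact match, so look-alike hosts fail), and the form
    must carry the per-session token (synchronizer token pattern), compared
    in constant time."""
    if req.method != "POST":
        return 405, "logout requires POST"
    if _source_origin(req.headers) != SITE_ORIGIN:
        return 403, "cross-site request rejected"
    supplied = req.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    session.user = None
    return 200, "logged out"
```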

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.