Cross-site authentication attack

from Wikipedia, the free encyclopedia

A cross-site authentication attack (XSA for short) is an attack on a web application that lets an attacker capture another user's password. It is a form of cross-site request forgery.

The attack is possible when a web forum, a blog or a similar system lets untrusted users embed images. The attacker embeds in a post an image that is hosted on a web server and protected there with HTTP authentication. When a user opens the post, their browser prompts them for a username and password, which the attacker's web server can then record.

The vulnerability does, however, require the user to be tricked into entering a username and password. The prompt does not appear as an HTML form, as is usual when logging into a (forum) website, but in a separate dialog, and so it stands out. On a website that normally does not ask for a password, the user is less likely to enter one at all, and even if they do, the attacker does not know which service the credentials belong to.

Cross-site authentication attacks are made easier by browsers that do not show clearly enough, in the password dialog, which website is requesting the password.

Protection

There are several ways to protect yourself against these types of attacks:

  • The service provider can ensure that no images or other content from external sources can be embedded in the website. This goes hand in hand with preventing cross-site scripting.
  • The browser vendor can issue clear warnings when an attack is suspected. Another option is to disallow authentication prompts altogether for elements embedded from external web servers.
  • An attentive user can notice that the website is behaving abnormally: if the password is normally requested in a form, a separate dialog suddenly appearing is suspicious.
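As an added illustration of the first measure (the service provider rejecting off-site image sources), here is a small Python filter that is not part of the Wikipedia article; the forum host name `forum.example` and the sample post are constructed assumptions. It goes slightly beyond the text by also catching URL spellings that browsers resolve off-site even though they look relative.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical host of the forum itself; only images from here are allowed.
FORUM_HOST = "forum.example"


def _normalise(src: str) -> str:
    # Browsers drop tab/newline inside URLs, treat "\" like "/" and collapse
    # any run of leading slashes, so "/\evil.example/a.png" and
    # "///evil.example/a.png" both resolve to //evil.example/a.png.
    src = "".join(ch for ch in src.strip() if ch not in "\t\r\n")
    src = src.replace("\\", "/")
    if src.startswith("//"):
        src = "//" + src.lstrip("/")
    return src


def is_allowed_image_src(src: str) -> bool:
    """True only if the image URL stays on the forum's own origin."""
    parts = urlsplit(_normalise(src))
    if parts.scheme not in ("", "http", "https"):
        return False                      # data:, ftp:, ... rejected by policy
    if parts.scheme and not parts.netloc:
        return False                      # "http:evil.example/a.png" is off-site in browsers
    if not parts.netloc:
        return True                       # relative path such as /uploads/cat.png
    # .hostname strips user:pass@ and :port, so
    # "https://forum.example@evil.example/a.png" yields evil.example
    return (parts.hostname or "").lower() == FORUM_HOST


class _ExternalImageFinder(HTMLParser):
    """Collects <img src> values that point off-site."""
    def __init__(self):
        super().__init__()
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value and not is_allowed_image_src(value):
                self.external.append(value)


def external_image_sources(post_html: str) -> list:
    """Return off-site image URLs found in a post; an empty list means it is clean."""
    finder = _ExternalImageFinder()
    finder.feed(post_html)
    return finder.external


if __name__ == "__main__":
    # Constructed sample post: two local images and one off-site image
    sample = ('<p>hello</p><img src="/uploads/ok.png">'
              '<img src="https://forum.example/a.png">'
              '<img src="//attacker.example/auth.png">')
    print(external_image_sources(sample))  # → ['//attacker.example/auth.png']
```

A post for which `external_image_sources` returns a non-empty list can be rejected or have the offending tags stripped before it is stored.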

Web links