Session Destroyer: Automatic Webapp Session Invalidation
It is midnight. You are browsing the web. Everything seems fine. Unbeknownst to you, a rogue advertisement carrying malicious code is displayed on a popular website and is attempting to abuse your banking session. What can you do?
This sort of trickery happens every day and most people don't know when they are being exploited. If you run Linux, Firefox, and some popular security addon tools, then you are probably protected from most of these attacks. However, there is always the possibility that you are not! So, it is better to err on the side of safety :-) Attacks against web users also spike during the holiday shopping season, when far more people are logged in to shops and banks. It is a sad, but true, fact.
First, let's explain a few terms to bring everyone up to speed: cookies, sessions, malware, and CSRF. A cookie is a small piece of data a website stores in your browser, which the browser sends back with every later request to that site; after you log in, it usually carries the identifier that proves who you are. A session is the state a website keeps about a logged-in user, usually keyed by a unique session identifier (SID) that travels in such a cookie. Malware is software, firmware, or hardware built to cause harm; in this context we will limit our focus to malicious web content. Cross-Site Request Forgery (CSRF) is an attack in which a page from one site makes your browser send a request to another site where you are already logged in, so the request arrives with your session cookie and is processed as if you had made it yourself. An illustration is given below.
In a CSRF attack, an evil website instructs the victim's web browser to contact, for instance, their bank. Suppose a normal GET request looked like this: https://www.mybank.com/secure/action/closemyaccount?authenticated=true. Perhaps the bank in question presents this as a link on their website so that, if a user really desires, they can close their account with one click. It sounds ridiculous, but you would be surprised how many CSRF targets exist on the web that are just as dangerous. Note that the authenticated=true parameter proves nothing, because the attacker can copy the whole URL; what makes the request succeed is the session cookie the browser attaches automatically. So such a forged request only works if the victim is logged in to the website.
Usually, people close their browser tabs and forget to log out of their bank website using the official "LOGOUT" button. Let's say you spend five minutes checking your account balance, close the tab, and then visit evilwebsite.com two minutes later. If evilwebsite.com embeds a CSRF attack against your bank using the GET request above, your bank account would be closed without your authorization. Most banks implement a short automatic session timeout so that this cannot happen too easily, so don't be too alarmed. However, most other websites are not as strict, especially if you ticked that "Remember Me" option before logging in :-)
So, how can we protect ourselves? Well, what if we turned the CSRF attack around and used it for good? I now present you with Session Destroyer. This is a concoction I coded up a few days ago when I got bored, to protect against CSRF, click-jacking and other attacks that ride on a session you forgot to end. Session Destroyer works by requesting the logout URLs of many Alexa Top 100 websites via IMG SRC HTML tags. When your web browser parses these tags, it issues a GET request to each URL, sending along whatever cookies it holds for that site, and attempts to display the response as an image. Since there is no image data at the URL, rendering merely fails, but by that time the webapp session has already been destroyed. Code is below.
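To make the difference concrete, here is an added example (not code from the original post) of the bank's hypothetical "close my account" endpoint: first as the forgeable GET described above, then hardened the way security-minded sites do it. The hardened version insists on a POST, refuses a foreign Origin header when the browser sends one, and requires a per-session nonce that only the bank's own pages contain, so a page on evilwebsite.com can never read it. SITE_ORIGIN, Request, Session and the handler functions are this example's own names; the Request objects stand in for what a web framework would hand a real handler.

```python
"""Added example (not from the original post): the bank's hypothetical
"close my account" endpoint, first as the forgeable GET the article
describes, then hardened with a per-session nonce and an Origin check.
All names here are assumptions; the Request objects stand in for what a
web framework would hand a real handler."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://www.mybank.com"  # hypothetical bank from the article


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)  # e.g. Cookie, Origin, Referer
    form: dict = field(default_factory=dict)     # POST body fields


@dataclass
class Session:
    sid: str
    user: str
    closed: bool = False
    # Nonce minted at login and embedded only in the bank's own pages,
    # where the same-origin policy keeps other sites from reading it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def session_from_cookie(req, sessions):
    """Look up the session named by the SID cookie. The browser attaches
    this cookie to every request for the bank's host, whether the page
    that triggered the request came from the bank or from evilwebsite.com."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SID" and value in sessions:
            return sessions[value]
    return None


def close_account_vulnerable(req, sessions):
    """The article's pattern: a GET whose only check is the session cookie.
    'authenticated=true' is part of the URL, so an attacker simply copies it."""
    sess = session_from_cookie(req, sessions)
    if sess is None:
        return 401, "login required"
    if parse_qs(urlsplit(req.url).query).get("authenticated") == ["true"]:
        sess.closed = True
        return 200, "account closed"
    return 400, "bad request"


def close_account_hardened(req, sessions):
    """Same action, refused unless it is a POST, comes from our own origin
    (when the browser sends Origin at all) and carries the session's nonce."""
    sess = session_from_cookie(req, sessions)
    if sess is None:
        return 401, "login required"
    if req.method != "POST":          # <img>, <a> and plain navigation are GETs
        return 405, "method not allowed"
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-site request refused"
    supplied = str(req.form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, sess.csrf_token.encode()):
        return 403, "missing or bad CSRF token"  # constant-time comparison
    sess.closed = True
    return 200, "account closed"


def forged_request(sid):
    """What <img src="https://www.mybank.com/secure/action/closemyaccount?authenticated=true">
    on evilwebsite.com makes the victim's browser send: a GET with the bank's
    cookie attached and, at most, the attacker's page as Referer."""
    return Request("GET", SITE_ORIGIN + "/secure/action/closemyaccount?authenticated=true",
                   headers={"Cookie": f"SID={sid}", "Referer": "http://evilwebsite.com/"})


def legitimate_request(sess):
    """The bank's own confirmation form: a POST carrying the nonce from the page."""
    return Request("POST", SITE_ORIGIN + "/secure/action/closemyaccount",
                   headers={"Cookie": f"SID={sess.sid}", "Origin": SITE_ORIGIN},
                   form={"csrf_token": sess.csrf_token})


if __name__ == "__main__":
    sessions = {}
    victim = Session(sid=secrets.token_hex(16), user="alice")
    sessions[victim.sid] = victim
    print(close_account_vulnerable(forged_request(victim.sid), sessions), victim.closed)
    victim.closed = False
    print(close_account_hardened(forged_request(victim.sid), sessions), victim.closed)
    print(close_account_hardened(legitimate_request(victim), sessions), victim.closed)
```

The forged request fails at three independent points in the hardened handler, but the nonce is the check that matters: an IMG tag or a link can never produce a POST carrying a secret the attacker's page cannot see. Facebook's h= parameter in the URL list further down is exactly such a token, which is why that entry only worked in the browser that produced it.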
gensd.pl:
#!/usr/bin/env perl
# gensd.pl: read one logout URL per line from urls.txt and write
# session.destroyer.html, a page whose <img> tags make the browser request
# every logout URL (with whatever cookies it holds for each site attached).
use warnings;
use strict;

open my $urls, '<', 'urls.txt' or die "urls.txt: $!";
open my $html, '>', 'session.destroyer.html' or die "session.destroyer.html: $!";

print {$html} "<html><head><title>Session Destroyer: Invalidate your webapp logins with ease!</title></head>"
    . "<body onload=\"location.reload(true)\" bgcolor=\"#000000\">"   # reloads forever, re-requesting every URL
    . "<font color=\"red\">Please wait while we invalidate your webapp sessions...</font>"
    . "<br/><br/><img src=\"http://img.photobucket.com/albums/v210/undeniablynikki/Gifs/rickroll.gif\">";

while (my $url = <$urls>) {
    chomp $url;
    next if $url =~ /^\s*(#|$)/;     # skip blank lines and comments
    $url =~ s/&/&amp;/g;             # '&' must be escaped inside an attribute value
    # alt=' ' hides the broken-image icon; the request itself is all we want
    print {$html} "<img alt=' ' src=\"$url\">";
}

print {$html} "<br/><br/><font color=\"blue\">Email <a href=\"mailto:kristian.hermansen\@gmail.com\">"
    . "Kristian Erik Hermansen</a> with suggestions/updates</font></body></html>";

close $html or die $!;
close $urls or die $!;
In the gensd.pl script above, we merely read an input file named urls.txt and use it to create an output HTML file named session.destroyer.html. We use the IMG ALT attribute to hide the broken-image icon in some browsers so that the rendering doesn't look so ugly, and we include a dancing Rick Astley for fun :-) You can append your own URLs to the file below. You may notice that some sites are security-minded and include a nonce, or one-time security token, in their logout URL in order to complete the request; Facebook's h= parameter below is one example. Your mileage may vary with those, because the token is tied to your own session and you would need to know its value a priori; the value in the list is whatever one browser saw at the time and will not match yours.
urls.txt:
https://mail.google.com/mail/?logout
http://mail.google.com/mail/?logout
https://login.yahoo.com/config/login?logout=1
http://login.yahoo.com/config/login?logout=1
http://www.youtube.com/index?action_logout=1
http://login.live.com/logout.srf
http://www.facebook.com/logout.php?h=23053dfed30ca2c9abebd6a963406b5c
http://www.myspace.com/index.cfm?fuseaction=signout
http://en.wikipedia.org/w/index.php?title=Special:UserLogout
http://www.blogger.com/logout.g
http://passport.baidu.com/?logout
http://www.google.com/accounts/Logout
http://www.amazon.com/gp/flex/sign-out.html
http://rapidshare.com/cgi-bin/premium.cgi?logout=1
http://www.hi5.com/friend/logoff.do?timestamp=-3381677065230617903&js=ac...
http://signin.ebay.com/ws/eBayISAPI.dll?SignOutConfirm
http://files.mail.ru/cgi-bin/logout
http://id.fc2.com/logout.php
http://wordpress.com/wp-login.php?action=logout
https://my.screenname.aol.com/_cqr/logout/mcLogout.psp
http://passport.yandex.ru/passport?mode=logout
http://www.flickr.com/logout.gne?magic_cookie=10745f35ab5fcf44d248f9af28...
http://photobucket.com/logout
http://www.orkut.com.br/GLogin.aspx?cmd=logout
https://accounts.craigslist.org/login/logout
http://www.skyrock.com/m/account/logout.php
http://www.friendster.com/logout.php
http://dev.naver.com/account/logout.php
http://my.imageshack.us/registration/logout.php
http://www.dailymotion.com/logout
http://login.rediff.com/bn/logout.cgi
http://r.espn.go.com/espn/logout
http://www.tagged.com/logout.html
http://www.livejournal.com/logout.bml
http://www.mininova.org/logout
http://membership.about.com/memreg?action=logoff
http://account.fotolog.com/logout
http://www.nytimes.com/logout
https://login.comcast.net/logout
https://secure.gamespot.com/rps/misc/log_out.php
http://thepiratebay.org/logout
http://www.imeem.com/logout/
https://addons.mozilla.org/en-US/firefox/users/logout
https://onlineeast3.bankofamerica.com/cgi-bin/ias/A/3/GotoLogout
https://www.linkedin.com/secure/login?session_full_logout
http://pages.google.com/logout
http://friendfeed.com/account/logout
https://www.google.com/calendar/logout
http://www.grandcentral.com/account/signout/
http://www.linuxjournal.com/logout
One cool idea might be to create a bookmark to the final HTML file and to visit it each time you want to kill all your web sessions: every so often while browsing, or perhaps every time you close or open your web browser. If you want to play a prank, include this page in your blog postings via an IFRAME tag, and then all your visitors will be logged out of GMail, Yahoo, etc. Makes a great April Fool's joke, perhaps. That the prank works at all shows that every logout URL in the list is itself a CSRF target, just a low-impact one.
You can view a live demonstration of this at my website below:
!!!WARNING!!! -- CLICKING THIS LINK MAY RESULT IN LOSS OF WEB APPLICATION DATA OR ANY EMAILS YOU HAVE IN PROGRESS
http://kristian.hermansen.googlepages.com/session.destroyer.html
Mozilla Firefox does not protect you against this attack by default. Google Chrome is sometimes said to, because it runs each tab in its own sandboxed process, but that is a misunderstanding: the sandbox isolates renderer processes from the operating system and from each other, while the cookie jar is shared by every tab, so an IMG request triggered from one tab still carries your session cookie for the target site. No mainstream browser refuses such requests on its own; the protection has to come from the site (a per-session token on every state-changing request, logout included) or from an add-on, so until then you might also try the CSRF Protector addon from Princeton. Browsers have since added the SameSite cookie attribute, which lets a site ask that its cookies be withheld from cross-site requests like these.
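Why a per-tab sandbox does not help, as an added example (not code from the original post): a small model of the rule a browser applies when deciding whether a stored cookie rides along on a request. With no SameSite attribute, the only behaviour that existed when this was written, the cookie goes to its site on every request, whoever triggered it; the later SameSite attribute is what lets a site opt out. The Cookie class and cookie_attached function are this example's own, and the model deliberately ignores path, expiry and host-only rules to keep the point visible.

```python
"""Added example (not from the original post): the rule a browser applies
when deciding whether a stored cookie rides along on a request. Names and
the simplified model (no path, expiry or host-only handling) are this
example's own."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str                # registrable domain that set it, e.g. "mybank.com"
    secure: bool = False     # Secure attribute: only sent over https
    samesite: str = "None"   # "None" is the pre-SameSite behaviour; "Lax"/"Strict" came later


def cookie_attached(cookie, initiator_site, target_site, target_https=True,
                    top_level_nav=False, method="GET"):
    """Would the browser send `cookie` with a request to `target_site` that
    a page on `initiator_site` caused?  Tab and process boundaries play no
    part: the cookie jar is shared by every tab, so only these attributes
    and the relationship between the two sites matter."""
    if cookie.site != target_site:
        return False                       # cookies never cross sites
    if cookie.secure and not target_https:
        return False
    if initiator_site == target_site:
        return True                        # the site's own pages always get it
    if cookie.samesite == "Strict":
        return False                       # never on cross-site requests
    if cookie.samesite == "Lax":
        # Only when the user navigates there (a link click), never for
        # subresources such as <img>, and only with a safe method.
        return top_level_nav and method in ("GET", "HEAD")
    return True                            # "None": classic behaviour, always sent


def img_from_evil_site(cookie):
    """The request an <img src="https://mybank.com/..."> on evilwebsite.com
    makes: cross-site, a subresource, not a navigation."""
    return cookie_attached(cookie, "evilwebsite.com", "mybank.com",
                           target_https=True, top_level_nav=False)


if __name__ == "__main__":
    for c in (Cookie("SID", "mybank.com"),
              Cookie("SID", "mybank.com", secure=True, samesite="Lax"),
              Cookie("SID", "mybank.com", secure=True, samesite="Strict")):
        print(c.samesite, "->", "sent" if img_from_evil_site(c) else "withheld")
```

Run stand-alone it prints that only the cookie without SameSite accompanies the IMG request, which is the case Session Destroyer (and every CSRF attack) depends on. Chrome has since started treating cookies that lack the attribute as Lax, so a site whose logout still works from this page today has explicitly opted its cookie back in with SameSite=None.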
Happy holidays and be safe!
Kristian Erik Hermansen is a Linux Journal Reader Advisory Panelist.