Session Destroyer: Automatic Webapp Session Invalidation

It is midnight. You are browsing the web. Everything seems fine. Unbeknownst to you, a rogue advertisement composed of malware is displayed on a popular website and is attempting to steal your banking credentials. What can you do?

This sort of trickery happens every day and most people don't know when they are being exploited. If you run Linux, Firefox, and some popular security addon tools, then you are probably protected from most of these attacks. However, there is always the possibility that you are not! So, it is better to err on the side of safety :-) Did you know that most web attacks against users occur during the holiday shopping season? It is a sad, but true, fact.

First, let's explain a few terms to bring everyone up to speed: cookies, sessions, malware, and CSRF. Cookies are used to authenticate a user to a website. Cookies usually store information that identifies the user or their account. Sessions are active states maintained between a user and a website, usually uniquely identified by a session identifier or SID. Malware is any type of computerized software, hardware, or firmware that causes harm. In this context, we will limit our focus to malicious web programming. Cross-Site Request Forgery is a malware technique that can be utilized to exploit an authenticated web session. An illustration is given below.

Now, CSRF is utilized by an evil website to instruct a victim's web browser to contact, for instance, their bank. What if a normal GET request looked like this Perhaps the bank in question presents this as a link on their website so that, if a user really desires, they can close their account with one click. It sounds ridiculous, but you would be surprised how many CSRF examples exist on the web that are just as dangerous. Now, such a malicious request would only work if the victim was logged into the website.

Usually, people close their browser tabs and forget to log out of their bank website using the official "LOGOUT" button. Well, let's say you spend five minutes checking your account balance, close the tab, and then visit two minutes later. If implements a CSRF attack against your bank with the GET request above, your bank account would be closed without your authorization. Most banks implement an automatic session timeout so that this cannot happen too easily, so don't be too alarmed. However, most other websites are not as strict, especially if you click that "Remember Me" option before logging in :-)

So, how can we protect ourselves? Well, what if we turned the CSRF attack around and used it for good? I now present you with Session Destroyer. This is a concoction I coded up a few days ago when I got bored, to protect against things like click-jacking and other types of malicious web attacks. Session Destroyer works by requesting the logout URLs of many Alexa Top 100 websites via IMG SRC HTML tags. When your web browser parses these tags, it initiates a GET request to each URL and attempts to display the image. Since there is no image data at the URL, the load merely fails, but by that time the webapp session has already been destroyed. Code is below.

#!/usr/bin/env perl

use warnings;
use strict;

# urls.txt holds one logout URL per line; session.destroyer.html is the generated page.
open URLS, "<", "urls.txt" or die $!;
open HTML, ">", "session.destroyer.html" or die $!;

print HTML "<html><head><title>Session Destroyer: Invalidate your webapp logins with ease!</title></head>".
"<body onload=location.reload(true) bgcolor=#000000>".
"<font color=red>Please wait while we invalidate your webapp sessions...</font>".
"<br/><br/><img src=>";

# Each URL becomes an IMG tag; the browser issues a GET for it (cookies attached) while rendering.
while (<URLS>) {
    chomp;                  # drop the trailing newline so it does not land inside the tag
    next if /^\s*$/;        # skip blank lines in urls.txt
    print HTML "<img alt=' ' src=\"$_\">";
}

print HTML "<br/><br/><font color=blue>Email <a href=mailto:kristian.hermansen\>".
"Kristian Erik Hermansen</a> with suggestions/updates</font></body></html>";
close HTML or die $!;
close URLS or die $!;

In the script above, we are merely reading an input file named urls.txt and using it to create an output HTML file named session.destroyer.html. We utilize the IMG ALT attribute to hide the broken image icon from some browsers so that the rendering doesn't appear so ugly, but we do include a dancing Rick Astley for fun :-) You can append your own URLs to the file below. You may notice that some sites are security-minded and include a nonce, or one-time security token, in order to complete their web requests. One site, for instance, is Facebook. Your mileage may vary with them, because you would need to know the nonce value a priori.
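To show the server side of the nonce point above, and why the IMG trick from the CSRF explanation earlier works at all, here is an added Python example that is not part of the original post: a constructed in-memory session store with a logout handler that trusts the cookie alone, beside one that requires a POST carrying a per-session token and a same-origin Sec-Fetch-Site header. It assumes the browser attaches the session cookie to cross-site image loads, as it did before SameSite=Lax became the default cookie policy.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed in-memory session store: session id -> {"user": ..., "csrf": per-session token}
SESSIONS: Dict[str, Dict[str, str]] = {}

def login(user: str) -> str:
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def csrf_token_for(sid: str) -> str:
    # The token is embedded in the site's own logout form, so a third-party page never sees it.
    return SESSIONS[sid]["csrf"]

@dataclass
class Request:
    method: str
    cookie_sid: Optional[str]
    params: Dict[str, str] = field(default_factory=dict)
    sec_fetch_site: str = "same-origin"  # browsers send "cross-site" for third-party subresources

def forged_image_request(sid: str) -> Request:
    """What the browser sends when another site renders <img src=https://bank.example/logout>:
    a plain GET, the victim's cookie attached, no token, flagged as cross-site."""
    return Request("GET", sid, {}, "cross-site")

def logout_vulnerable(req: Request) -> bool:
    # Any request carrying a valid cookie ends the session; this is what Session Destroyer relies on.
    if req.cookie_sid in SESSIONS:
        del SESSIONS[req.cookie_sid]
        return True
    return False

def logout_hardened(req: Request) -> bool:
    sid = req.cookie_sid
    if sid not in SESSIONS:
        return False
    if req.method != "POST":                               # no state change on GET
        return False
    if req.sec_fetch_site not in ("same-origin", "none"):  # reject cross-site initiators
        return False
    if not secrets.compare_digest(req.params.get("csrf", ""), SESSIONS[sid]["csrf"]):
        return False                                       # nonce missing or wrong
    del SESSIONS[sid]
    return True
```

The hardened handler still logs the user out from the site's own form, but a forged image load from a third-party page no longer touches the session.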

One cool idea might be to create a bookmark to the final HTML file and to visit it each time you want to kill all your web sessions. For instance, you may want to do this every so often while browsing, or perhaps every time you close or open your web browser. If you want to play a prank, start including this code in your blog postings via an IFRAME tag, and then all your visitors will be logged out of GMail, Yahoo, etc. Makes a great April Fool's joke, perhaps.

You can view a live demonstration of this at my website below:

Mozilla Firefox does not protect you against this attack by default. However, Google Chrome supposedly does because it implements each tab in its own virtual sandbox. Since Chrome is open source software, it is likely that Mozilla Firefox will add such a feature in the future. Until then, you might also try the CSRF Protector addon from Princeton.

Happy holidays and be safe!