Security Advisory 05 – 012 – Session Riding/Cross Site Request Forgery Attack
Original Bugtraq posting 08 April 2005, Resend 19 April 2005.
This vulnerability affects the eBay auction websites.
Vulnerability discovery and development:
This issue was conceived by James Fisher having read the paper “Session Riding”, which was posted to the web application security mailing list on 15th December 2005. The issue was further researched and developed to the point of Proof of Concept by Dave Armstrong with additional input from Martin Murfitt.
Successful exploitation of this issue allows malicious users to list an item for auction in such a way that any subsequent user who views the item automatically places a bid for that item with the value being bid under the control of the malicious user. This does however require that the user who views the item has logged into eBay.
This issue affects the eBay auction web sites.
All that is required to expose this issue is placing an item listing for auction on eBay and adding a link to an off-site image. In reality this link would point to a CGI script that, instead of returning an image, returns an HTTP 302 redirect response referring the user back to the eBay URL that automatically submits a bid.
An example of a typical URL:
Users viewing the page who have not logged in simply receive a broken image, while logged-in users silently place a bid on the item. They remain unaware they have taken this action until the confirmation email is received, or until they refresh the item or otherwise check the items they have bid upon. This issue has not been tested with the “Buy Now” functionality.
Additionally, although the eBay site normally uses a POST request with what appear to be session-specific values to submit bids, it was discovered that removing these session values and changing the method to GET still generated a valid request that was accepted by the server.
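The two findings above (a bid request the browser can be made to send via an image redirect, and a server that accepts it as a GET without any session-specific value) are modelled below as an added example. This is not Portcullis' proof-of-concept code nor anything from eBay; the handler names, the dict-shaped requests, the secret, the `auction.example` origin and the `maxbid`/`csrf_token` parameter names are all assumptions made for the illustration. It places the accepting-anything handler beside a hardened one that requires POST, a same-site Origin/Referer, and a synchronizer token bound to the session, which is the property the advisory shows was missing.

```python
"""Bid endpoint as the advisory describes it, beside a hardened version.

Requests are plain dicts standing in for HTTP requests; nothing here touches
the network. All names and values are constructed for the example.
"""
import hashlib
import hmac
from typing import Optional

# Constructed for the demonstration; a real deployment loads the key from secure storage.
SERVER_SECRET = b"demo-only-secret"
SITE_ORIGIN = "https://auction.example"  # placeholder for the auction site's own origin


def make_csrf_token(session_id: str) -> str:
    """Synchronizer token: an HMAC of the session id, so it is unguessable and tied to one login."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def browser_request_after_image_redirect(session_id: str, maxbid: str) -> dict:
    """What a logged-in browser sends when an <img> fetch is 302-redirected to the bid URL:
    a GET carrying the session cookie and a query-string amount, with no request body and
    no value the site itself issued for this form. A logged-out browser has no cookie."""
    return {
        "method": "GET",
        "headers": {"Referer": "https://attacker.example/img.cgi"},  # constructed third-party origin
        "cookies": {"session": session_id} if session_id else {},
        "params": {"maxbid": maxbid},
    }


def legitimate_bid_submission(session_id: str, maxbid: str, token: Optional[str] = None) -> dict:
    """A bid submitted from the site's own form: POST, same origin, carrying the session-bound token."""
    return {
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN},
        "cookies": {"session": session_id},
        "params": {"maxbid": maxbid,
                   "csrf_token": token if token is not None else make_csrf_token(session_id)},
    }


def vulnerable_bid_handler(req: dict) -> tuple:
    """Trusts the session cookie alone and accepts any method: the behaviour found in the
    advisory, where stripping the session-specific values and using GET still placed a bid."""
    if "session" not in req["cookies"]:
        return 401, "login required"  # the logged-out user's 'broken image' case
    return 200, "bid of %s placed" % req["params"]["maxbid"]


def hardened_bid_handler(req: dict) -> tuple:
    """Refuses any request the browser could have been induced to send from another site."""
    if req["method"] != "POST":
        return 405, "state change requires POST"  # an <img> or redirect fetch is always GET
    session_id = req["cookies"].get("session")
    if not session_id:
        return 401, "login required"
    # The request must come from the site itself (Origin, falling back to Referer).
    source = req["headers"].get("Origin") or req["headers"].get("Referer") or ""
    if not source.startswith(SITE_ORIGIN):
        return 403, "cross-site request rejected"
    # The token must be present and match the one derived for this session (constant-time compare).
    supplied = req["params"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, make_csrf_token(session_id)):
        return 403, "missing or invalid anti-CSRF token"
    return 200, "bid of %s placed" % req["params"]["maxbid"]


if __name__ == "__main__":
    forged = browser_request_after_image_redirect("sess-abc", "500")
    print("vulnerable:", vulnerable_bid_handler(forged))   # 200: bid placed silently
    print("hardened:  ", hardened_bid_handler(forged))     # 405: refused
    print("hardened, real form:", hardened_bid_handler(legitimate_bid_submission("sess-abc", "500")))
```

The order of the checks in the hardened handler matters for defence in depth: the method check alone already defeats the image-redirect vector, the origin check covers cross-site POSTs from attacker-controlled forms, and the session-bound token covers cases where Origin and Referer are absent. Modern browsers add a further layer through the `SameSite` cookie attribute, which did not exist when this advisory was written. Note also that the bid confirmation email the advisory mentions is a detection after the fact, not a control; a user who ignores mail is still bound by the bid.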
Items placed for auction can be controlled to the point of placing incremental bids (value at the attacker's discretion) without the user's consent. This does, however, pose a minimal risk, as users are informed via email of their bid.
Portcullis have working POC code for this issue, however, this will not be published within this advisory until eBay has resolved the issue.
eBay were notified first on 22 December 2004 via email to the support mail address and other standard email addresses such as postmaster, security, issues, bugs, abuse, etc. The standard web contact form was completed and sent on 23 December 2004. Further emails were sent during January 2005, February 2005 and March 2005.
No response has been received.