Open a Page, Go To Jail
Inspired by RSnake article titled : “Click a Link, Go To Jail”, I wonder if we could go to jail by opening a page? I am not sure whether that will gonna happened or not. But my conclusion says maybe Yes! CSRF will be the answer.
I often listen to Era Baru FM Radio especially programs about Human Rights in China. Example : If you (ever or are) practicing in Falun Gong exercise in China, you’ll be arrested (jailed) by the police and punish severely. Or if you spreading information about any banned content (like Falun Gong, Liberty, etc), you also will be dealt by the local police. Even if you do a search in Baidu.com using the keyword “falun dafa”, you’ll got a temporary ban by the China Firewall. Ridiculous? (What the hell is the Internet for if the information we can have is very limited?? WtF!) If you don’t believe me, then you can try it yourself!! (Wait a moment, don’t try this first. I’ll show you an example in the story below!)
OK enough for the bullshit! Here comes the interested part where CSRF is going to play it’s role 
In order to become the player in my story, first you need to open Baidu.com and search using the keyword “Zoiz” and come back to my blog asap!
Done? You got the result page right? Ok, now visit the link below :
http://zoiz.web.id/lab/csrf_againts_china_firewall.html
Ok, now open Baidu.com again and see what happened?
Now you get what I mean? 
The point is if someone framing you using a CSRF technique, will you be arrested? Well of course the example above will not make you go to jail, but what if the CSRF contain a RFI link to a commercial website or anything far more dangerous? What if an attacker that trick users to open a page containing this kind of CSRF and let users leave visit log everywhere to let him hide his own identity? (YS Idea )
I don’t know the answer, and I’ll just point it out and let you guys discuss about this
No comments yet.