[Owasp-cincinnati] Demonstrate CSRF with Web app only accept POST
Marco M. Morana
marco.m.morana at gmail.com
Fri Jun 20 18:29:10 EDT 2008
Correct, since the request is forged in a 1x1 pixel image tag that causes no
visible error to the user.
From: owasp-cincinnati-bounces at lists.owasp.org
[mailto:owasp-cincinnati-bounces at lists.owasp.org] On Behalf Of Joe Combs
Sent: Friday, June 20, 2008 5:45 PM
To: Zhou, Yan; owasp-cincinnati at lists.owasp.org
Subject: Re: [Owasp-cincinnati] Demonstrate CSRF with Web app only accept
If you borrow a technique from the ajax crowd and do your submit in
your demo. The app could then silently swallow the result returned by
the form submission.
Zhou, Yan wrote:
> Hi there,
> I want to demonstrate CSRF with a vulnerable Web application.
> Here is the idea: the user first logs in to the vulnerable web app (it
> only accepts POST), and then the user clicks on an "attack" web
> page, which does an automatic form submit. That completes the CSRF
> exercise. However, once the form is submitted, the user will notice
> that because the screen will have changed.
> How would you hide this so that the user cannot see the result of the form
> submit? I have tried a page redirect but it is not working as I expected.
> The problem seems to be: once the form is submitted, I cannot rely on
> any code after it being executed (simply because the server will now
> respond with a different page).
Owasp-cincinnati mailing list
Owasp-cincinnati at lists.owasp.org
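The thread shows why "only accepts POST" is not a CSRF defense: an auto-submitted form or a hidden iframe sends a POST with the victim's cookies just as easily as a GET. The following is an added example (not code from any poster or from OWASP) of the server-side checks that actually stop the forged submission: an Origin/Referer check, a per-session synchronizer token compared in constant time, and a SameSite session cookie. `SITE_ORIGIN`, the in-memory session store and the field name `csrf_token` are assumptions for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

SITE_ORIGIN = "https://app.example"  # assumed origin of the vulnerable app
_sessions = {}  # constructed in-memory store: session id -> synchronizer token


def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Token the app embeds as a hidden field in the forms it serves itself."""
    return _sessions[sid]


def cookie_header(sid):
    """Set-Cookie value for the session. SameSite=Lax stops the browser from
    attaching this cookie to a top-level POST navigated from another site."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax"


def accept_post(headers, body, sid):
    """Return True only for a POST that came from the app's own page.
    headers: dict of request headers; body: urlencoded form body;
    sid: session id taken from the session cookie."""
    if sid not in _sessions:
        return False
    # 1. Origin (or Referer) must be our site. A form auto-submitted from
    #    attacker.example carries Origin: https://attacker.example, and a
    #    browser never lets the attacker's page rewrite that header.
    src = headers.get("Origin") or headers.get("Referer")
    if src:
        parts = urlsplit(src)
        if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
            return False
    # 2. Synchronizer token. The attacker's page cannot read it out of our
    #    response (same-origin policy), so it cannot put it in the forged form.
    sent = parse_qs(body).get("csrf_token", [""])[0]
    expected = _sessions[sid]
    return hmac.compare_digest(sent.encode(), expected.encode())
```

The forged submission from the "attack" page in the thread fails check 1 (wrong Origin) and check 2 (no token), regardless of whether the result was hidden from the user.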