[Owasp-cincinnati] FW: Demonstrate CSRF with Web app only accept POST

Marco M. Morana marco.m.morana at gmail.com
Fri Jun 20 18:57:25 EDT 2008


Yan

I think the threat scenario for CSRF that you should try to test is whether
you can have a form that executes a POST, without the user knowing, that
exploits a previously authenticated session token. Let's say form A issues a
POST and the session ID does not change; the same session can then be used to
issue a POST with a malicious form B (the pages need to be in the same
browser process, that is, using the same IExplore.exe). The reason the user
does not notice the error should be that you embed the POST in a 1x1 pixel
image tag. That the POST executes could be confirmed by trapping the HTTP
response via a web proxy like Paros or WebScarab, as in the WebGoat lesson.

I have not tried this, but I would recommend you try the CSRF lesson of
WebGoat against a web site that has a well-known CSRF vulnerability, such as
Foundstone Hacme Books, using the same testing technique.

I think you can also try again OWASP CSRFTester or this tool here
http://shiflett.org/blog/2007/jul/csrf-redirector from Chris Shiflett. Chris
can also be contacted at Chris at shiflett.org

Regards

Marco
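As an added illustration (not code from either message): the server-side check that defeats the scenario described above, assuming a synchronizer token stored per session plus an Origin/Referer check. The site origin, the in-memory session store and the request shapes are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumption: the application's own origin; a real app reads this from config.
SITE_ORIGIN = "https://app.example"

# Constructed stand-in for the session store behind the session cookie:
# session id -> CSRF token.
_sessions = {}


def issue_csrf_token(session_id):
    """Create (or reuse) a random token bound to this session. The server
    embeds it as a hidden field in the forms it renders itself."""
    return _sessions.setdefault(session_id, secrets.token_urlsafe(32))


def is_allowed_post(session_id, headers, form):
    """Return True only when the POST carries the session's token and the
    browser reports it came from our origin.

    A page on another origin (the auto-submitting form B in the thread) can
    make the browser attach the victim's session cookie, but it cannot read
    the token out of form A, and it cannot control the Origin/Referer header
    the browser adds. Either check alone fails the request."""
    expected = _sessions.get(session_id)
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False

    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no source header at all: fail closed on state changes
    parsed = urlparse(source)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


if __name__ == "__main__":
    tok = issue_csrf_token("session-1")
    # Legitimate submit from the site's own form A.
    print(is_allowed_post("session-1", {"Origin": SITE_ORIGIN}, {"csrf_token": tok}))
    # Cross-site auto-POST: cookie rides along, but no token and wrong Origin.
    print(is_allowed_post("session-1", {"Origin": "https://other.example"}, {}))
```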

-----Original Message-----
From: Zhou, Yan [mailto:yzhou at medplus.com] 
Sent: Friday, June 20, 2008 2:20 PM
To: Marco Morana
Subject: RE: [Owasp-cincinnati] Demonstrate CSRF with Web app only accept POST

Marco, 

It does not work, 

Suppose page B does an automatic POST once loaded, and page A contains an
<img> tag that links to page B.

When you load page A in the browser, the form is not submitted in page B. I
do not know HTTP well enough to say why that is the case, but I do not
believe the form will be submitted "indirectly" in this fashion.

Any idea how I can do CSRF with a POST-only web app, and without the user
noticing the before and after?

Thanks, 
Yan
