[Owasp-delhi] Please clarify

Gunwant Singh gunwant.s at gmail.com
Thu Feb 5 12:17:30 EST 2009


Thanks for the info Dhruv.

Another thing I want to add to the point is this. In my last session, a guy
(sorry for not remembering the name, my apology) put up an interesting
question. The question was that in order to exploit the CSRF attack, we know
we can craft a GET request via a URL as mentioned in Dhruv's email. But what
about cases where POST requests are involved, for example the request that
changes the password, or transfers the money from one a/c to the other? In such
cases *forms* are involved. How would an attacker socially engineer a
user to fill in the form to change his password to what the attacker wants :)

The answer to this is:
The attacker crafts a page which consists of the following code:

<html>
<head>
<script language="JavaScript">
function fnsubmit()
{
window.document.form1.submit();
return;
}
</script>
</head>

<body onload="return fnsubmit()">
<!-- the form posts to the target site, so the browser attaches the victim's existing session cookie -->
<form name="form1" action="changepassword.php" method="post">
<input type="text" name="username" value="theusername" />
<input type="text" name="password" value="atckrspass" />
<input type="submit" value="Click to Submit" />
</form>
</body>
</html>

So once the user clicks the link of the page containing this code, the form
gets submitted automatically with NO user intervention.

Enjoy!

-Gunwant
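The server-side check that defeats an auto-submitted form like the one above, as an added example that is not part of this thread or of any OWASP project code. The handler name handle_change_password, the in-memory session store and the hosts bank.example / attacker.example are assumptions: the forged POST arrives without the per-session token (the attacker's page cannot read it across origins) and with a foreign Origin, so it is refused.

```python
import hmac
import secrets
from urllib.parse import urlparse

SESSIONS = {}  # constructed in-memory session store; a real app uses its framework's session


def new_session(user="theusername"):
    """Create a logged-in session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the site embeds as a hidden field in its own change-password form."""
    return SESSIONS[sid]["csrf"]


def handle_change_password(cookies, headers, form, site="https://bank.example"):
    """Hypothetical handler for changepassword.php; returns (status, message)."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    sess = SESSIONS[sid]
    # 1. Synchronizer token: a cross-site form auto-submitted from the attacker's
    #    page cannot include it, because the attacker never got to read it.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    # 2. Defence in depth: browsers send Origin (or Referer) on POSTs, and a form
    #    submitted from attacker.example carries the attacker's origin.
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None or urlparse(origin).netloc != urlparse(site).netloc:
        return 403, "cross-site request blocked"
    sess["password"] = form["password"]
    return 200, "password changed"


def demo():
    """Replay the forged POST from the email's form, then a genuine one."""
    sid = new_session()
    cookies = {"session": sid}  # the victim's browser attaches this in both cases
    forged = handle_change_password(
        cookies, {"Origin": "http://attacker.example"},
        {"username": "theusername", "password": "atckrspass"})  # constructed request
    genuine = handle_change_password(
        cookies, {"Origin": "https://bank.example"},
        {"username": "theusername", "password": "newpass", "csrf_token": csrf_token_for(sid)})
    return forged, genuine
```

If the same site is also XSS-able, injected script runs in the site's origin and can read the hidden token, which is exactly the interaction the quoted question asks about; the token stops CSRF only while the application is free of XSS.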






On Thu, Feb 5, 2009 at 6:57 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:

>  CSRF is just to force a user to execute some command on the server in the
> context of his already authenticated session. User must be logged into the
> application to make the CSRF work. This simple link can make CSRF work →
> http://www.shopping.com/purchase.php?item=car&confirmed=1
>
> It doesn't work if there is a new browser instance, as in that case the session
> won't be valid, but it can work in a browser TAB. Attendees of the last meeting can
> recall Gunwant's discussion on the same point about Chrome browser and IE 8.
>
>
>
> Whereas, till the time you don't want to steal client's session data, XSS
> doesn't really rely on an active session to do the trick. Payload would be
> entirely different in this case, like →
> http://www.shopping.com/purchase.php?item=<script>alert("Mess with the best, die like the rest");</script>&confirmed=0
>
>
>
> CSRF has nothing to do with XSS but when CSRF is launched with XSS it can
> make a difference.
>
>
>
> If someone hasn't already read about the MySpace Samy story, visit this link →
> http://namb.la/popular/  (No CSRF in the link) :)
>
>
>
> Many Thanks,
>
> Dhruv
>
>
>  ------------------------------
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Gunwant Singh
> *Sent:* Thursday, February 05, 2009 11:34 AM
> *To:* Bipin Upadhyay
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Please clarify
>
>
>
> No, I do not agree with that.
>
> On Wed, Feb 4, 2009 at 11:54 PM, Bipin Upadhyay <muxical.geek at gmail.com>
> wrote:
>
> Gunwant Singh wrote:
>
> Both are independent of each other. An application may be vulnerable to one
> of the attacks but not the other at the same time.
>
> I think there's a slight mistake here. An app vulnerable to XSS is
> automatically vulnerable to CSRF.
>
>
> For a CSRF attack, an application does not need to be susceptible to XSS
> attack. Often, to execute an XSS attack, one needs to include a script in
> the context of the application. So if you can incorporate some scripting you
> can execute XSS. Although there are many variations to this, which is
> another story. For CSRF, one needs to execute code (not necessarily a
> script)  in the authentication context of the user that changes the state of
> the application. For example: changing password, transferring money from his
> a/c to the attacker's, etc.
>
> Hope that helps. Let me know if any further clarification is required.
>
> Regards,
> Gunwant
>
> On Mon, Feb 2, 2009 at 4:35 PM, Parmendra Sharma <s.parmendra at gmail.com>
> wrote:
>
> Hello All,
>
>
>
> Please clarify the below-mentioned point:
>
>
>
> "XSS flaws is susceptible to CSRF because a CSRF attack can exploit the XSS
> flaw to steal any non-automatically submitted credential that might be in
> place to protect against a CSRF attack"
>
> Please mention the scenario where both the vulnerabilities are in
> action.
> --
> Thanks and Regards:
>
> Parmendra Sharma
> Indian Computer Emergency Response Team (CERT-In)
> Ministry of Information Technology
> Government of India
> 6 C.G.O Complex
> Lodhi Road
> New Delhi
>
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
>
>
> --
> Gunwant Singh
>
>
>
>
>
>
>
> --Bipin Upadhyay.
>
>
>
>
> --
> Gunwant Singh
>



-- 
Gunwant Singh