[OWASP-Delhi] Anti-CSRF token in cookie and post form

Vaibhav Gupta vaibhav12jan at gmail.com
Sat Jul 4 11:52:10 UTC 2015


Hello all,

I recently encountered an application that had its random anti-CSRF
token in a cookie, and the same random token was sent in the POST form. If I
tamper with the cookie and the POST form anti-CSRF token using the same
value, the server will validate my request.

Example:

POST /account/delete
HOST: XYZ
Cookie: CSRF_Token=123456

account_id=10101&CSRF_Token=123456

Now the problem is that we cannot manipulate the cookie value with JavaScript
and hence cannot fiddle with the anti-CSRF token present in the cookie. Is
there a way to create a working exploit?

Apologies if I have not made the scenario clear.

Thanks
Vaibhav
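
The check described in the message, next to a signed variant of the double-submit cookie pattern, as an added example that is not part of the original post or the application's code. The function names, the session identifiers and the `<nonce>.<HMAC>` token layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # assumption: per-deployment secret key

def _same(a: str, b: str) -> bool:
    # Constant-time comparison; encode first so non-ASCII input cannot raise.
    return hmac.compare_digest(a.encode(), b.encode())

def _mac(session_id: str, nonce: str) -> str:
    # Length-prefix the session id so (session, nonce) pairs cannot collide.
    msg = f"{len(session_id)}:{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()

def naive_check(cookie_token: str, form_token: str) -> bool:
    """The behaviour in the message: any two equal values are accepted."""
    return bool(cookie_token) and _same(cookie_token, form_token)

def issue_token(session_id: str) -> str:
    """Hypothetical signed token: <nonce>.<HMAC over session id and nonce>."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def signed_check(session_id: str, cookie_token: str, form_token: str) -> bool:
    """Accept only equal copies whose MAC verifies for this server-side session."""
    if not cookie_token or not _same(cookie_token, form_token):
        return False
    nonce, sep, mac_hex = cookie_token.partition(".")
    return bool(sep) and _same(mac_hex, _mac(session_id, nonce))

def demo() -> dict:
    sid = "session-A-constructed"   # constructed session identifier
    forged = "123456"               # value from the message's example request
    good = issue_token(sid)
    return {
        "naive_accepts_forged": naive_check(forged, forged),
        "signed_accepts_forged": signed_check(sid, forged, forged),
        "signed_accepts_issued": signed_check(sid, good, good),
        "signed_accepts_other_session": signed_check("session-B-constructed", good, good),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```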