[OWASP-Delhi] Anti-CSRF token in cookie and post form

Minhaz A V minhazav at gmail.com
Sat Jul 4 12:17:27 UTC 2015


Not one I can think of, as the whole point of using a random nonce here is
based on the same-origin policy of the cookie.

Also, there is a possibility the validation on the server side could be
between the POST variable and a server-side cookie rather than the one sent
by the client. This would make tampering with the request useless.

On 4 Jul 2015 17:29, "Vaibhav Gupta" <vaibhav12jan at gmail.com> wrote:

> Hello all,
>
> I recently encountered an application which had its random anti-CSRF
> token in a cookie, and the same random token was sent in the POST form.
> If I tamper with both the cookie and the POST form anti-CSRF token, using
> the same value, the server will validate my request.
>
> Example:
>
> POST /account/delete
> HOST: XYZ
> Cookie: CSRF_Token=123456
>
> account_id=10101&CSRF_Token=123456
>
> Now the problem is that we cannot manipulate the cookie value with
> JavaScript and hence cannot fiddle with the anti-CSRF token present in the
> cookie. Is there a way to create a working exploit?
>
> Apologies if I have not made the scenario clear.
>
> Thanks
> Vaibhav
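
The two server-side checks discussed in this thread, side by side, as an added example that is not part of the original messages: one compares the two client-supplied values with each other, the other compares the form value with a copy the server keeps for the session. The in-memory session store, the function names and the session ids are assumptions made for illustration; the value 123456 is the one from the question.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> CSRF token the server issued.
SESSION_TOKENS = {}


def issue_token(session_id):
    """Create a random token and keep the server's own copy for this session."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def _equal(a, b):
    # Constant-time comparison; None is treated as an empty string.
    return hmac.compare_digest((a or "").encode(), (b or "").encode())


def client_pair_check(cookie_token, form_token):
    """Check from the question: cookie and form field only have to match each other."""
    return bool(cookie_token) and _equal(cookie_token, form_token)


def server_side_check(session_id, form_token):
    """Check from the reply: the form field must match the server's copy.
    Any CSRF cookie sent by the client plays no part in the decision."""
    expected = SESSION_TOKENS.get(session_id)
    return expected is not None and _equal(expected, form_token)


def demo():
    sid = "sess-constructed-0001"  # constructed sample session id
    issued = issue_token(sid)
    return {
        # Request from the question: cookie and form both set to 123456.
        "pair_check_same_value": client_pair_check("123456", "123456"),
        "server_check_same_value": server_side_check(sid, "123456"),
        # Form carrying the token the server actually issued.
        "server_check_issued": server_side_check(sid, issued),
        # Issued token replayed against a session the server does not know.
        "server_check_unknown_session": server_side_check("sess-unknown", issued),
        # Missing cookie and form field must not count as a match.
        "pair_check_empty": client_pair_check("", ""),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```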