[OWASP-Delhi] Anti-CSRF token in cookie and post form

Minhaz A V minhazav at gmail.com
Sat Jul 4 18:02:49 UTC 2015


:D I meant session variables... They can be referred to as server-side
cookies, I believe.
On 4 Jul 2015 20:22, <go4kam at gmail.com> wrote:

> A little off the hook here. But I want to ask, "Does something like
> server-side cookies really exist?"
>
> Sorry if that's a stupid question. I am not much into web apps, but
> conceptually I find it difficult to digest something called a server-side
> cookie.
>
> Cheers!
> Kamal
>
>
> From: Minhaz A V
> Sent: Saturday 4 July 2015 8:15 PM
> To: Vaibhav Gupta
> Cc: owasp-delhi at lists.owasp.org
> Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
>
> Not one I can think of as the whole point of using a random nonce here is
> based on same origin policy of the cookie.
>
> Also, there is a possibility that the validation on the server side is
> between the POST variable and a server-side cookie rather than the one sent
> by the client. This would make tampering with the request useless.
> On 4 Jul 2015 17:29, "Vaibhav Gupta" <vaibhav12jan at gmail.com> wrote:
>
>> Hello all,
>>
>> I recently encountered an application that kept its random anti-CSRF
>> token in a cookie, and the same random token was sent in the POST form.
>> If I tamper with the cookie and the POST form anti-CSRF token using the
>> same value, the server will validate my request.
>>
>> Example:
>>
>> POST /account/delete
>> HOST: XYZ
>> Cookie: CSRF_Token=123456
>>
>> account_id=10101&CSRF_Token=123456
>>
>> Now the problem is that we cannot manipulate the cookie value with
>> JavaScript and hence cannot fiddle with the anti-CSRF token present in
>> the cookie. Is there a way to create a working exploit?
>>
>> Apologies if I am unable to make the scenario clear.
>>
>> Thanks
>> Vaibhav
>>
>> _______________________________________________
>> OWASP-Delhi mailing list
>> OWASP-Delhi at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
>> Twitter: https://twitter.com/OWASPdelhi
>>
>
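The two validation strategies discussed in this thread, as an added example that is not part of the original messages: the weak check compares the cookie token with the form token (both supplied by the client), while the hardened variant from the reply compares the form token with a value held in the server-side session. The session store, the `session_id` cookie name and the token values are constructed for the example; the forged request reuses the `123456` pair from the thread.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed (hypothetical) server-side session store: session id -> issued CSRF token.
SESSION_STORE = {"sess-abc": {"csrf_token": "a1b2c3d4e5f6"}}

def parse_request(raw):
    """Split a raw HTTP POST (CRLF or LF line endings) into (cookies, form) dicts."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    cookies = SimpleCookie()
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            cookies.load(value.strip())
    form = {k: v[0] for k, v in parse_qs(body.strip()).items()}
    return {k: m.value for k, m in cookies.items()}, form

def weak_double_submit_check(cookies, form):
    """Pattern from the thread: accept when the cookie token equals the form token.
    Both values come from the client, so any matching pair passes."""
    cookie_tok, form_tok = cookies.get("CSRF_Token", ""), form.get("CSRF_Token", "")
    return bool(cookie_tok) and hmac.compare_digest(cookie_tok, form_tok)

def session_bound_check(cookies, form, store=SESSION_STORE):
    """Hardened variant from the reply: compare the form token with the token
    stored in the server-side session, which the client cannot choose."""
    session = store.get(cookies.get("session_id", ""))
    if session is None:
        return False
    return hmac.compare_digest(session["csrf_token"], form.get("CSRF_Token", ""))

# Constructed requests: the legitimate one carries the issued token; the forged
# one reuses the thread's example pair, cookie and form field both set to 123456.
LEGIT_REQUEST = (
    "POST /account/delete HTTP/1.1\r\nHost: XYZ\r\n"
    "Cookie: session_id=sess-abc; CSRF_Token=a1b2c3d4e5f6\r\n\r\n"
    "account_id=10101&CSRF_Token=a1b2c3d4e5f6"
)
FORGED_REQUEST = (
    "POST /account/delete HTTP/1.1\r\nHost: XYZ\r\n"
    "Cookie: session_id=sess-abc; CSRF_Token=123456\r\n\r\n"
    "account_id=10101&CSRF_Token=123456"
)

def evaluate(raw):
    """Return (weak_check_result, session_bound_result) for one raw request."""
    cookies, form = parse_request(raw)
    return weak_double_submit_check(cookies, form), session_bound_check(cookies, form)
```

`evaluate(LEGIT_REQUEST)` returns `(True, True)`, while `evaluate(FORGED_REQUEST)` returns `(True, False)`: the forged pair satisfies the cookie-versus-form comparison but not the comparison against the server-side session.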