[OWASP-Delhi] Anti-CSRF token in cookie and post form
Minhaz A V
minhazav at gmail.com
Sat Jul 4 18:02:49 UTC 2015
:D I meant session variables... They can be referred to as server side
cookies I believe.
On 4 Jul 2015 20:22, <go4kam at gmail.com> wrote:
> A little off the hook here. But I want to ask, "Is there really something
> that exists like server-side cookies?"
> Sorry if that's a stupid question. I am not much into web apps, but
> conceptually I find it difficult to digest something called server-side
> *From: *Minhaz A V
> *Sent: *Saturday 4 July 2015 8:15 PM
> *To: *Vaibhav Gupta
> *Cc: *owasp-delhi at lists.owasp.org
> *Subject: *Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form
> Not one I can think of, as the whole point of using a random nonce here is
> based on the same-origin policy of the cookie.
> Also there is a possibility that the validation on the server side could be
> between the POST variable and a server-side cookie rather than the one sent by
> the client. This would make tampering with the request useless.
> On 4 Jul 2015 17:29, "Vaibhav Gupta" <vaibhav12jan at gmail.com> wrote:
>> Hello all,
>> I recently encountered an application which had its random
>> anti-CSRF token in a cookie, and the same random token was sent in the POST
>> form. If I tamper with the cookie and the POST form anti-CSRF token using the
>> same value, the server will validate my request.
>> POST /account/delete
>> Host: XYZ
>> Cookie: CSRF_Token=123456
>> Now the problem is that we cannot manipulate the cookie value with
>> cookie. Is there a way to create a working exploit?
>> Apologies if I am unable to make the scenario clear.
>> OWASP-Delhi mailing list
>> OWASP-Delhi at lists.owasp.org
>> LinkedIn Group: https://www.linkedin.com/groups?gid=89270
>> Twitter: https://twitter.com/OWASPdelhi
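The two validation strategies discussed in this thread, as an added example that is not part of the original posts and not the code of the application Vaibhav describes: a naive double-submit check that compares the form field with the CSRF_Token cookie, beside a check that compares the form field with a token stored server-side in the session (the "server-side cookie" / session variable Minhaz means). The cookie name CSRF_Token and the value 123456 come from the thread; the form field name csrf_token, the session_id cookie and the in-memory session store are assumptions made for the example. The forged request models an attacker who can set both the cookie and the form value (which needs some cookie-injection path, since cross-origin script cannot set the victim's cookie): it passes the naive check and fails the session-bound one.

```python
# Added example (not from the mailing-list thread): two server-side ways to
# validate an anti-CSRF token, run against the scenario from the thread.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: the cookies and form fields the
    server sees. Field and cookie names (other than CSRF_Token) are
    assumptions for this example."""
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Server-side session store keyed by session id; this is the "server-side
# cookie" / session variable the thread refers to. Constructed for the example.
SESSIONS: dict = {}


def new_session() -> tuple:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    token = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": token}
    return sid, token


def double_submit_valid(req: Request) -> bool:
    """Naive double-submit check: the form token must equal the CSRF cookie.
    Nothing here is tied to server-side state, so whoever can set BOTH the
    cookie and the form field passes, regardless of the value chosen."""
    cookie_tok = req.cookies.get("CSRF_Token", "")
    form_tok = req.form.get("csrf_token", "")
    return bool(cookie_tok) and hmac.compare_digest(cookie_tok, form_tok)


def session_bound_valid(req: Request) -> bool:
    """Compare the form token with the value stored server-side for the
    session, never with anything the client supplied in a cookie."""
    sess = SESSIONS.get(req.cookies.get("session_id", ""))
    if sess is None:
        return False
    form_tok = req.form.get("csrf_token", "")
    return hmac.compare_digest(sess["csrf_token"], form_tok)


def scenario() -> dict:
    """Replay the thread's case. The victim's browser attaches the real
    session_id cookie; the attacker has managed to set CSRF_Token=123456
    and puts 123456 in the form. Returns the outcome of each check."""
    sid, real_token = new_session()
    legit = Request(cookies={"session_id": sid, "CSRF_Token": real_token},
                    form={"csrf_token": real_token})
    forged = Request(cookies={"session_id": sid, "CSRF_Token": "123456"},
                     form={"csrf_token": "123456"})
    return {
        "legit_double_submit": double_submit_valid(legit),
        "legit_session_bound": session_bound_valid(legit),
        "forged_double_submit": double_submit_valid(forged),
        "forged_session_bound": session_bound_valid(forged),
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The comparison in session_bound_valid is what makes tampering useless in the sense Minhaz describes: the attacker's chosen value is never the reference, so controlling the cookie gains nothing. The naive variant is only as strong as the attacker's inability to write a cookie for the target origin.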