[OWASP-Delhi] Anti-CSRF token in cookie and post form

Pankaj Upadhyay mr.p.upadhyay at gmail.com
Sat Jul 4 20:52:30 UTC 2015


A lot of web applications keep the session cookie as secure and other cookies
as they are. If that is the scenario, an adversary will be able to sniff the
cookie and get the CSRF token.

"Now the problem is that we cannot manipulate the cookie value with JavaScript"

I didn't understand the above statement. Are you saying that this cookie
has the HttpOnly attribute set?

Thanks
Pankaj

On Saturday, July 4, 2015, Vaibhav Gupta <vaibhav12jan at gmail.com> wrote:

> Hello all,
>
> I recently encountered an application which had its random
> anti-CSRF token in a cookie, and the same random token was sent in the POST
> form. If I tamper with the cookie and the POST form anti-CSRF token, setting
> both to the same value, the server will validate my request.
>
> Example:
>
> POST /account/delete
> HOST: XYZ
> Cookie: CSRF_Token=123456
>
> account_id=10101&CSRF_Token=123456
>
> Now the problem is that we cannot manipulate the cookie value with JavaScript
> and hence cannot fiddle with the anti-CSRF token present in the cookie. Is
> there a way to create a working exploit?
>
> Apologies if I am unable to clear the scenario.
>
> Thanks
> Vaibhav
>


-- 
Sent from MI3
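
An added example, not part of either message in this thread: the cookie-equals-form check described above, beside a variant that also binds the token to the session with an HMAC so that a matching pair alone is not enough. The key, session identifiers and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that never reaches the browser.
SERVER_KEY = secrets.token_bytes(32)

def _same(a: str, b: str) -> bool:
    # Constant-time comparison of the two submitted copies.
    return hmac.compare_digest(a.encode(), b.encode())

def _mac(session_id: str, nonce: str) -> str:
    msg = f"{session_id}!{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def naive_check(cookie_token: str, form_token: str) -> bool:
    """Check as described in the thread: accept if cookie and form field match."""
    return bool(cookie_token) and _same(cookie_token, form_token)

def issue_token(session_id: str) -> str:
    """Random nonce plus an HMAC that ties it to one session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def signed_check(session_id: str, cookie_token: str, form_token: str) -> bool:
    """Accept only if both copies match and the MAC verifies for this session."""
    if not cookie_token or not _same(cookie_token, form_token):
        return False
    nonce, sep, mac = cookie_token.partition(".")
    return bool(sep) and _same(mac, _mac(session_id, nonce))

def demo() -> dict:
    # Constructed values; "123456" is the token from the request in the thread.
    good = issue_token("session-A")
    other = issue_token("session-B")
    return {
        "naive accepts any matching pair": naive_check("123456", "123456"),
        "signed rejects unsigned pair": signed_check("session-A", "123456", "123456"),
        "signed accepts own token": signed_check("session-A", good, good),
        "signed rejects other session's token": signed_check("session-A", other, other),
        "signed rejects mismatch": signed_check("session-A", good, other),
    }

if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```
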