[OWASP-Delhi] Anti-CSRF token in cookie and post form

Vaibhav Gupta vaibhav12jan at gmail.com
Tue Jul 7 17:03:39 UTC 2015


Apologies for not being clear in the first place. I'll give it another shot :-)

The application has an Anti-CSRF token checking mechanism in which it
just checks whether the Anti-CSRF token sent in the POST request is the same as
the one present in the cookie value being sent in the same POST request.

Now, since the application is not checking if the Anti-CSRF token presented
in the POST request is the same as what was set earlier, it is viewed as
vulnerable.

For creating a valid CSRF PoC, I need to craft a POST request in which the
form has an Anti-CSRF token (maybe '123') and I need to send the same
Anti-CSRF token in the cookie value.

The problem with creating this CSRF PoC is that HTML/JS code cannot send
cookies to the server due to the restriction in JavaScript (they are just
sent automatically by the browser itself).

Any way to create a working exploit?

On Sun, Jul 5, 2015 at 2:22 AM, Pankaj Upadhyay <mr.p.upadhyay at gmail.com>
wrote:

> A lot of web applications keep the session cookie as secure and other cookies
> as they are. If that is the scenario, an adversary will be able to sniff the
> cookie and get the CSRF token.
>
> "Now the problem is that we can not manipulate cookie value with
> Javascript "
>
> I didn't understand the above statement. Are you saying that this cookie
> has the HttpOnly attribute set?
>
> Thanks
> Pankaj
>
> On Saturday, July 4, 2015, Vaibhav Gupta <vaibhav12jan at gmail.com> wrote:
>
>> Hello all,
>>
>> I recently encountered an application which had its random
>> anti-CSRF token in a cookie and the same random token was sent in the POST
>> form. If I tamper with the cookie and the POST form anti-CSRF token using the
>> same value, the server will validate my request.
>>
>> Example:
>>
>> POST /account/delete
>> HOST: XYZ
>> Cookie: CSRF_Token=123456
>>
>> account_id=10101&CSRF_Token=123456
>>
>> Now the problem is that we cannot manipulate the cookie value with
>> JavaScript and hence cannot fiddle with the anti-CSRF token present in the
>> cookie. Is there a way to create a working exploit?
>>
>> Apologies if I am unable to make the scenario clear.
>>
>> Thanks
>> Vaibhav
>>
>
>
> --
> Sent from MI3
>
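The server-side check the thread describes, placed beside a hardened variant, as an added example that is not code from the thread or from the application being discussed. The naive check only compares the cookie value with the form value, so any pair of equal strings passes; the hardened variant binds the token to the session with an HMAC under a server-held secret (SERVER_SECRET and the session id are assumed placeholders), so a cookie value the server never issued for that session is rejected even when the form value matches it.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder; a real deployment keeps this secret server-side only.
SERVER_SECRET = b"server-side-secret-never-sent-to-the-client"


def naive_check(cookie_token: str, form_token: str) -> bool:
    """The check described in the thread: the cookie value merely has to
    equal the form value. Nothing ties either value to a token the server
    actually issued, so e.g. '123456' in both places is accepted."""
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


def issue_token(session_id: str) -> str:
    """Hardened variant: mint a random nonce and bind it to this session
    with an HMAC. The server stores nothing; it re-derives the tag later."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def hardened_check(session_id: str, cookie_token: str, form_token: str) -> bool:
    """Cookie and form must match AND the token must carry a valid MAC for
    the session the request arrived under. A value chosen by a third party
    cannot pass without SERVER_SECRET."""
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False
    try:
        nonce, tag = cookie_token.split(".", 1)
    except ValueError:  # malformed token, e.g. a bare '123456'
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


if __name__ == "__main__":
    # Values from the request in the thread: Cookie CSRF_Token=123456 and
    # form field CSRF_Token=123456.
    print("naive:", naive_check("123456", "123456"))
    print("hardened, forged:", hardened_check("sess-A", "123456", "123456"))
    tok = issue_token("sess-A")
    print("hardened, issued:", hardened_check("sess-A", tok, tok))
```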