[ OWASP - Montréal ]XSFR/CSFR testing difficulty level

Sean Coates sean at caedmon.net
Thu Nov 27 23:00:30 EST 2008


> But I have to agree with you. Most XSRF are difficult to exploit.

Often difficult to identify, but once identified, not hard to exploit.

> A good way to test the "xsrf potential": try to send POST requests
> as GET. For example, if your POST is
>
> POST /?password=mypassword&user=toto then you may want to try GET
> password=mypassword&user=toto
>
> Some programmers (usually the slightly less experienced) forward the
> POST to a GET. Of course, this is a great XSRF potential. (Imagine
> an image called
> setpassword=mypasswordicanuse&setemail=myevilhackeremail&confirm=1)

This is only slightly harder to exploit when the action is only
available via POST, if the browser has JavaScript enabled (and let's
face it, almost everyone does). Accepting only POST is no safer than
GET in this case.

S
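The server-side check this exchange points at, as an added example that is not code from the list post: it rejects the "POST forwarded to a GET" case the quoted message describes and, because POST alone is no safer, also requires a per-session token that a forged request cannot supply. The endpoint path, the `csrf_token` field name and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Hypothetical state-changing endpoint, modelled on the quoted
# setpassword/setemail example.
STATE_CHANGING_PATHS = {"/setpassword"}


def issue_csrf_token() -> str:
    """Mint a random per-session token; the server keeps it in the session."""
    return secrets.token_urlsafe(32)


def parse_form(body: str) -> dict:
    """Flatten a url-encoded body to {field: first_value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def csrf_check(method: str, path: str, body: str, session_token: str) -> tuple:
    """Return (allowed, reason) for one request against the session's token."""
    if path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing action"
    # Case 1 (quoted message): the handler accepts the parameters via GET,
    # so a plain <img src=...> in any page can trigger the change.
    if method != "POST":
        return False, "state change only accepted via POST"
    params = parse_form(body)
    # Case 2 (reply): POST-only is no safer, a script-submitted form sends
    # the same body. What it cannot send is the victim's session-bound token,
    # so that token is the actual control. Constant-time compare on bytes.
    token = params.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(
        token.encode("utf-8"), session_token.encode("utf-8")
    ):
        return False, "missing or invalid CSRF token"
    return True, "ok"
```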
