From cgdjmrsp at gmail.com Mon Aug 18 17:09:49 2014
From: cgdjmrsp at gmail.com (Chris Ducharme)
Date: Mon, 18 Aug 2014 10:09:49 -0700
Subject: [Owasp_mutillidae_2_project] Newbie question re javascript in Mutillidae CSRF hints
Message-ID:

Hi,

I'm a recent compsci grad trying to learn about infosec and pen-testing. I've been playing with Metasploitable and Mutillidae and I have a question that's not about Mutillidae per se (though it is directly related to one of the hints given); it's more of a javascript/browser question. If this is not the appropriate place for such a question, I apologize, and feel free to ignore the rest of this email.

On the Mutillidae add-to-blog page (/mutillidae/index.php?page=add-to-your-blog.php) one of the CSRF hints contains some code for an HTML form injection that includes the following line:

Hello World

I don't have very much javascript experience, but it's pretty clear that this creates a bit of text that should do the following upon mouseover:

1. save the current URL
2. submit form 'CSRF'
3. return to the saved URL

but in practice it does something very strange. Instead of submitting the form as a POST, it submits it as a GET, and so the form is not properly submitted. If I remove the statement "document.location.href=lURL;", it submits the form correctly (though obviously the browser then doesn't return to the original page).

My guess is that this is some sort of same-origin policy policing on the browser's part, but I really have no idea how it's happening or why. Any ideas as to what's going on?

I'm using Mutillidae 2.1.19 on Kali; the browser is IceWeasel 24.7.0.

- Chris