WebApp Sec mailing list archives
Re: [PHP] CSRF attack not possible in I.E. 6.01 SP1?
From: Chris Shiflett <shiflett () php net>
Date: Mon, 16 Aug 2004 11:55:55 -0700 (PDT)
--- Saqib.N.Ali () seagate com wrote:
> I can't share the exact code ;) , but here is something very similar:
>
> <img src="http://slashdot.org/my/logout" height="1" width="1">
>
> If I load a web page with the above code, it should log me out of slashdot. It works in Mozilla (and netscape), but not in I.E. 6.01 SP1

The best information would be if you can capture the exact HTTP transactions involved. For example, using something like ethereal, capture the request and response for Mozilla, and then do the same for IE 6.01 SP1.

Short of that, you could create a URL specifically made for testing this. You can create a PHP file called csrf.php and another called csrf.png. Make .png files be interpreted as PHP (just for the purposes of this test), and then you can log a lot of useful information in your test scripts.

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming Fall 2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/
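
One way the csrf.png logging script suggested in the message above could look, as an added example that is not code from the thread. It assumes the test server runs .png files through PHP and has the GD extension loaded; the log file location and the `csrf_test` cookie name are hypothetical.

```php
<?php
// csrf.png: request logger for comparing how two browsers fetch an <img>.
// Assumptions (not from the thread): .png is handled by PHP on this test
// server, GD is loaded, and the log path and cookie name are made up here.

const TEST_COOKIE = 'csrf_test';

/** Reduce a request to the fields worth diffing between two browsers. */
function describe_request(array $server, array $cookies): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        if (strncmp($key, 'HTTP_', 5) !== 0) {
            continue; // only HTTP_* entries are request headers
        }
        $name = str_replace('_', '-', substr($key, 5));
        // Record that credentials arrived, but never their values.
        $secret = in_array($name, ['COOKIE', 'AUTHORIZATION'], true);
        $headers[$name] = $secret ? '[present]' : $value;
    }
    ksort($headers);

    return [
        'time'            => gmdate('c'),
        'method'          => $server['REQUEST_METHOD'] ?? '',
        'uri'             => $server['REQUEST_URI'] ?? '',
        'cookie_names'    => array_keys($cookies),
        'has_test_cookie' => isset($cookies[TEST_COOKIE]),
        'headers'         => $headers,
    ];
}

// Keep the log outside the web root so it cannot be fetched over HTTP.
$logFile = sys_get_temp_dir() . '/csrf-test.log';
$entry   = describe_request($_SERVER, $_COOKIE);
file_put_contents($logFile, json_encode($entry) . "\n", FILE_APPEND | LOCK_EX);

// Set a marker cookie; a later embedded request then shows whether the
// browser attaches this site's cookies to an <img> fetch.
setcookie(TEST_COOKIE, '1', 0, '/');

// Answer with a real 1x1 PNG so the image load completes normally.
header('Content-Type: image/png');
header('Cache-Control: no-store');
imagepng(imagecreatetruecolor(1, 1));
```

Each request appends one JSON line, so the entries written for Mozilla and for IE 6.01 SP1 can be compared field by field, in particular `has_test_cookie` and the `REFERER` header.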