Re: CSRF through POST

[Robin Wood <dninja () gmail com>]

2009/12/16 arvind doraiswamy <arvind.doraiswamy () gmail com>:
> Hey Robin,
> You shouldn't worry about GET or POST. A CSRF will happen in both
> places. Its just that the GET is easier and more visible.
>
> For a POST you could either use OWASP's CSRF Tester to record and
> replay a request. Or you could create a HTML page manually with all
> hidden variables and just a button as a POC.

It is this bit I was after info on, I could think of a way that I
would attempt a POST but wanted to see research others had done.

As it turns out I've had quite a few good leads passed across, thanks
to everyone. Most work in a similar way but all have slight variations
that are useful to know about when trying to work out the best way to
attack a target.

Robin

> Cheers
> Arvind
>
> On Tue, Dec 15, 2009 at 6:27 AM, Robin Wood <dninja () gmail com> wrote:
> > Hi
> > Can anyone point me at any good papers on doing CSRF through POST
> > parameters? I've found some sites with redirect scripts which help
> > performing the attack but no good write-ups on different ways to
> > perform it.
> >
> > Robin
> >
> >
> >
> > This list is sponsored by Cenzic
> > --------------------------------------
> > Let Us Hack You. Before Hackers Do!
> > It's Finally Here - The Cenzic Website HealthCheck. FREE.
> > Request Yours Now!
> > http://www.cenzic.com/2009HClaunch_Securityfocus
> > --------------------------------------



This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now! 
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------