WebApp Sec mailing list archives
RE: CSRF through POST
From: <boaz.shunami () rsa com>
Date: Mon, 21 Dec 2009 08:47:28 -0500
You can also have a javascript event that will fire the submit button automatically and hence will send the post parameters.

Thanks,
Boaz

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Robin Wood
Sent: Wednesday, December 16, 2009 6:47 PM
To: arvind doraiswamy
Cc: webappsec () securityfocus com
Subject: Re: CSRF through POST

2009/12/16 arvind doraiswamy <arvind.doraiswamy () gmail com>:
Hey Robin, You shouldn't worry about GET or POST. A CSRF will happen in both places. It's just that the GET is easier and more visible. For a POST you could either use OWASP's CSRF Tester to record and replay a request, or you could create an HTML page manually with all hidden variables and just a button as a POC.
It is this bit I was after info on; I could think of a way that I would attempt a POST but wanted to see research others had done. As it turns out I've had quite a few good leads passed across, thanks to everyone. Most work in a similar way but all have slight variations that are useful to know about when trying to work out the best way to attack a target.

Robin
Cheers
Arvind

On Tue, Dec 15, 2009 at 6:27 AM, Robin Wood <dninja () gmail com> wrote:
Hi
Can anyone point me at any good papers on doing CSRF through POST parameters? I've found some sites with redirect scripts which help performing the attack but no good write-ups on different ways to perform it.
Robin

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------
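The thread describes the POST-CSRF pattern (a third-party page holding the target's parameters in hidden fields and submitting the form automatically). As an added example, not code from the thread or its participants, here is the server-side check that defeats it: a per-session synchronizer token, which the foreign page cannot read, backed by an Origin comparison. The request and session shapes, the origin `https://bank.example`, and the `transfer` handler are constructed for illustration.

```python
"""Constructed example: why an auto-submitted cross-site form cannot pass a
synchronizer-token check. Request/session shapes are simplified stand-ins."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected app


@dataclass
class Session:
    user: str
    # Token minted per session and rendered into the site's own forms only.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    session: Session                 # found via cookie, which the browser also attaches cross-site
    form: dict                       # POST body parameters
    headers: dict = field(default_factory=dict)


def csrf_ok(req: Request) -> bool:
    """Synchronizer-token check with Origin as a second line of defence."""
    # 1. Browsers send Origin on POST; if present it must be our own site.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    # 2. The form's token must equal the session's token (constant-time compare).
    #    A foreign page can only guess this value, so hidden fields cannot supply it.
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted, req.session.csrf_token)


def transfer(req: Request) -> str:
    """State-changing handler (hypothetical): proceeds only if the check passes."""
    if not csrf_ok(req):
        return "403 rejected"
    return f"200 moved {req.form['amount']} to {req.form['to']}"


def demo() -> tuple[str, str]:
    sess = Session(user="alice")
    # Legitimate POST from our own page, which rendered the token in a hidden field.
    legit = Request(sess, {"to": "bob", "amount": "10", "csrf_token": sess.csrf_token},
                    {"Origin": SITE_ORIGIN})
    # Cross-site auto-submitted form, as in the thread: cookie rides along, token does not.
    forged = Request(sess, {"to": "mallory", "amount": "1000"},
                     {"Origin": "https://evil.example"})
    return transfer(legit), transfer(forged)
```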
Current thread:
- CSRF through POST Robin Wood (Dec 15)
- Re: CSRF through POST arvind doraiswamy (Dec 16)
- Re: CSRF through POST Robin Wood (Dec 16)
- RE: CSRF through POST boaz.shunami (Dec 21)
- Re: CSRF through POST chr1x (Dec 21)
- Re: CSRF through POST Robin Wood (Dec 22)
- Re: CSRF through POST Robin Wood (Dec 16)
- Re: CSRF through POST Amish Shah (Dec 24)
- Re: CSRF through POST YGN Ethical Hacker Group (Dec 27)
- Re: CSRF through POST arvind doraiswamy (Dec 16)