WebApp Sec mailing list archives
Re: CSRF through POST
From: Amish Shah <amish () net-square com>
Date: Thu, 24 Dec 2009 15:56:02 +0530
Hi Robin, You find CSRF through POST with example at, http://blog.runxc.com/post/2009/07/06/CSRF-by-Example-How-to-do-it-How-to-defend-it.aspx --Amish Robin Wood wrote:
2009/12/16 arvind doraiswamy <arvind.doraiswamy () gmail com>:Hey Robin, You shouldn't worry about GET or POST. A CSRF will happen in both places. Its just that the GET is easier and more visible. For a POST you could either use OWASP's CSRF Tester to record and replay a request. Or you could create a HTML page manually with all hidden variables and just a button as a POC.It is this bit I was after info on, I could think of a way that I would attempt a POST but wanted to see research others had done. As it turns out I've had quite a few good leads passed across, thanks to everyone. Most work in a similar way but all have slight variations that are useful to know about when trying to work out the best way to attack a target. RobinCheers Arvind On Tue, Dec 15, 2009 at 6:27 AM, Robin Wood <dninja () gmail com> wrote:Hi Can anyone point me at any good papers on doing CSRF through POST parameters? I've found some sites with redirect scripts which help performing the attack but no good write-ups on different ways to perform it. Robin This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
-- Amish Shah Chief Technology Officer Net Square Solutions Pvt. Ltd. amish () net-square com http://net-square.com/ +91 98257 09665 This list is sponsored by Cenzic -------------------------------------- Let Us Hack You. Before Hackers Do! It's Finally Here - The Cenzic Website HealthCheck. FREE. Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus --------------------------------------
Current thread:
- CSRF through POST Robin Wood (Dec 15)
- Re: CSRF through POST arvind doraiswamy (Dec 16)
- Re: CSRF through POST Robin Wood (Dec 16)
- RE: CSRF through POST boaz.shunami (Dec 21)
- Re: CSRF through POST chr1x (Dec 21)
- Re: CSRF through POST Robin Wood (Dec 22)
- Re: CSRF through POST Robin Wood (Dec 16)
- Re: CSRF through POST Amish Shah (Dec 24)
- Re: CSRF through POST YGN Ethical Hacker Group (Dec 27)
- Re: CSRF through POST arvind doraiswamy (Dec 16)