Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
MS Word embedded CSRF
Posted by: Anonymous User
Date: June 06, 2007 09:36PM

I am trying to reproduce MS Word embedded CSRF as described here:

http://michaeldaw.org/md-hacks/csrf-with-msword/

CSRF works as expected (I used the img src=... vector), but when embedded in Word 2000 it doesn't work at all. Sure, I sniffed the traffic and to my dismay the HTTP request is actually sent when the Word document is opened.

Yep, Word fetches sites through IE, but it seems that the major problem is the fact that Word does not accept cookies, even though it should if cookie handling is not restricted in the IE Security Zone:

http://209.85.135.104/search?q=cache:k_ILqLBNI0sJ:www.microsoft.com/technet/archive/security/news/cookiefaq.mspx+Frequently-Asked+Questions:+Cookies+and+Word+Documents&hl=en&ct=clnk&cd=1

Any suggestions?

Re: MS Word embedded CSRF
Posted by: rsnake
Date: July 12, 2007 06:07PM

I don't think you're going to have much luck here. Word isn't going to send the cookie, as you guessed. So the real value there is tracking users as they open Word files a la http://ha.ckers.org/webbug.html or to force them to do remote file includes on your behalf (in a way that doesn't show up in browser cache).

- RSnake
Gotta love it. http://ha.ckers.org
