Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. Covers session fixation, hijacking, lockout, replay, session riding, etc.
NetGear Router Config CSRF
Posted by: Lord0xF
Date: September 26, 2008 06:07PM

Not sure if this one has already been found. I just purchased a NetGear router and the way it configures over HTTP caught my attention: POST. Once authenticated in a session, embedding the following in an IMG tag or HTTP redirect will change the router's SSID to "MyRouterGotCSRFd":

http://routerlogin.com/wireless.cgi?ssid=MyRouterGotCSRFd&Apply=Apply

You can also enable Remote Configuration, change the password, tamper with routing and rules, and much more. Since authentication must exist in advance (the request must be sent in a reasonable time frame in which the user is administrating the router), this attack can be very effective with some social engineering.

As for this one:

http://routerlogin.com/backup.cgi?ROMReset=Yes

I think you get the idea guys ;)

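The server-side checks whose absence the post describes, as an added example that is not part of the original post and is not NetGear code: a state-changing handler should refuse non-POST methods, refuse requests whose Origin/Referer is not the admin host, and require a per-session token. The function names and the `csrf_token` form field are hypothetical, and the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the admin UI lives on the host used in the post's URLs.
ADMIN_HOST = "routerlogin.com"

def new_csrf_token():
    """Random per-session token, kept server-side and embedded in every config form."""
    return secrets.token_urlsafe(32)

def same_origin(headers):
    """True only if Origin (or, failing that, Referer) names the admin host."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    return urlsplit(source).hostname == ADMIN_HOST

def authorize_config_change(method, headers, form, session_token):
    """Return (allowed, reason) for a request to a state-changing handler."""
    if method != "POST":
        return False, "state change requested over " + method
    if not same_origin(headers):
        return False, "cross-site or missing Origin/Referer"
    supplied = form.get("csrf_token", "")  # hypothetical hidden form field
    if not session_token or not hmac.compare_digest(
            supplied.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

if __name__ == "__main__":
    token = new_csrf_token()
    own = {"Origin": "http://" + ADMIN_HOST}
    # Constructed requests: (label, method, headers, form fields)
    samples = [
        ("image tag on another site", "GET", {"Referer": "http://forum.example/t/1"},
         {"ssid": "x", "Apply": "Apply"}),
        ("POST from another origin", "POST", {"Origin": "http://forum.example"},
         {"ssid": "x", "Apply": "Apply"}),
        ("admin page, token present", "POST", own,
         {"ssid": "HomeNet", "Apply": "Apply", "csrf_token": token}),
    ]
    for label, method, headers, form in samples:
        print(label, "->", authorize_config_change(method, headers, form, token))
```

The token check is the control that matters; the method and Origin checks are defence in depth, since Referer can be stripped by proxies or privacy settings.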

