Sla.ckers.org
Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
CSRF, problem with HTTP_REFERER
Posted by: XaDoS
Date: September 02, 2009 08:11AM

I found a CSRF vuln on a famous board through which a "hacker" can add an admin user with admin privileges on the site.
But I have a problem: when I try it (as the admin user, clicking on the CSRF code) the site responds: "WARNING: your browser don't send the HTTP_referrer header". I don't understand why the site doesn't accept my POST request; how can I bypass this, or how can I send it?
Thanks in advance; for more info contact me by PM or at xados@hotmail.it

Re: CSRF, problem with HTTP_REFERER
Posted by: backbone
Date: September 03, 2009 06:54AM

Maybe because there is a referrer check?

Re: CSRF, problem with HTTP_REFERER
Posted by: XaDoS
Date: September 03, 2009 11:05AM

Uhm.. it's impossible because I'm logged in with the admin account.. so the referrer is normal.. like http://mysite../../admin/..

Re: CSRF, problem with HTTP_REFERER
Posted by: rvdh
Date: September 06, 2009 03:21PM

Could be they require a GET instead of a POST, who knows.

Re: CSRF, problem with HTTP_REFERER
Posted by: XaDoS
Date: September 07, 2009 11:10AM

Eheh.. I don't know.. :(

Re: CSRF, problem with HTTP_REFERER
Posted by: Ams
Date: November 15, 2009 06:19AM

Why not try explicitly sending the referrer in the headers? Don't say it's impossible until you check.

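The refusal described in this thread (a state-changing POST rejected because no Referer header arrived) is what a fail-closed server-side source check produces. The sketch below is an added example, not code from the thread or from the board in question; the origin `board.example`, the token values and the function names are assumptions.

```python
import hmac
from urllib.parse import urlsplit

# Assumptions for this sketch: the board's own origin and its state-changing methods.
TRUSTED_ORIGIN = ("https", "board.example", 443)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def same_origin(header_value):
    """Exact scheme/host/port match; substring or prefix matching is not enough."""
    try:
        parts = urlsplit(header_value)
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed URL or port in the header
        return False
    return (parts.scheme, parts.hostname, port) == TRUSTED_ORIGIN


def check_request(environ, session_token, form_token):
    """Return (allowed, reason) for a CGI/WSGI-style environ dict."""
    if environ.get("REQUEST_METHOD", "GET").upper() not in STATE_CHANGING:
        return True, "safe method"
    source = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not source:
        # Fail closed: this is the "browser did not send a referrer" refusal.
        return False, "missing Origin/Referer"
    if not same_origin(source):
        return False, "cross-site source"
    # The header check is defence in depth; the per-session token is the main control.
    if not (session_token and form_token and hmac.compare_digest(
            session_token.encode(), form_token.encode())):
        return False, "bad CSRF token"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "no_referer": {"REQUEST_METHOD": "POST"},
    "lookalike": {"REQUEST_METHOD": "POST",
                  "HTTP_REFERER": "https://board.example.evil.test/admin/"},
    "own_page": {"REQUEST_METHOD": "POST",
                 "HTTP_REFERER": "https://board.example/admin/users"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(name, check_request(env, "tok-123", "tok-123"))
```

Even a request whose Referer is the site's own admin page is refused when the form token does not match the session token, which is why the token, not the header, carries the protection.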