Q and A on cross site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For Session, fixations, hijacking, lockout, replay, session riding etc.... 
How bypass CSRF protections
Posted by: the_master
Date: July 05, 2011 03:16PM

Hi there,

How can I bypass CSRF protections without an XSS bug?
I know about session fixation and hijacking, through which I can bypass the token protection.

Any ideas?

Re: How bypass CSRF protections
Posted by: Neo139
Date: July 05, 2011 09:41PM

You can't, unless the site is badly coded and URLs transmit the session via GET instead of cookies, like something.php?SID=w38d7s53w3s415s4etc, which is the session fixation you mentioned.
Or if the token is poorly coded and you could predict it. If the token is something like md5($user.$email.$random_shit_that_changes_everyday) and you know the random shit via brute force, then you get your CSRF. Still, most tokens are the session itself or a derivative, so it will not be possible without XSS.

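The contrast Neo139 draws above, a token computed from public account data plus a value shared by every user versus one derived from the session itself, as an added Python example that is not from this thread or any site discussed in it. All values are constructed; SERVER_KEY, DAILY_VALUE and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values, not taken from the forum thread.
SERVER_KEY = secrets.token_bytes(32)   # long-lived secret that never leaves the server
DAILY_VALUE = "2011-07-05-seed"        # the "changes every day" value, shared by all users


def weak_token(user: str, email: str, daily_value: str = DAILY_VALUE) -> str:
    """Token shape criticised in the thread: md5(user + email + daily value).
    Every input except daily_value is public, and daily_value is the same for
    all accounts, so the token is not bound to the victim's session and one
    recovered daily value yields every user's token for that day."""
    return hashlib.md5((user + email + daily_value).encode()).hexdigest()


def session_token(session_id: str) -> str:
    """Session-bound token: HMAC-SHA256 of the session id under SERVER_KEY.
    Deriving it from the session (not the user) means a token minted for one
    session is worthless in any other, and nobody can compute it without
    the server key."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_session_token(session_id: str, presented: str) -> bool:
    """Recompute and compare in constant time (hmac.compare_digest) so the
    check does not leak token bytes through response timing."""
    return hmac.compare_digest(session_token(session_id), presented)


def compare_schemes() -> dict:
    """Same user logged in twice (two session ids). Reports which scheme
    lets a token obtained in session A be replayed against session B."""
    user, email = "alice", "alice@example.invalid"
    sess_a, sess_b = secrets.token_hex(16), secrets.token_hex(16)

    # Weak scheme: the token does not depend on the session at all.
    weak_a = weak_token(user, email)
    weak_b = weak_token(user, email)

    # Session-bound scheme: the token from A is rejected when presented with B.
    strong_a = session_token(sess_a)
    return {
        "weak_replays_across_sessions": weak_a == weak_b,
        "strong_accepted_in_own_session": verify_session_token(sess_a, strong_a),
        "strong_replays_across_sessions": verify_session_token(sess_b, strong_a),
    }


if __name__ == "__main__":
    print(compare_schemes())
```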
Re: How bypass CSRF protections
Posted by: lightos
Date: July 06, 2011 05:31AM

An alternative solution using ClickJacking: [blog.kotowicz.net]

Re: How bypass CSRF protections
Posted by: Gareth Heyes
Date: July 06, 2011 07:32AM

Another example:

http://www.thespanner.co.uk/2007/09/28/openid-security-css-overlays/

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: How bypass CSRF protections
Posted by: the_master
Date: July 06, 2011 03:16PM

Neo139 - That won't work, because if the token is run and refreshed at random (and encrypted in MD5, that won't work!).
Anyway, thanks man.

lightos && Gareth Heyes, thanks very much, it helps!
