Web Application Security
CSRF through POST Dec 15 2009 12:57AM
Robin Wood (dninja gmail com) (2 replies)
Re: CSRF through POST Dec 22 2009 08:00AM
Himanshu Goyal (idhimanshu gmail com)
Re: CSRF through POST Dec 16 2009 04:37PM
arvind doraiswamy (arvind doraiswamy gmail com) (1 replies)
Re: CSRF through POST Dec 16 2009 04:47PM
Robin Wood (dninja gmail com) (2 replies)
Re: CSRF through POST Dec 24 2009 10:26AM
Amish Shah (amish net-square com) (1 replies)
Re: CSRF through POST Dec 27 2009 05:55AM
YGN Ethical Hacker Group (lists yehg net)
RE: CSRF through POST Dec 21 2009 01:47PM
boaz shunami rsa com (1 replies)
Re: CSRF through POST Dec 22 2009 03:59AM
chr1x (chr1x sectester net) (1 replies)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Robin,

I went over your question and looks pretty interesting, so, as Boaz
said, the way that you can use is Javascript to do the job.

Take this example:

<form name="myform" action="handle-data.php">
Search: <input type='text' name='query' />
<a href="javascript: submitform()">Search</a>
</form>
<script type="text/javascript">
function submitform()
{
document.myform.submit();
}
</script>

Javascript uses a submit() method which is used for HTML Forms in
order to send data over HTTP POST method. In this case, you can
configure the Javascript given as example as you required.

Don't hesitate to contact me if you require more information and/or help

- ---
[CubilFelino Security Research Lab] http://chr1x.sectester.net
The computer security is an art form. It's the ultimate martial art."
New Forum at: http://www.sectester.net. Share your knowledge!

boaz.shunami (at) rsa (dot) com [email concealed] escribió:
> You can also have a javascript event that will fire the submit button
> automatically and hence will send the post parameters.
>
> Thanks,
>
> Boaz
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
> On Behalf Of Robin Wood
> Sent: Wednesday, December 16, 2009 6:47 PM
> To: arvind doraiswamy
> Cc: webappsec (at) securityfocus (dot) com [email concealed]
> Subject: Re: CSRF through POST
>
> 2009/12/16 arvind doraiswamy <arvind.doraiswamy (at) gmail (dot) com [email concealed]>:
>> Hey Robin,
>> You shouldn't worry about GET or POST. A CSRF will happen in both
>> places. Its just that the GET is easier and more visible.
>>
>> For a POST you could either use OWASP's CSRF Tester to record and
>> replay a request. Or you could create a HTML page manually with all
>> hidden variables and just a button as a POC.
>
> It is this bit I was after info on, I could think of a way that I
> would attempt a POST but wanted to see research others had done.
>
> As it turns out I've had quite a few good leads passed across, thanks
> to everyone. Most work in a similar way but all have slight variations
> that are useful to know about when trying to work out the best way to
> attack a target.
>
> Robin
>
>> Cheers
>> Arvind
>>
>> On Tue, Dec 15, 2009 at 6:27 AM, Robin Wood <dninja (at) gmail (dot) com [email concealed]> wrote:
>>> Hi
>>> Can anyone point me at any good papers on doing CSRF through POST
>>> parameters? I've found some sites with redirect scripts which help
>>> performing the attack but no good write-ups on different ways to
>>> perform it.
>>>
>>> Robin
>>>
>>>
>>>
>>> This list is sponsored by Cenzic
>>> --------------------------------------
>>> Let Us Hack You. Before Hackers Do!
>>> It's Finally Here - The Cenzic Website HealthCheck. FREE.
>>> Request Yours Now!
>>> http://www.cenzic.com/2009HClaunch_Securityfocus
>>> --------------------------------------
>>>
>>>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now!
> http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJLMEQVAAoJEENUkd83ZfT4FBoIAMKB0ZhzuSxySoCDUxkpjqLL
XaFd9hOhh/V2B4SG61hVq4kXd6pkYTZoN8GhHjBnvJzBsa4K/6QXT9Be4Ebxj2n4
gDXHkNMXj2YPxgiR+YEnmn20N46j4BGvbL1H0ejfMxDakcKEMl4+AxUom70HyFEq
lIjPoT2x8N572P6NErvWXrPQCJRixyMyLaJ1NahVasA81Ngn6XaFV+nM4Ltnx6nd
J89K5mYr+Qy4GxSTkrgs52pBtICBbL9a6QwNrhZv1Ss78jeLr6QiD6bKt7/QVV6n
o117m2y/LGzvZ66S0bhUoufQyWvO7sDca7ghCLubBqRJKLnHrww8WlbT2vukmqE=
=27fB
-----END PGP SIGNATURE-----

This list is sponsored by Cenzic
--------------------------------------
Let Us Hack You. Before Hackers Do!
It's Finally Here - The Cenzic Website HealthCheck. FREE.
Request Yours Now!
http://www.cenzic.com/2009HClaunch_Securityfocus
--------------------------------------

[ reply ]
Re: CSRF through POST Dec 22 2009 09:22AM
Robin Wood (dninja gmail com)


 

Privacy Statement
Copyright 2010, SecurityFocus