
Friday, July 20th, 2007

CSRF Redirector

Category: Security, Utility

Joe Walker will probably be happy to see this, and will be able to test DWR with it. Chris Shiflett has created a simple CSRF Redirector inspired by the XSS POST Forwarder:

It’s a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.
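From the defending side, a server-side check that refuses the kind of forged POST such a forwarder produces (a body holding only the crafted name-value pairs, sent from a third-party page) and writes one log line per rejection so the attempts can be detected, as an added Python example that is not Shiflett's code or part of this post; the application host, the session dictionary and the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical host of the application that must refuse forged POSTs (assumption).
APP_HOST = "app.example"

def issue_token(session):
    """Bind a fresh random synchronizer token to the session; embed it in every form."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]

def request_source(headers):
    """Origin if present, else Referer; None when the browser sent neither."""
    return headers.get("Origin") or headers.get("Referer")

def check_post(session, headers, form):
    """Return (allowed, reason) for a state-changing POST.

    A forwarded POST cannot carry the per-session token, and its source header
    (when the browser sends one) names the foreign page, so either check rejects it.
    """
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or mismatched csrf_token"
    source = request_source(headers)
    # Absent headers are treated as foreign; stricter than some sites choose to be.
    if source is None or urlsplit(source).hostname != APP_HOST:
        return False, "cross-site source: %s" % (source or "none")
    return True, "ok"

def detection_record(session, headers, form, path):
    """One log line per rejected POST, so forged submissions can be alerted on."""
    allowed, reason = check_post(session, headers, form)
    if allowed:
        return None
    return "CSRF_REJECT path=%s source=%s fields=%s reason=%s" % (
        path, request_source(headers) or "none", ",".join(sorted(form)), reason)

# Constructed sample traffic (not captured from any real site).
SESSION = {}
LEGIT_FORM = {"csrf_token": issue_token(SESSION), "email": "me@app.example"}
LEGIT_HEADERS = {"Origin": "http://app.example", "Referer": "http://app.example/settings"}
# Shape of a forwarded POST: only the crafted name-value pairs, arriving from a
# forwarding page on another host (hypothetical host name).
FORGED_FORM = {"email": "someone-else@app.example"}
FORGED_HEADERS = {"Referer": "http://forwarder.example/csrf.php"}
```

Run `check_post(SESSION, FORGED_HEADERS, FORGED_FORM)` to see the forwarded request refused on the token check alone, and `detection_record(...)` for the log line a monitoring rule can match on.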

Google’s online security team recently posted about Automating web application security testing, which discusses various XSS issues.


Posted by Dion Almaer at 5:46 am

2 Comments »


“…as reducing the misconception that forging a POST request is complicated.”

I think the author is confused about why we limit certain requests to POST to prevent CSRF attacks. It’s not because POST is harder to do and therefore harder for a hacker to pull off. It’s because it protects against a specific set of attack vectors present in most email clients today. And the “CSRF Redirector” technique won’t work in those vectors.

Comment by Jordan — July 20, 2007

How can we detect this when it happens?

Thanks,

Bill Wardell

Comment by Bill Wardell — November 26, 2007
