Friday, July 20th, 2007

CSRF Redirector

Category: Security, Utility

Joe Walker will probably be happy to see this, and will be able to test DWR with it. Chris Shiflett has created a simple CSRF Redirector, inspired by the XSS POST Forwarder, and describes it as follows:

It’s a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.
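What the target site receives from such a URL is an ordinary POST carrying only the NAME=VALUE pairs the URL's author chose. As an added example (not code from this post or from Chris Shiflett's csrf.php), here is a server-side check that rejects that request while accepting a form the site rendered itself; the site origin, server key, session id and field names are assumed values.

```python
"""Server-side CSRF check for POST handlers (added example, constructed values)."""
import hmac
import hashlib
from urllib.parse import parse_qsl, urlparse

SITE_ORIGIN = "https://app.example"             # constructed: the protected site
SERVER_KEY = b"constructed-server-side-secret"  # constructed: never sent to clients


def issue_token(session_id: str) -> str:
    """Token the site embeds in its own forms, bound to the user's session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def fields_from_redirector_url(url: str) -> dict:
    """Form fields the target sees for a URL of the form
    csrf.php?csrf=TARGET&NAME=VALUE: every pair except `csrf` itself."""
    return {k: v for k, v in parse_qsl(urlparse(url).query) if k != "csrf"}


def check_post(headers: dict, form: dict, session_id: str) -> str:
    """Return 'ok' or the reason the POST is rejected."""
    # 1. Source check on Origin (fallback: Referer). A missing header is
    #    rejected too, so a forged POST cannot pass by omitting it.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return "rejected: no Origin or Referer"
    p = urlparse(source)
    if f"{p.scheme}://{p.netloc}" != SITE_ORIGIN:
        return "rejected: cross-site source"
    # 2. Synchronizer token. The redirector can only send NAME=VALUE pairs
    #    fixed in advance; it cannot know a token bound to the victim's
    #    session, so this comparison fails for a forged POST.
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_token(session_id)):
        return "rejected: missing or invalid csrf token"
    return "ok"
```

The Referer check alone is weak (browsers and proxies may strip it), which is why the token check is the one that must hold.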

Google’s online security team recently posted about Automating web application security testing, which discusses various XSS issues.

Posted by Dion Almaer at 5:46 am

2 Comments


“…as reducing the misconception that forging a POST request is complicated.”

I think the author is confused about why we limit certain requests to POST to prevent CSRF attacks. It’s not because POST is harder to do and therefore harder for a hacker to pull off. It’s because it protects against a specific set of attack vectors present in most email clients today. And the “CSRF Redirector” technique won’t work in those vectors.

Comment by Jordan — July 20, 2007

How can we detect this when it happens?

Thanks,

Bill Wardell

Comment by Bill Wardell — November 26, 2007
