Thursday 2 October 2008

CSRF

CSRF, as it will be known from now on, also known as Cross-Site Request Forgery, is, in my opinion, an underestimated bug that may occur in quite a lot of web applications. The reason for this is that a lot of web devs assume users will be logged in when they view a given page, so unless they are particularly wary they will not require a username and password for every single action the user does. Let's face it, this would get really annoying, really fast, and make people less likely to want to bother using the site in the future because of all the hassle.


This attack works by submitting data from an attacker-defined form to a form on a target site: the victim's browser sends the request, and the site accepts it because the victim's session cookie is attached. After a site I often frequent decided to fix the XSS bug in one of their pages that I used to annoy people with, I decided to sit down for a while and try to break it again.


Basically what I did was craft an HTML page hosted on a remote server that submitted a form using JavaScript. It changed the user's email address (which coincidentally resets their password ;)). This code is pretty self-explanatory: it runs myform.submit(), which submits the form with the name "myform" (duhhhh); stick the target page in the action parameter, and the name of the text box you want to send data for (currently set to targetfield) and its content (newvalue).
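The server-side pattern that makes this work, and the fix for it, as an added example that is not part of the original post. The handler names, the in-memory session store, the field name targetfield (taken from the post) and the origins used are all assumptions constructed for the example. The vulnerable handler trusts any POST that arrives with a valid session cookie; the hardened one also requires a per-session synchronizer token that only a form rendered by the site itself can contain, and rejects a mismatched Origin header when the browser sends one.

```python
import hmac
import re
import secrets

# Constructed in-memory session store keyed by session id. A real application
# keeps this server-side (database, cache); the session id is what the cookie
# carries, so it is present on forged requests too.
SESSIONS = {}

# Assumed origin of the site being protected (not from the original post).
SITE_ORIGIN = "https://example.invalid"


def new_session(email):
    """Create a logged-in session with a fresh, unguessable CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"email": email, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_change_email_form(sid):
    """HTML the site serves to its own logged-in user. The hidden token is
    bound to this session; a page on another origin cannot read it."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form name="myform" method="POST" action="/change_email">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input type="text" name="targetfield">\n'
        '</form>'
    )


def token_from_form(html):
    """What the legitimate browser does implicitly: submit the hidden field."""
    return re.search(r'name="csrf_token" value="([^"]+)"', html).group(1)


def change_email_vulnerable(sid, fields):
    """The pattern the post exploits: only the session (cookie) is checked,
    so any POST the victim's browser makes while logged in is honoured."""
    SESSIONS[sid]["email"] = fields["targetfield"]
    return True


def change_email_protected(sid, fields, origin=None):
    """Hardened handler: require the session's synchronizer token, compared in
    constant time, and reject a foreign Origin when the browser supplies one."""
    session = SESSIONS.get(sid)
    if session is None:
        return False
    if origin is not None and origin != SITE_ORIGIN:
        return False  # cross-origin POST: defence in depth on top of the token
    supplied = fields.get("csrf_token", "")
    expected = session["csrf_token"]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False  # missing or wrong token: the forged form cannot know it
    session["email"] = fields["targetfield"]
    return True


def run_demo():
    """Replay the post's scenario against both handlers; returns the outcomes."""
    victim = "victim@example.invalid"
    # Constructed forged submission: the attacker's page knows the field name
    # and the value it wants, but not the victim's token.
    forged = {"targetfield": "attacker@example.invalid"}
    foreign_origin = "https://attacker.invalid"

    sid_v = new_session(victim)
    change_email_vulnerable(sid_v, forged)

    sid_p = new_session(victim)
    forged_ok = change_email_protected(sid_p, forged, origin=foreign_origin)
    legit = {
        "targetfield": "new@example.invalid",
        "csrf_token": token_from_form(render_change_email_form(sid_p)),
    }
    legit_ok = change_email_protected(sid_p, legit, origin=SITE_ORIGIN)

    return {
        "vulnerable_email": SESSIONS[sid_v]["email"],
        "forged_accepted": forged_ok,
        "legit_accepted": legit_ok,
        "protected_email": SESSIONS[sid_p]["email"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The token must be unpredictable and per-session (or per-form), and the comparison uses hmac.compare_digest so the check does not leak timing. Checking Origin alone is not enough, because older browsers and some request types omit the header; that is why the token is the primary control and the origin check only an extra layer.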


Unfortunately Blogger won't let me include the HTML (even when converted to HTML entities), so here's a pastebin link