Bugtraq mailing list archives

Re: Circumventing CSFR Form Token Defense

From: Florian Weimer <fw () deneb enyo de>
Date: Wed, 10 Jan 2007 08:38:44 +0100

* Jim Manico:

CONJECTURE: An attacker could write a hybrid "html inspection, CSRF
attack" mimicking an exact important form (like the funds transfer
form for an exact bank) **even if the form in question uses form
tokens**.


I'm not sure what you mean by "form tokens", but correctly generated
tokens are unique to the user's session.

  a) The javascript makes a simple HTTP/S request to the form it is
  trying to mimic and inspects the returned HTML for the purpose of
  pulling out a valid form key since the form key NAME is known from
  (1).


To work, this requires a cross-site scripting vulnerability in the web
application (or lack of enforcement of the same-origin policy by the
browser).  (The rule of thumb is: XSS for read access, CSRF for write
access.)

Current thread:

Circumventing CSFR Form Token Defense Jim Manico (Jan 09)
- Re: Circumventing CSFR Form Token Defense Florian Weimer (Jan 10)
- Re: Circumventing CSFR Form Token Defense Peter Watkins (Jan 10)
- <Possible follow-ups>
- Re: Circumventing CSFR Form Token Defense bugtraq (Jan 10)
  - RE: Circumventing CSFR Form Token Defense James C. Slora Jr. (Jan 11)