I mean how thick do you have to be to not understand what CSRF is? I almost lost a gig to this supposedly 'seasoned' dev who kept bragging about how she takes web security very seriously. I pointed out this flaw in her work and she fucking flipped out and refused to even acknowledge that she might have made a mistake. She kept insisting how it isn't even a vulnerability.

Well, too bad I got the gig for pointing it out.

  • 14
    @skullLantern you could easily forge session tokens on her app to connect to the server pretending to be someone else.
  • 6
    @bigus-dickus How is that even possible? Can you give a brief example?
  • 6
    You mean you can write your own cookie with any contents, or pass any string as a CGI arg, as long as it's the right length?
  • 12
    @trickory @bahua

    Ok so after you successfully log in to a website, the webserver would set a session token for you just so you don't have to log in over and over, at least for a little while.

    If I am a hacker, all I have to do is send an email to the victim containing a link pointing to a fake page that looks exactly like the intended website. Now since the session token is already set, I can make the user do whatever I want him or her to do. This is a CSRF attack.

    You can simply prevent it by verifying that the requests coming in to the server are in fact from the actual website and not from a fake page pretending to be it.
  • 5
    although I don't disagree that this is something that should at least be configured properly, it's also still a very weak security measure and a well thought out attack will simply pretend to send requests from the right domain.

    edit: this is in response to your explanation, not the rant. not understanding csrf and pretending to be smart about it makes that dev a cunt though.
  • 7
    @balte sure you could, I was just trying to keep my explanation simple.
  • 3
    @bigus-dickus But this would be phishing, since if the user must provide a username & password, then the server generates the token after login validation.
  • 2
    @bigus-dickus don't web frameworks do that by default nowadays? I remember when I tried Laravel once, all forms had tokens in them to prevent this. Or am I talking about a different form of attack?
  • 2
    @vlatkozelka no frameworks were used.
  • 3
    Couldn't I still copy the frontend, and have a crawler load the original website, pose as a browser and send the contents to get a token? I do get that it's an extra step, but wouldn't this work too?
  • 2
    @Wack yes it would
  • 3
    @bigus-dickus so is CSRF just a way to kick script kiddies out? (Since most of my projects use Symfony I do use CSRF but never bothered to really understand it)
  • 3
    @Wack How about... before the server renders a web form on screen, it generates a unique token and assigns it as one of the hidden attributes of the form. The server at the same time also generates a hash of this token and stores it for verification for every subsequent request.

    Unless the token matches the hash on the server, every request remains invalid.
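    The synchronizer-token scheme described in this comment, as an added example that is not code from anyone in the thread: the server mints a random token when it renders the form, keeps only a hash of it in the session, and rejects any state-changing POST whose hidden field does not hash to the stored value. The in-memory session store, the `/transfer` form and the user name are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the server's session store: session id -> session data.
SESSIONS: dict = {}

def login(user: str) -> str:
    """After a successful login, create a session and return its id (the cookie value)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_hash": None}
    return sid

def render_form(sid: str) -> str:
    """Render the form: mint a fresh token, store only its hash, embed the token as a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"></form>')

def handle_post(cookie_sid: Optional[str], form: dict) -> tuple:
    """State-changing endpoint: the session cookie alone is never enough."""
    session = SESSIONS.get(cookie_sid or "")
    if session is None:
        return 401, "not logged in"
    expected_hash = session.get("csrf_hash")
    if expected_hash is None:
        return 403, "no token issued for this session"
    submitted_hash = hashlib.sha256(form.get("csrf_token", "").encode()).hexdigest()
    # Constant-time comparison of the hashes, so timing does not leak the stored value.
    if not hmac.compare_digest(submitted_hash, expected_hash):
        return 403, "csrf token mismatch"
    session["csrf_hash"] = None  # single use: a captured token cannot be replayed
    return 200, f"transferred {form.get('amount')} for {session['user']}"

def demo() -> dict:
    """Legitimate submission vs. forged cross-site requests against the same logged-in session."""
    sid = login("alice")
    token = render_form(sid).split('value="')[1].split('"')[0]
    # Forged request: the browser attaches the cookie, but the attacker's page never saw the token.
    forged = handle_post(sid, {"amount": "1000"})[0]
    guessed = handle_post(sid, {"csrf_token": "A" * 43, "amount": "1000"})[0]
    # Real submission from the rendered form carries cookie and matching token.
    legit = handle_post(sid, {"csrf_token": token, "amount": "10"})[0]
    replay = handle_post(sid, {"csrf_token": token, "amount": "10"})[0]
    return {"forged": forged, "guessed": guessed, "legit": legit, "replay": replay}
```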
  • 2
    @bigus-dickus yeah, so much I knew about it, but like what is the security benefit, if I can just crawl a page and then populate a form? Sure it's a bit more work than simply sending a post request with curl but still fairly easy
  • 1
    @Wack But how'd you crawl that form? Due to browser policies you can't access the content of other tabs, you'd have to hope for some xss vulnerability.

    OR, I've used this attack successfully to hijack the super admin account of a colleague a year or so ago (in combination with an XSS attack) (I had guest access). He asked me to explain how it works and help him with patching :)
  • 1
    @linuxxx I wouldn't use a browser but just good old curl, and then filter through the return, or better use a crawler able to understand HTML (I had a good experience using the Symfony provided one, when a client insisted we had to mirror their content but wouldn't provide us with an API...)
  • 0
    @Wack Well okay but how'd you hijack a session then? You'd have to get the contents of the target's browser tab...
  • 1
    Yes and no, I personally would just man in the middle it.

    Have foo.com mirror bar.com frontend-wise and just forward all calls to bar.com, while simultaneously logging all parameters, URLs and the return...
  • 1
    bang her
  • 0
    @angryotter nah! she's a 4/10 at best. Even if she were a full 10, I would still pass her for her cave bitch attitude.