CSRF Tool - homakov
http://homakov.blogspot.ru/2013/05/csrf-tool.html

======
pdeuchler
Hmmmm, while I'm a big fan of the OP, I don't think this is really a security
flaw.

I'm praying to God that Facebook doesn't use CSRF as their only stopgap
measure against malicious POST requests, and if that were the case then OP
might have a point, but in my opinion CSRF is more of a buffer that helps
prevent scalable automated form submissions.

If I understand it correctly, OP demonstrates that a simple curl can get a
CSRF token that can then be used to send malicious POST requests, but isn't
that almost the same thing as loading up the webpage and typing the data into
the form yourself? I feel like you're still throttling the requests, as an HTTP
request before every POST does not scale. This could also be very easily
detected server side and easily blocked.

Am I understanding this correctly?

~~~
homakov
Hey, thanks for the warm words. This post is not about vulns, it's about a tool
I created to find vulns. :)

~~~
pdeuchler
Ahhhh, gotcha. So essentially an automated tool to find who's not doing a
little extra server-side validation?

edit: Might I suggest you add a bitcoin wallet for donations as well?

~~~
homakov
Not automated, but really convenient and simple (for me at least).

I don't have a wallet yet (

------
hawkharris
Extra points for incorporating a rap video into a technical security blog
post.

~~~
homakov
Dat's how we roll, homie

------
alexchamberlain
Your mitigation is wrong. You need a one way function around the cookie,
otherwise that can be forged too.

~~~
tptacek
If a blind attacker can't predict the token, and the token is reliably checked
on form submission, it mitigates CSRF.

~~~
homakov
Furthermore: this is the one and only proper protection.

Referer: not reliable, proxies omit it
Origin: not supported yet
Additional header: could be tricked with Flash vuln

------
bvdbijl
Maybe you should do something other than alert() the CSRF exploit; I can't
copy it under Windows.

~~~
homakov
Hmm, maybe a popup with a text area. Feel free to submit a pull request.

------
stopcyring
Checking the referer will work 99% of the time, and without cluttering your URLs.

~~~
stopcyring
Ridiculous. Say forging again, I double dare you. How are you ninjas going to
do that? Flash 10 was released in 2008. Thanks for downvoting, single-minded HN
as usual.

~~~
ljd
You can forge the referrer by putting it in the header of an HTTP request.
It's a rather simple procedure.
