A little off the hook here. But I want to ask, "Does something like a server-side cookie really exist?"

Sorry if that's a stupid question. I am not much into web apps, but conceptually I find it difficult to digest something called a server-side cookie.

Cheers!
Kamal


From: Minhaz A V
Sent: Saturday 4 July 2015 8:15 PM
To: Vaibhav Gupta
Cc: owasp-delhi@lists.owasp.org
Subject: Re: [OWASP-Delhi] Anti-CSRF token in cookie and post form

Not one I can think of, as the whole point of using a random nonce here is based on the same-origin policy of the cookie.

Also, there is a possibility that the validation on the server side could be between the POST variable and a server-side cookie rather than the one sent by the client. This would make tampering with the request useless.

On 4 Jul 2015 17:29, "Vaibhav Gupta" <vaibhav12...@gmail.com> wrote:
Hello all,

I recently encountered an application which had its random anti-CSRF token in a cookie, and the same random token was sent in the POST form. If I tamper with the cookie and the POST form anti-CSRF token using the same value, the server will validate my request.

Example:

POST /account/delete
HOST: XYZ
Cookie: CSRF_Token=123456

account_id=10101&CSRF_Token=123456

Now the problem is that we cannot manipulate the cookie value with JavaScript and hence cannot fiddle with the anti-CSRF token present in the cookie. Is there a way to create a working exploit?

Apologies if I am unable to make the scenario clear.

Thanks
Vaibhav

_______________________________________________
OWASP-Delhi mailing list
OWASP-Delhi@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
LinkedIn Group: https://www.linkedin.com/groups?gid=89270
Twitter: https://twitter.com/OWASPdelhi
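The two validation strategies discussed in the thread, run against the request from the original post, as an added example that is not from any of the posts; the in-memory session store, the `session_id` cookie, the function names and the sample token values are assumptions made for illustration:

```python
# Added example: naive double-submit check versus validation against a
# server-held token. The session store, session_id cookie and sample values
# are constructed for illustration and are not from the thread.
import hmac
from http.cookies import SimpleCookie
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed server-side store: session id -> CSRF token minted at login.
SESSION_STORE: Dict[str, str] = {"sess-abc": "f3a9c1e2d4b5"}


def parse_request(raw_cookie: str, raw_body: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split the Cookie header and the urlencoded POST body into dicts."""
    jar = SimpleCookie()
    jar.load(raw_cookie)
    cookies = {k: m.value for k, m in jar.items()}
    form = {k: v[0] for k, v in parse_qs(raw_body).items()}
    return cookies, form


def weak_double_submit(raw_cookie: str, raw_body: str) -> bool:
    """Naive check: the cookie token must equal the form token, nothing else.
    Whoever can set both values to the same string passes this check."""
    cookies, form = parse_request(raw_cookie, raw_body)
    cookie_tok = cookies.get("CSRF_Token", "")
    form_tok = form.get("CSRF_Token", "")
    return bool(cookie_tok) and hmac.compare_digest(cookie_tok, form_tok)


def server_bound_check(raw_cookie: str, raw_body: str) -> bool:
    """Check suggested in the reply above: compare the form token with the
    token held server-side for the caller's session, not with the CSRF cookie
    the client chose to send. A tampered CSRF cookie then no longer matters."""
    cookies, form = parse_request(raw_cookie, raw_body)
    expected = SESSION_STORE.get(cookies.get("session_id", ""))
    form_tok = form.get("CSRF_Token", "")
    return expected is not None and hmac.compare_digest(expected, form_tok)


# Request from the original post, with an assumed session cookie added.
COOKIE = "session_id=sess-abc; CSRF_Token=123456"
BODY = "account_id=10101&CSRF_Token=123456"

if __name__ == "__main__":
    print("weak check accepts matching pair:", weak_double_submit(COOKIE, BODY))
    print("server-bound check accepts it:", server_bound_check(COOKIE, BODY))
    good = "account_id=10101&CSRF_Token=" + SESSION_STORE["sess-abc"]
    print("server-bound check with real token:", server_bound_check(COOKIE, good))
```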
