Cross Site Request Forgery (CSRF)

CSRF Low

A Useful Tool

A useful tool for testing websites is HackBar, a browser add-on for editing and resubmitting requests.

It only works for Firefox.

https://addons.mozilla.org/en-US/firefox/addon/hackbar1/

[Image: csrf-bwapp.png]

Example of a Bad Implementation

Why is it Bad?

<!-- The product's price is carried in a hidden field that the client controls -->
<form action="Shop.aspx?prod=1" method="POST">
  Product: iPhone 5
  Price: 449
  Quantity: <input name="quantity" type="text" /> (Maximum quantity is 50)
  <input name="price" type="hidden" value="449" />
  <input type="submit" value="Buy" />
</form>

Notice that the form field price is flagged as hidden. This field is still sent to the server when the user submits the form.

Although the price is hidden from the screen and the user cannot edit it through the normal interface, the protection can be bypassed and an attacker can change the price to anything they like, because the server trusts whatever value arrives in the request. All they need to do is save the HTML page's source code, edit the field's value, load the edited source back into the browser, and click the Buy button; the modified price is then submitted.
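The following is an added example, not code from the original post or from bWAPP, showing the server side of the form above in two versions: a handler that trusts the hidden price field (the bad implementation the post describes) and a hardened handler that takes the price from a server-side catalogue, bounds the quantity, and checks a per-session anti-CSRF token. The catalogue, the function names and the use of a plain dict as the session are assumptions made for the demonstration.

```python
import hmac
import secrets

# Constructed server-side catalogue keyed by the prod parameter from the form's action URL.
# The server, not the client, must be the source of truth for the price.
CATALOG = {"1": {"name": "iPhone 5", "price": 449}}
MAX_QUANTITY = 50


def handle_order_vulnerable(prod, form):
    """Bad implementation: trusts the hidden 'price' field the browser sends."""
    price = int(form["price"])          # attacker-controlled value
    quantity = int(form["quantity"])
    return {"product": prod, "total": price * quantity}


def issue_csrf_token(session):
    """Generate a random token and bind it to the user's session (assumed dict-like)."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def handle_order_hardened(prod, form, session):
    """Hardened implementation: ignores client-supplied price, validates quantity, checks CSRF token."""
    # 1. Anti-CSRF: the submitted token must match the one bound to the session.
    expected = session.get("csrf_token", "")
    submitted = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(submitted, expected):
        raise PermissionError("missing or invalid CSRF token")

    # 2. Price is looked up server-side; any 'price' field in the request is ignored.
    item = CATALOG.get(prod)
    if item is None:
        raise ValueError("unknown product")

    # 3. Quantity is parsed and bounded on the server, not only by the form's hint text.
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("quantity must be between 1 and %d" % MAX_QUANTITY)

    return {
        "product": item["name"],
        "unit_price": item["price"],
        "quantity": quantity,
        "total": item["price"] * quantity,
    }


if __name__ == "__main__":
    # Constructed tampered submission: the hidden price has been edited to 1.
    tampered = {"quantity": "1", "price": "1"}
    print("vulnerable handler total:", handle_order_vulnerable("1", tampered)["total"])

    session = {}
    tampered["csrf_token"] = issue_csrf_token(session)
    print("hardened handler total:", handle_order_hardened("1", tampered, session)["total"])
```

The hardened handler charges 449 for the same tampered request that the vulnerable handler prices at 1, and rejects the request outright when the token is missing or the quantity is out of range.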

Demonstration Of The Attack

If you have any questions please comment below.
