Wednesday, June 29, 2011

CSRF Prompt By-Pass and CSRF Token By-Pass

CSRF Prompt By-Pass

In this chapter, continuing from the earlier one, I learn about CSRF Prompt By-Pass.
These are the directions from CSRF Prompt By-Pass:

“Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains multiple malicious requests: the first to transfer funds, and the second a request to confirm the prompt that the first request triggered. The URL should point to the CSRF lesson with an extra parameter "transferFunds=4000", and "transferFunds=CONFIRM". You can copy the shortcut from the left hand menu by right clicking on the left hand menu and choosing copy shortcut. Whoever receives this email and happens to be authenticated at that time will have his funds transferred. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.”

SS: [screenshot]

I tried to understand what the directions mean; like in the previous chapter, I copied the shortcut from the left hand menu:
http://127.0.0.1/webgoat/attack?Screen=82&menu=900 and I think in this chapter I must add transferFunds=4000 to this URL.

The result:
SS: [screenshot]

SS result: [screenshot]

After I saw the result, I just gave a thin smile: what I had entered was a URL, so I must enter it in the browser's URL bar, like this:

[screenshot]

and the result is:

[screenshot]

then I click confirm:

[screenshot]

CSRF Token By-Pass

These were the directions:
“Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains a malicious request to transfer funds. To successfully complete you need to obtain a valid request token. The page that presents the transfer funds form contains a valid request token. The URL for the transfer funds page is the same as this lesson with an extra parameter "transferFunds=main". Load this page, read the token and append the token in a forged request to transferFunds. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.”
SS: [screenshot]

After understanding the directions, I did the same as in the CSRF Prompt By-Pass chapter. But the difference in this chapter is:
I tried:

[screenshot]

and the result is:

[screenshot]

and after I click sub query,
SS: [screenshot]

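As an added example (not from the WebGoat lesson or from this post), here is a small Python model of a transferFunds handler that defeats both bypasses: the prompt state is kept server-side and every step requires the session's own token, so neither the tokenless 4000-then-CONFIRM pair nor a token read from a different session is accepted. The in-memory session store, the parameter names beyond transferFunds, and the status strings are assumptions.

```python
import hmac
import secrets

SESSIONS = {}  # constructed in-memory session store (assumption: one record per session id)

def new_session(balance=10000):
    """Each session gets its own unpredictable token; the token is bound to that session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"token": secrets.token_urlsafe(32), "pending": None, "balance": balance}
    return sid

def transfer_funds_page(sid):
    """Stands in for ?transferFunds=main: the rendered form embeds this session's token.
    Only code running in the victim's origin can read it (same-origin policy)."""
    return SESSIONS[sid]["token"]

def handle_transfer(sid, params):
    """Handler for transferFunds=<amount> and transferFunds=CONFIRM. Both steps need the
    session's own token, so a tokenless 4000-then-CONFIRM pair (Prompt By-Pass) and a
    token taken from another session (Token By-Pass) are both refused."""
    sess = SESSIONS[sid]
    # Constant-time comparison so the check itself leaks nothing through timing.
    if not hmac.compare_digest(params.get("token", "").encode(), sess["token"].encode()):
        return "rejected: missing or invalid token"
    action = params.get("transferFunds", "")
    if action == "CONFIRM":
        if sess["pending"] is None:
            return "rejected: nothing to confirm"  # a bare CONFIRM cannot be replayed
        sess["balance"] -= sess["pending"]
        sess["pending"] = None
        return "transferred"
    if not action.isdigit() or int(action) > sess["balance"]:
        return "rejected: bad amount"
    sess["pending"] = int(action)  # prompt state is kept server-side, not in the URL
    return "prompt: confirm?"

def demo():
    """Replay the forged requests from both lessons against the hardened handler."""
    victim, attacker = new_session(), new_session()
    results = [
        handle_transfer(victim, {"transferFunds": "4000"}),     # Prompt By-Pass, step 1
        handle_transfer(victim, {"transferFunds": "CONFIRM"}),  # Prompt By-Pass, step 2
        # Token By-Pass: a token read from a page in the attacker's own session
        handle_transfer(victim, {"transferFunds": "4000", "token": transfer_funds_page(attacker)}),
        # Legitimate flow: the victim's own form submits the victim's own token
        handle_transfer(victim, {"transferFunds": "4000", "token": transfer_funds_page(victim)}),
        handle_transfer(victim, {"transferFunds": "CONFIRM", "token": transfer_funds_page(victim)}),
    ]
    return results, SESSIONS[victim]["balance"]
```

Running demo() shows the three forged requests rejected and only the victim's own two-step flow moving the balance from 10000 to 6000.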
This is my report.
CMIIW