All Posts for Jul 2007

CSRF Redirector

• Wed, 18 Jul 2007 03:49:53 GMT
• 15 Comments
• References
• Link

Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.

For example, the following IFrame exploits the Amazon vulnerability:

<iframe src="http://shiflett.org/csrf.php?csrf=http%3A%2F%2Famazon.com%2Fgp%2Fproduct%2Fhandle-buy-box&ASIN=059600656X&offerListingID=XYPvvbir%2FyHMyphE%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf" />

I may add more features at some point. Until then, enjoy!

iPhone Security Concern

• Mon, 02 Jul 2007 03:11:06 GMT
• 6 Comments
• References
• Link

Nitesh Dhanjani just posted a reminder of an AT&T/Cingular vulnerability he first mentioned over a year ago. If you've recently purchased an iPhone, here's the scary part:

The AT&T/Cingular voicemail system is configured by default not to ask for a password when you check your voicemail from the handset. Unfortunately, the AT&T/Cingular voicemail system trusts Caller ID to determine if the handset is calling it.

I'm not going to claim that Caller ID spoofing is easy, but Paris Hilton can do it. I'm just saying.

Until this vulnerability is fixed, Nitesh recommends setting your voicemail password:

1. Call your AT&T/Cingular voicemail (dial your own number from the iPhone).
2. Press 4 to go to Personal Options.
3. Press 2 to go to Administrative Options.
4. Press 1 to go to Password.
5. Press 2 to turn your password On.

Thanks for the reminder, Nitesh!