Alright. Intro: CSRF means Cross-Site Request Forgery. In simple terms, sending forged BUT VALID requests to browsers. CSRF is hard to protect against because it exploits the trust a server has for a user. Unlike other hacks, the victim actually initiates the attack sequence. For instance, if a user is logged in, an attacker could send a valid request to the server through you.
Using $_SESSION/COOKIES? Maybe you should read this first.
The targeted audience are usually users with privileges, like admins. A well-constructed CSRF attack could be catastrophic. Enough talk. I was at min0taur's w3sx.com; I logged in, went to settings, edited my avatar to "http://ws3x.mobi/index.mat?do=logout" and now people that visit my profile are logged out. I visited retrivewap.co.za and put in my phone number:
Code:
<img src="ownerproc.php?action=delu&who=1" alt=""/>
-
Use phpThumb
or
host your members' images; do not let your links be images...
I keep saying this **** over and over, noobs never learn at all!!
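A concrete form of subzero's "host your members' images" advice, added here as an example; it is not subzero's code and not phpThumb. The member-supplied avatar URL is fetched by the server, checked to really decode as an image, and stored under a random local name, so the profile page only ever renders a file on your own host and a visitor's browser never requests the member's URL with its own cookies. The function names, the injected `$fetch` callable and the two fixtures (a real 1x1 GIF and an HTML page posing as an avatar) are this example's own, constructed so it runs offline.

```php
<?php
// Added example (not subzero's or phpThumb's code): re-host member avatars
// instead of linking to them. Helper names are this example's own.

// $fetch is injected so the demo runs offline. In production pass a function
// that does an HTTP GET with a timeout, a size cap and no redirect-following.
function rehost_avatar(string $url, string $storeDir, callable $fetch): ?string
{
    // Only absolute http(s) URLs are accepted; a relative path such as
    // "ownerproc.php?action=delu&who=1" is rejected before anything is fetched.
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }

    $bytes = $fetch($url);
    if ($bytes === null || strlen($bytes) > 512 * 1024) {   // 512 KiB cap (assumed limit)
        return null;
    }

    // The bytes must decode as an image. A logout page or a redirect body
    // fails this check even if the URL ended in ".gif".
    $info = @getimagesizefromstring($bytes);
    if ($info === false) {
        return null;
    }
    $ext = image_type_to_extension($info[2], false);   // "gif", "jpeg" or "png"
    if (!in_array($ext, ['gif', 'jpeg', 'png'], true)) {
        return null;
    }

    // Random local name: nothing from the submitted URL reaches the filesystem
    // or the <img src> that profile pages will render.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_put_contents($storeDir . '/' . $name, $bytes) === false) {
        return null;
    }
    return $name;
}

// Constructed fixtures: a genuine 1x1 transparent GIF, and the kind of
// "avatar" the thread describes (a page that is not an image at all).
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$fixtures = [
    'http://img.example/ok.gif'            => $gif,
    'http://ws3x.mobi/index.mat?do=logout' => '<html>you have been logged out</html>',
];
$fetch = function (string $url) use ($fixtures): ?string {
    return $fixtures[$url] ?? null;
};
$dir = sys_get_temp_dir();

var_dump(rehost_avatar('http://img.example/ok.gif', $dir, $fetch));             // real image
var_dump(rehost_avatar('http://ws3x.mobi/index.mat?do=logout', $dir, $fetch));  // HTML posing as an avatar
var_dump(rehost_avatar('ownerproc.php?action=delu&who=1', $dir, $fetch));       // relative URL
```

This only closes the avatar vector: the forged URL is now requested by your server without the victim's cookies, so the command never runs as the admin. It does nothing against the same img tag placed on a site the attacker controls, which is the case mobileGIGS raises further down.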
-
How it works. Like I said, you send the requests for the hacker. When you visit a page that contains an image, the browser sends a GET request for that image to the server along with the requested page. When a request is sent it contains the SESSION/COOKIE id. Since you visited the page, YOU MADE THE REQUEST from YOUR BROWSER, so the request will contain YOUR valid session/cookie, yes, your very own. Now take a look at the retrivewap attack: the owner sees the page, the browser sends a separate request for the "image" and it sends his sid; the server usually treats requests the same way, so the page requested is processed with the necessary permissions. But since it's an img request, the page will return a broken image (with more imagination I could even make you see a real image). The attack could be pretty straightforward and tricky, like using the BBCode for URL like [ url= ownerproc.php?action=delfrm&fid=1 ]SPAM ALERT[/ url]
-
People sometimes run after hiding the session id, and for that they lean heavily on cookies to save the session id. They think cookies are the best way to protect the session, but in reality that's not the case. Keep using the visible carry-forward session ids, or use two session ids at a time, one in a cookie and the other the usual GET-via-URL stuff. The attack cannot be replicated if external hotlinking of images is blocked and there is a redirector for outgoing URLs.
-
That's why I'm making my site more secure. Minotaur and I have different uses of cookies. Like what you said, when you put the logout URL as your avatar, every user would be logged out. He has poor code in logout, right? And regarding deletion of anything in a site: in my site, I'm working on code so that when someone wants to delete something, he/she must confirm first if he/she really wants to delete it. That's simply like that. You will just think of all you can to make your site more secure.
Last edited by kiLLeR-eyEd_14; 07.10.09, 10:24.
My Blog: http://jhommark.blogspot.com
My Facebook: http://www.facebook.com/jhommark
My Official Site: http://www.undergroundweb.tk
My Community Site: http://undergroundwap.xtreemhost.com
-
phpThumb, phpThumb, blah blah blah, didn't you just hear what I said? I can make a wen.ru site with the img tags and it will work. There are usually only THREE ways to stay safe: 1. Try to block XSS holes. 2. Use a CSRF helper class; I'll paste mine when I'm done with the GNU licence. 3. Avoid as much as you can using the GET method for commands.
@killereyed, maybe I should show you a simple attack on your site with it? You seem pretty confident in "PHPSESSID". You are all missing the main point: if the attacker creates the attack and views it, it may not have much effect; he just needs you to view it. Last I checked there are such holes in Friendster that allow you to view private photos, add yourself to a person's list, etc. Be wise, do research on what I just said, never be over-confident; you can never be 100% secure, but at least be 80%.
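The mechanism from the "How it works" post and mobileGIGS's points 2 and 3, put side by side as an added example (not the thread's code and not the helper class mobileGIGS mentions): a handler in the shape of the thread's `ownerproc.php` that acts on any GET carrying the admin's session, next to a version that accepts commands only over POST and only with a per-session token the other site cannot read. The `action`/`who` parameters are the thread's; the function names, the `$session` array standing in for `$_SESSION`, and the simulated run are this example's own.

```php
<?php
// Added example, not code from the thread. Two versions of the admin command
// handler the posts call "ownerproc.php". $session stands in for $_SESSION so
// the file runs from the CLI; function names are this example's own.

// --- BEFORE: authorization by cookie alone ----------------------------------
// The browser attaches the session cookie to the <img> fetch, the handler sees
// a logged-in admin and runs the command. Nothing here can tell a click in the
// admin panel from an image tag on somebody's profile.
function handle_request_vulnerable(array $session, array $get, callable $deleteUser): string
{
    if (empty($session['is_admin'])) {
        return 'forbidden';
    }
    if (($get['action'] ?? '') === 'delu') {
        $deleteUser((int) $get['who']);
        return 'deleted';
    }
    return 'noop';
}

// --- AFTER: POST only, plus a per-session secret the other site cannot read --
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // CSPRNG, 256 bits
    }
    return $session['csrf'];
}

function csrf_valid(array $session, ?string $submitted): bool
{
    // hash_equals rather than ===: constant-time comparison.
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}

function handle_request_hardened(string $method, array $session, array $post, callable $deleteUser): string
{
    if (empty($session['is_admin'])) {
        return 'forbidden';
    }
    if ($method !== 'POST') {               // <img> and [url] can only produce GETs
        return 'method not allowed';
    }
    if (!csrf_valid($session, $post['csrf'] ?? null)) {
        return 'bad csrf token';            // a cross-site <form> can POST, but not with our token
    }
    if (($post['action'] ?? '') === 'delu') {
        $deleteUser((int) $post['who']);
        return 'deleted';
    }
    return 'noop';
}

// The admin panel renders the command as a form that carries the token.
function render_delete_form(array &$session, int $uid): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="ownerproc.php">'
         . '<input type="hidden" name="csrf" value="' . $t . '">'
         . '<input type="hidden" name="action" value="delu">'
         . '<input type="hidden" name="who" value="' . $uid . '">'
         . '<button>Delete user ' . $uid . '</button></form>';
}

// Simulated run: the admin is logged in; first the forged GET an <img> would
// make, then a POST with a guessed token, then the legitimate form.
$deleted = [];
$del = function (int $uid) use (&$deleted) { $deleted[] = $uid; };
$session = ['is_admin' => true];
$forged = ['action' => 'delu', 'who' => '1'];

echo render_delete_form($session, 1), "\n";
echo 'old handler, forged GET:        ', handle_request_vulnerable($session, $forged, $del), "\n";
echo 'new handler, forged GET:        ', handle_request_hardened('GET', $session, $forged, $del), "\n";
echo 'new handler, POST, wrong token: ', handle_request_hardened('POST', $session, $forged + ['csrf' => 'guess'], $del), "\n";
$token = csrf_token($session);   // what the admin's own page carries
echo 'new handler, POST, real token:  ', handle_request_hardened('POST', $session, $forged + ['csrf' => $token], $del), "\n";
echo 'users deleted: ', implode(',', $deleted), "\n";
```

Point 1 in mobileGIGS's list is what holds this together: the token is only a secret as long as no script from another origin can read the admin's pages, so an XSS hole on the same site lets an attacker fetch the form, copy the token and submit it, and the check above passes.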
-
Originally posted by koizumi:
Well yeah, Friendster has a lot of it. Auto comments, auto add friend, auto join group, auto grant private album access, etc. But then, all those commands are not so fatal; those commands are visible client side, so we are able to formulate a hole out of them. But we can't formulate attacks with admin privileges like that of the delete uid 1 in the sample, since we do not know those commands. What I'm trying to say is, if you use publicly released scripts like lavalair, then the only way to protect against attacks like this is to change the db table prefix name and the commands on the owner/admin cpanel; it is also recommended to change the filenames of those important files like config, core, admin tools, etc. Now the attacker would be blind guessing.