A while ago our friend Nir published CSRF changing Facebook password and it was the last straw. I can recall at least 5 major CSRF vulnerabilities in Facebook published in last 6 months. This level of web security is inacceptable nonsense for Facebook.
So, here is a short reminder about mitigation:
Every state-changing (POST) request must contain a random token. Server-side must check it before processing the request using value stored in received cookies: cookies[:token] == params[:token]. If any POST endpoint lacks it — something is clearly wrong with implementation
For making world a better place I created simple and handy CSRF Tool: homakov.github.io
- Copy as Curl from Web Inspector, paste into text field and get a working template in a few clicks:
- No hassle. Researchers need a playground to demonstrate CSRF, with CSRF Tool you can simply give a link with working template.
- No disclosure. Fragment (part after #) is not sent on server side, so I am not able to track CSRFs you currently research (Github Pages don't have server side anyway). Link to template contains all information inside.
- Auto-submit for more fun, Base64 makes URL longer but hides the template.
- Add new fields and modify existing ones, change request method and endpoint path seamlessly.
- Post into iframe (which is carefully sandboxed) or a new window, try Referrer-free submission and so on.
tell me whatcha gonna do???
Everything is free but donations are welcome :) PayPal: firstname.lastname@example.org