CSRF override

#1
Hello,
CSRF is useless. If you set up a curl request where you set the cookie and the POST param to the same value, you can load the page without problems, even though you should get: "The action you requested is not allowed."
curl:
Code:
// Placeholder target; the post does not give the URL.
$url = 'https://example.test/form';
// The same arbitrary value is sent as both the POST field and the cookie.
$poststring = 'csrf_test_name=123';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // certificate verification is off for this request
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $poststring);
curl_setopt($ch, CURLINFO_HEADER_OUT, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Cookie: csrf_cookie_name=123"));
$output = curl_exec($ch);
curl_close($ch);

Also made an issue at GitHub: https://github.com/bcit-ci/CodeIgniter/issues/5244
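
A check that only compares the POST field with the cookie accepts any matching pair, so it guards against cross-site browser requests (where the other site cannot set the cookie) rather than against a client that sets both values itself. As an added sketch, not CodeIgniter's code or the poster's: that comparison beside a token bound to a server-side session, where the key, the session id and all function names are assumptions.

```php
<?php
// Added example with constructed values; not taken from CodeIgniter.

// Double-submit comparison: true whenever the POST field equals the cookie.
function double_submit_ok(array $post, array $cookie): bool
{
    return isset($post['csrf_test_name'], $cookie['csrf_cookie_name'])
        && is_string($post['csrf_test_name'])
        && is_string($cookie['csrf_cookie_name'])
        && hash_equals($cookie['csrf_cookie_name'], $post['csrf_test_name']);
}

// Session-bound token: HMAC of the session id under a server-side key,
// so a value the client invents does not verify.
function issue_token(string $key, string $sessionId): string
{
    return hash_hmac('sha256', $sessionId, $key);
}

function session_bound_ok(array $post, string $key, string $sessionId): bool
{
    return isset($post['csrf_test_name'])
        && is_string($post['csrf_test_name'])
        && hash_equals(issue_token($key, $sessionId), $post['csrf_test_name']);
}

$key       = 'constructed-server-secret';  // assumption: never sent to the client
$sessionId = 'constructed-session-id';     // assumption: id of the logged-in session

// Case 1: request shaped like the curl call, client chooses both values.
$post   = ['csrf_test_name' => '123'];
$cookie = ['csrf_cookie_name' => '123'];
var_dump(double_submit_ok($post, $cookie));

// Case 2: cross-site form post from a browser; the field is guessed,
// the cookie is whatever the server issued earlier (constructed value).
var_dump(double_submit_ok($post, ['csrf_cookie_name' => 'server-issued-value']));

// Case 3: the same invented field checked against the session-bound token.
var_dump(session_bound_ok($post, $key, $sessionId));

// Case 4: a token the server issued for this session.
$issued = ['csrf_test_name' => issue_token($key, $sessionId)];
var_dump(session_bound_ok($issued, $key, $sessionId));
```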