CSRF Redirector

December 1 / 2015

Yes, this is a Cross-Site Request Forgery Redirector. If you are a fan of PHP, I am quite certain that you have heard of Chris Shiflett. He presented a CSRF Redirector: the idea is to re-route a GET request to one place into a POST request to another place, the target site. As Chris has turned off his service, I decided to rebuild it myself, for educational purposes only.

To recap: Alice had logged in to http://example.com and had an active session. Eve sent Alice a short but malicious link. That link rendered an HTML page containing a wicked, hidden iframe:

<iframe src="http://[target_site]/csrf_redirect.php?csrf=http://example.com/buy_process.php?pid=7|product=iPad2|price=899" style="display:none"></iframe>

The purpose of the malicious short link was to make a purchase silently in Alice's session. You can read more details in Chris Shiflett's write-up, CSRF attack.

I could not show the source code here because WordPress trimmed all of my HTML tags, but you can get it from:

Download PHP-CSRF Redirector

I hope this might help you realise how dangerous CSRF is. Enjoy!!
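As an added example (not the post's code and not Chris Shiflett's), here is how a server-side counterpart of buy_process.php can refuse the POST that the hidden iframe relays: it checks the request's Origin, or failing that its Referer, against its own site, and it demands a per-session synchronizer token that a page on another host cannot know. It is written in Python rather than PHP so it runs stand-alone; SITE_ORIGIN, the target-site.example host and the request dictionaries are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://example.com"  # the site that hosts buy_process.php


def issue_token(session: dict) -> str:
    """Mint a per-session synchronizer token; only the genuine form embeds it."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def origin_matches(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is ours.
    A POST relayed via csrf_redirect.php on [target_site] names that host."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: refuse a state-changing POST
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def token_matches(session: dict, form: dict) -> bool:
    """Constant-time compare of the submitted token with the session's copy."""
    expected, submitted = session.get("csrf_token"), form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def buy_process(session: dict, headers: dict, form: dict) -> str:
    """Hardened stand-in for buy_process.php; returns the outcome as text."""
    if not origin_matches(headers):
        return "rejected: cross-origin request"
    if not token_matches(session, form):
        return "rejected: missing or wrong csrf token"
    return f"purchased pid={form['pid']} {form['product']} for {form['price']}"


# Constructed sample input: Alice's session and the POST the hidden iframe
# relays to example.com (pid=7, product=iPad2, price=899, no token).
ALICE = {"user": "alice", "csrf_token": "a" * 64}
FORGED_HEADERS = {"Origin": "http://target-site.example"}
FORGED_FORM = {"pid": "7", "product": "iPad2", "price": "899"}
```

Either check alone stops the redirected request; keeping both means a browser that omits Origin on cross-site POSTs still cannot bypass the token.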
