Collecting ideas for a smoketest/demo


Mario Heiderich

Nov 23, 2007, 5:41:11 PM
to CSRFx
Hi!

It would be great to have a smoketest for CSRFx similar to the one
from PHPIDS. But I think setting up a usable and useful tool has quite
different requirements from a plain XSS test form.

Here's a feature proposal:

- Call Page 2 from Page 1
- Page 2 has an unguessable URL via a GET token created by CSRFx
- If Page 2 is called, the session is filled with a certain value,
indicated by a big red 'you did it' viewable on Page 1
- Page 2 listens to GET and POST, so Page 1 provides basic info, a
basic form and a reset button
- Page 1 provides jQuery for easier XHR

Any more ideas?
Greetings,
.mario
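
The two-page flow proposed above, as an added illustration that is not
code from the thread or from CSRFx (and in Python rather than CSRFx's
PHP, so it runs stand-alone). The session is modelled as a plain dict,
`issue_token` stands in for whatever CSRFx would generate, and the
page/handler names are assumed for the example. The point it shows
beyond the post: the token is drawn from the OS CSPRNG, compared in
constant time, fails closed when missing or malformed, and is
HTML-escaped before Page 1 embeds it in the link and the form.

```python
import hmac
import html
import secrets

TOKEN_BYTES = 16  # 128 bits of CSPRNG output, rendered as 32 hex chars


def issue_token(session):
    """Create the per-session token Page 2 will demand.
    Hypothetical stand-in for the token CSRFx would generate."""
    session["token"] = secrets.token_hex(TOKEN_BYTES)
    return session["token"]


def token_ok(session, supplied):
    """Constant-time check of the token a request carried against the one
    stored server-side. A missing session token, a missing or non-string
    request token, or a mismatch all fail closed."""
    expected = session.get("token")
    if not expected or not isinstance(supplied, str):
        return False
    # Encode first: compare_digest on str rejects non-ASCII with TypeError.
    return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def page1(session):
    """Page 1: status marker, a GET link and a POST form to Page 2, and a
    reset control. Issues a token on first visit; escapes it before use."""
    token = session.get("token") or issue_token(session)
    marker = ('<p style="color:red;font-size:2em">you did it</p>'
              if session.get("done") else "<p>not yet</p>")
    safe = html.escape(token, quote=True)
    return (
        "<h1>CSRFx smoketest</h1>" + marker
        + f'<a href="/page2?token={safe}">GET Page 2</a>'
        + '<form method="post" action="/page2">'
        + f'<input type="hidden" name="token" value="{safe}">'
        + '<input type="submit" value="POST to Page 2"></form>'
        + '<form method="post" action="/reset">'
        + '<input type="submit" value="reset"></form>'
    )


def page2(session, method, params):
    """Page 2: reachable via GET or POST, but only with a valid token.
    `params` is the already-parsed query string or form body (a dict).
    On success the session marker that Page 1 renders is set."""
    if method not in ("GET", "POST"):
        return 405, "method not allowed"
    if not token_ok(session, params.get("token")):
        return 403, "missing or invalid token"
    session["done"] = True
    return 200, "token accepted; go back to Page 1"


def reset(session):
    """Reset button: clear the marker and rotate the token."""
    session.pop("done", None)
    issue_token(session)
    return 200, "reset"


if __name__ == "__main__":
    s = {}
    print(page1(s))
    print(page2(s, "GET", {}))                    # 403: no token
    print(page2(s, "GET", {"token": s["token"]}))  # 200: marker set
    print("you did it" in page1(s))
```

One caveat worth carrying into the real demo: a token in a GET URL can
leak through the Referer header and server logs, so the POST path is the
one to treat as the reference behaviour; the GET path exists here only
because the proposal wants Page 2 to answer both.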

Mario Heiderich

Nov 23, 2007, 5:46:29 PM
to CSRFx
Also there could be a TEXTAREA which could be used to paste HTML code
to be displayed once on Page 1 after the submit. So it would be
possible to emulate HTML injection attempts resulting in possible
CSRF. XSS would be disabled on this page though. Just A and IMG with
HREF and SRC.

On 23 Nov., 23:41, Mario Heiderich <Mario.Heider...@googlemail.com>
wrote:
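
The allowlist the message above describes, as an added example that is
not code from the thread or from CSRFx (Python rather than PHP, so it
runs stand-alone): every tag except A with HREF and IMG with SRC is
dropped, any other attribute is dropped, and all text is escaped, so the
pasted fragment can only produce the cross-site GET requests the demo
wants to emulate. One restriction beyond what the post states, and
labelled as my own: the two URL attributes are limited to http(s) or
relative URLs, because a `javascript:` HREF or a `data:` SRC would
re-enable the XSS the page is meant to have switched off. The class and
function names are assumptions of the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> the single attribute it is allowed to keep (from the post)
ALLOWED = {"a": "href", "img": "src"}


def url_ok(value):
    """Accept only http(s) or relative URLs. This is the example's own
    tightening, not part of the post. Tab/CR/LF are removed before
    parsing because browsers ignore them inside a scheme, so a naive
    check would pass 'java\\tscript:' as a relative URL."""
    cleaned = "".join(c for c in value if c not in "\t\r\n").strip()
    return urlsplit(cleaned).scheme.lower() in ("", "http", "https")


class AllowlistFilter(HTMLParser):
    """Rebuilds the fragment from an allowlist instead of trying to
    blacklist dangerous constructs. Unknown tags vanish but their text
    survives; comments, declarations and processing instructions are
    dropped by the base class's no-op handlers."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_a = 0  # so a dropped <a> never leaves a stray </a>

    def handle_starttag(self, tag, attrs):
        wanted = ALLOWED.get(tag)
        if wanted is None:
            return
        value = dict(attrs).get(wanted)
        if value is None or not url_ok(value):
            return
        # Re-quote the value so it cannot break out of the attribute.
        self.out.append(f'<{tag} {wanted}="{html.escape(value, quote=True)}">')
        if tag == "a":
            self.open_a += 1

    def handle_endtag(self, tag):
        if tag == "a" and self.open_a:
            self.out.append("</a>")
            self.open_a -= 1

    def handle_data(self, data):
        # Text is always escaped, including the body of a <script> block,
        # whose tags were already dropped.
        self.out.append(html.escape(data, quote=False))

    def result(self):
        self.out.append("</a>" * self.open_a)  # close anything left open
        self.open_a = 0
        return "".join(self.out)


def filter_html(fragment):
    """Return the allowlisted rendering of a pasted TEXTAREA fragment."""
    parser = AllowlistFilter()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs: a CSRF-style image beacon (kept, minus
    # the handler), a javascript: link (dropped) and a script (neutered).
    for sample in (
        '<img src="http://victim/transfer?to=me&amp;amt=1" onerror="alert(1)">',
        '<a href="javascript:alert(1)">click</a>',
        "<script>alert(1)</script>",
    ):
        print(repr(filter_html(sample)))
```

The design choice here is to never echo the input: the output is
reconstructed from the parse tree, so anything the parser did not
explicitly emit cannot reach the page.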