Fun With CSRF

Live site with CSRF exploit

Info: I change a user's password & text via CSRF Many other things could have been done as you should be able to see in this video.

http://4filehosting.com/file/12235/funwithcsrf-rar.html

**the site has been patched, so don't go fcking with it…

just watched it. nice work;) hope you do another one because that one was quite good

Very nice XSS/CSRF!

Wouldn't it have been possible to create an XSS worm by making whoever viewed your profile post the same on their profile as well?

that's not possible?, the server has to use $_REQUEST for that to work, images are sent in $_GET aren't they? so you can't do a $_POST with images without the server using REQUEST…

quote me if im wrong :S

HackingForce wrote: that's not possible?, the server has to use $_REQUEST for that to work, images are sent in $_GET aren't they? so you can't do a $_POST with images without the server using REQUEST…

quote me if im wrong :S you're wrong. you CAN do it with post

just watched it. very cool. taught me things. excellent work.

Hey dude can you reup the vid?

Wow, good job necro-ing a thread thats been dead for a year and a half. Last Post ( 09-06-07 ) . Next time check before you post.

st3f0 wrote: Hey dude can you reup the vid?

Contact nights_shadow and ask him for funwithcsrf.avi. He'll sort you out.