[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] JSON-RPC Cross-Site Request Forgery little exploitation trick

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] JSON-RPC Cross-Site Request Forgery little exploitation trick
From: DefenseCode <defensecode@xxxxxxxxxxxxxxx>
Date: Mon, 08 Oct 2012 00:21:29 +0200

Hi,

During penetration-test contract, we came across CSRF in JSON-RPC basedweb application.

Brief google search revealed some people saying that CSRF in JSON is hard
to exploit, and that these vulnerabilities can be ignored.
In fact, it's not that hard to exploit...

Here is how we exploited it - little trick about CSRF attacks onJSON-RPC based web applications.

Maybe it'll be useful to someone.

http://blog.defensecode.com/2012/09/cross-site-request-forgery-against.html

Regards
--
DefenseCode Team
ThunderScan - Audit your Web Application Source Code For Vulnerabilities
http://www.defensecode.com/subcategory/thunderscan-8

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Multiple vulnerabilities in Megapolis.Portal Manager
Next by Date: [Full-disclosure] [SECURITY] [DSA 2556-1] icedove security update
Previous by thread: [Full-disclosure] Multiple vulnerabilities in Megapolis.Portal Manager
Next by thread: [Full-disclosure] [SECURITY] [DSA 2556-1] icedove security update
Index(es):
- Date
- Thread