[WEB SECURITY] CSRF Attacks on Network Devices
mustlive at websecurity.com.ua
Thu Feb 23 16:55:55 EST 2012
Hello participants of Mailing List.
In April 2011 I've published to the list my article "Attacks on unprotected
In this article I've told you about different possible attacks on login
forms. Such attacks can be conducted on login forms of web applications,
including the control panels of network devices. And in 2011, besides
disclosing many vulnerabilities in different web applications concerned with
authentication forms, I've also disclosed many vulnerabilities in network
devices, such as routers and Wi-Fi access points.
One of the attacks on login form, which I've describe in the article - it's
CSRF attack for remote login. The attackers can use it to make sure, that
the victim is logged into the control panel for making further attacks on
different functionalities of the control panel. And during my disclosures of
vulnerabilities in network devices I showed such examples of CSRF holes in
login forms of the control panels of these devices (in my article I
mentioned that almost all network devices can be vulnerable to such CSRF,
like a lot of them are vulnerable to CSRF inside of the control panel).
And in my new article I've described this topic in details (with examples of
attacks on vulnerabilities in real network devices). So for everyone who is
interested in this topic I want to inform, that last week in the magazine
PenTest Extra 02/2012 was released my new article CSRF Attacks on Network
I've described two scenarios of the attacks and showed exploits for them. In
the first scenario the attacker will do part of the actions remotely and
part manually in admin panel, and in the second scenario the attacker will
do all the actions remotely.
You can download a teaser of this issue of the magazine with my article
There is a fragment of the article in it and you can read full version of
the article in the magazine. I hope it will be interesting for you.
As you can see, guys and gals, starting from this year I've moved to publish
my articles in PenTest magazine, and so minimized publications of my
articles to the list ;-). It can be good for some readers of the list, but
from other side, it will be good for the readers of the magazine.
Best wishes & regards,
Administrator of Websecurity web site
More information about the websecurity