websecurity@lists.webappsec.org

The Web Security Mailing List


Re: [WEB SECURITY] JSON-RPC Cross-Site Request Forgery little exploitation trick

MustLive
Wed, Oct 17, 2012 8:56 PM

Hello DefenseCode Team!

I found your letter and the topic of your article interesting.

First, even hard-to-exploit vulnerabilities should be fixed, like all
vulnerabilities.

Second, concerning CSRF in JSON-RPC based web applications.

All web applications which use XML-RPC (such as WordPress and other CMS)
and/or JSON-RPC, which I saw, were not using authorization state and so were
not vulnerable to CSRF attacks. Like those web applications at the web site of
one of my clients (a Ukrainian electronic money system and payment card
processor), for which I did a pentest at the beginning of 2012. These web
applications supported both XML-RPC and JSON-RPC and were immune to CSRF.
Because they have no authorization state (only authentication) and so a
priori can't be attacked via CSRF (and so have no CSRF vulnerabilities).

So it was interesting which webapp you are talking about. From your article
nothing can be seen concerning authentication and authorization. So it
looks like this webapp is receiving requests from an authenticated user and
checks authorization by other means (like cookies). In this case such a CSRF
attack, as described by you, is possible (like in any ordinary webapp). But, as
I've said, all XML-RPC and/or JSON-RPC based web applications which I saw
had no problems with CSRF (were immune to it), because every request must
carry a username and password. But instead of CSRF these webapps faced
Insufficient Anti-automation vulnerabilities ;-).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
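The two authorization models MustLive contrasts above (credentials carried in every JSON-RPC call versus a session cookie alone), plus the hardened cookie-session variant a defender would want, modelled in Python as an added example. This is not code from the thread, from DefenseCode or from any of the applications mentioned; the `Request` class, the `USERS` table, the `TRUSTED_ORIGINS` set, the `X-Requested-With` convention and the sample requests are all constructed for illustration.

```python
"""Toy JSON-RPC dispatcher contrasting stateless (credentials per call)
authorization with cookie-session authorization, and a hardened session variant.

Everything here is constructed: the Request type, the user table, the trusted
origin list and the sample requests are illustration only, not a real API.
"""
import json
from dataclasses import dataclass

# Constructed user table: username -> password (plain text only because this is a toy).
USERS = {"alice": "correct horse"}

# Origins from which the site itself serves pages (constructed).
TRUSTED_ORIGINS = {"https://app.example"}


@dataclass
class Request:
    headers: dict   # HTTP request headers as the server sees them
    cookies: dict   # cookies the browser attached
    body: str       # raw request body


def _parse_rpc(body):
    """Return (method, params) for a JSON-RPC 2.0 call, or None if malformed."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or "method" not in msg:
        return None
    params = msg.get("params")
    # JSON-RPC allows positional (list) params; only named params can carry credentials here.
    return msg["method"], params if isinstance(params, dict) else {}


def dispatch_stateless(req):
    """Model 1 (the apps MustLive audited): no server-side authorization state.
    Every call must carry login and password in its params, so a browser-forged
    request that only has the victim's cookies is rejected."""
    parsed = _parse_rpc(req.body)
    if parsed is None:
        return {"error": "invalid request"}
    method, params = parsed
    user, pw = params.get("login"), params.get("password")
    if user not in USERS or USERS[user] != pw:
        return {"error": "unauthorized"}
    return {"result": f"{method} executed for {user}"}


def dispatch_session(req):
    """Model 2: the session cookie alone authorizes the call. This is the
    situation MustLive says makes JSON-RPC CSRF-able like any ordinary webapp,
    because the browser attaches the cookie to cross-site requests too."""
    parsed = _parse_rpc(req.body)
    if parsed is None:
        return {"error": "invalid request"}
    user = req.cookies.get("session")
    if user not in USERS:
        return {"error": "unauthorized"}
    method, _ = parsed
    return {"result": f"{method} executed for {user}"}


def dispatch_session_hardened(req):
    """Model 2 with CSRF defences layered in front of the cookie check:
    (a) the body must be declared application/json,
    (b) the Origin header must name one of the site's own origins,
    (c) a custom header must be present (cross-site it would require CORS preflight)."""
    ctype = req.headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return {"error": "unsupported content type"}
    if req.headers.get("Origin") not in TRUSTED_ORIGINS:
        return {"error": "untrusted origin"}
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        return {"error": "missing custom header"}
    return dispatch_session(req)


# Constructed sample calls.
PLAIN_CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "transfer",
                         "params": {"to": "bob", "amount": 10}})
CREDENTIALED_CALL = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "transfer",
                                "params": {"login": "alice", "password": "correct horse",
                                           "to": "bob", "amount": 10}})

# As the site's own JavaScript would send it: JSON content type, own origin, custom header.
same_origin = Request(
    headers={"Content-Type": "application/json", "Origin": "https://app.example",
             "X-Requested-With": "XMLHttpRequest"},
    cookies={"session": "alice"},
    body=PLAIN_CALL,
)

# A cross-origin request carrying the victim's cookie (constructed test case): the browser
# attaches the cookie, but the headers are those of a foreign origin and no custom header is set.
cross_site = Request(
    headers={"Content-Type": "text/plain", "Origin": "https://other.example"},
    cookies={"session": "alice"},
    body=PLAIN_CALL,
)

# Stateless call with credentials in the params and no cookies at all.
stateless_call = Request(headers={}, cookies={}, body=CREDENTIALED_CALL)
```

Running the three dispatchers over `cross_site` shows the point of the thread: the cookie-only model executes the forged call, the credentials-per-call model rejects it for lack of a login and password, and the hardened session model rejects it at the content-type check before the cookie is ever consulted. The hardened variant still accepts `same_origin`, so legitimate first-party use is unaffected.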

[WEB SECURITY] JSON-RPC Cross-Site Request Forgery little exploitation trick
DefenseCode defensecode at defensecode.com
Sun Oct 7 18:21:29 EDT 2012

Hi,

During a penetration-test contract, we came across CSRF in a JSON-RPC based
web application.
A brief Google search revealed some people saying that CSRF in JSON is hard
to exploit, and that these vulnerabilities can be ignored.
In fact, it's not that hard to exploit...
Here is how we exploited it - a little trick about CSRF attacks on
JSON-RPC based web applications.
Maybe it'll be useful to someone.

http://blog.defensecode.com/2012/09/cross-site-request-forgery-against.html

Regards

DefenseCode Team
ThunderScan - Audit your Web Application Source Code For Vulnerabilities
http://www.defensecode.com/subcategory/thunderscan-8
