Adding an extra token for protection against CSRF attacks will only work if it is changed on each request. Some of the biggest sites out there do not do this. I know of one site in particular (I won't name it, but it's HUGE) that generates a unique token every time a user logs in. The token doesn't change until the user logs out; even if the user closes the browser and doesn't go back to the site for a week, the token will be the same. So it does its job, until somebody like me pokes around and finds a hole that will parse out that token and generate a form that can make any request on behalf of that user in an iframe without that user knowing a thing. Evil, yes, but I found this months ago, and it still works, and I haven't used it in any way besides a proof of concept.
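To make the distinction in the comment above concrete, here is an added example (editor's illustration, not code from the commenter or from any real site) of a toy server-side CSRF token store. The class name, method names and session ids are all made up for the demonstration. With `rotate_per_request=False` it behaves like the per-login token described above: a token harvested once stays valid until logout. With `rotate_per_request=True` a harvested token is rejected as soon as the victim makes one more legitimate request. Note that rotation only narrows the window; a token harvested and used immediately still succeeds in both modes, so the leak that exposes the token is the bug that actually needs closing.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple


class CsrfGuard:
    """Toy CSRF token store (constructed example, not any real site's code).

    rotate_per_request=False: the token is minted at login and stays valid
    until logout, as in the comment above.
    rotate_per_request=True: every successfully validated request replaces
    the token, so an earlier harvested copy goes stale.
    """

    def __init__(self, rotate_per_request: bool) -> None:
        self.rotate_per_request = rotate_per_request
        self._tokens: Dict[str, str] = {}  # session id -> currently expected token

    def login(self, session_id: str) -> str:
        """Mint a fresh, unguessable token for this session."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def logout(self, session_id: str) -> None:
        self._tokens.pop(session_id, None)

    def current_token(self, session_id: str) -> Optional[str]:
        """What a legitimate page for this session would embed in its forms."""
        return self._tokens.get(session_id)

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        """Check a state-changing request; rotate the token if configured to."""
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison: a plain == leaks token bytes via timing.
        if not hmac.compare_digest(expected, submitted):
            return False
        if self.rotate_per_request:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return True


def replay_after_victim_activity(rotate_per_request: bool) -> Tuple[bool, bool]:
    """Simulate the scenario from the comment.

    Returns (forged request accepted immediately,
             same harvested token accepted after the victim's next request).
    """
    guard = CsrfGuard(rotate_per_request)
    sid = "victim-session"  # hypothetical session identifier
    harvested = guard.login(sid)  # attacker has parsed this token out of a page

    # Forged request sent while the victim's session is still alive.
    immediate = guard.validate(sid, harvested)

    # Victim makes one ordinary request using the token the server currently expects.
    guard.validate(sid, guard.current_token(sid))

    # Attacker replays the harvested token.
    later = guard.validate(sid, harvested)
    return immediate, later


if __name__ == "__main__":
    print("per-login token:  ", replay_after_victim_activity(False))
    print("per-request token:", replay_after_victim_activity(True))
```

Run it and the per-login store returns `(True, True)`: the harvested token keeps working for the life of the session. The per-request store returns `(True, False)`: the forged request that lands first still succeeds, but once the victim's next request rotates the token, the harvested copy is dead.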
I'm getting it on the same domain, but the request can be sent from any domain, as long as the user is logged in. And yeah, but they aren't offering anything that would be worth the time.
I think I know what site you're talking about. If I'm right, they do have a security bug bounty reporting program and you should take advantage of it: it will take maybe two minutes of your time and can net you a bit of cash! :-)
(sorry for being oblique, but I have no way to contact you privately and ask you more directly!)