HTML form without CSRF protection
Vulnerability description
- This alert may be a false positive; manual confirmation is required.
- Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
- Acunetix WVS found an HTML form with no apparent CSRF protection implemented. Consult the details below for more information about the affected HTML form.
- This vulnerability affects /formtest/form.cfm.
- Discovered by: Crawler.
Attack details
- Form name: <empty>
- Form action: http://od/formtest/form_action.cfm
- Form method: POST
- Form inputs:
  - token [Hidden]
  - username [Text]
  - userpass [Password]
  - login [Submit]
Request
    GET /formtest/form.cfm HTTP/1.1
    Pragma: no-cache
    Acunetix-Aspect: enabled
    Acunetix-Aspect-Password: 082119f75623eb7abd7bf357698ff66c
    Acunetix-Aspect-Queries: filelist;aspectalerts
    Cookie: JSESSIONID=84307a2a1f386954cda232165516344e6c30
    Host: od
    Connection: Keep-alive
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
    Accept: */*
Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Thu, 16 Aug 2012 16:15:55 GMT
    Content-Length: 944
The impact of this vulnerability
- An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, it can compromise the entire web application.
How to fix this vulnerability
- Check whether this form requires CSRF protection and implement CSRF countermeasures if necessary.
- Note that the form already carries a hidden input named token; manual confirmation should verify whether that value is an unpredictable, per-session anti-CSRF token that the server validates on submission, in which case this alert is a false positive.