Using Parameter Pollution and Clickjacking to Aid Anti-CSRF Bypass

Thursday, March 11, 2010

Cross-Posted from Robert "RSnake" Hansen's blog at:
http://ha.ckers.org/blog/20100311/using-parameter-pollution-and-clickjacking-to-aid-anti-csrf-bypass/

It’s been a while since I’ve talked about Clickjacking, with only a few exceptions here and there, mostly because I haven’t seen it much in the wild - at least not yet. But there’s still a lot of research out there to be done. I got an interesting email the other day that talked about a way to use parameter pollution (or a mix of URL parameters and POST parameters) to create a condition where you can defeat CSRF tokens:

The technique, found by Lava Kuppan, describes a scenario where a mix of CSRF, parameter pollution and Clickjacking can defeat CSRF tokens in JSP and (sometimes) in ASP.NET. It’s worth a read. I did briefly mention using CSRF to pre-populate fields that may be necessary to set up a Clickjacking scenario during Jeremiah’s and my brief talk at the world OWASP event in New York. But this takes it to a new level, where you can pre-load information in such a way that it actually defeats the application logic in the process. Anyway, cool stuff by Lava.
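The core of the problem is that when the same parameter name arrives both in the URL query string and in the POST body, each framework has its own rule for which value "wins", and a token check that quietly picks one of them is making a choice the attacker can influence. The following added example (mine, not code from the original post or from Kuppan's research) shows, in a framework-neutral way, how different resolution rules turn one polluted request into different token values, and then a validation routine that refuses the ambiguity outright: the token must come from the body only, exactly once, and is compared in constant time. The parameter name `csrf_token`, the sample values, and the three resolution strategies are constructed for illustration; real servlet and ASP.NET containers apply their own rules, which is exactly why a check should not depend on them.

```python
from urllib.parse import parse_qs
import hmac


def collect_params(query_string, body):
    """Merge URL query and form body into name -> list of values.

    Order is preserved: query-string values first, then body values,
    which mirrors how a polluted request looks before a framework
    decides which occurrence to hand back to application code.
    """
    merged = {}
    for source in (parse_qs(query_string, keep_blank_values=True),
                   parse_qs(body, keep_blank_values=True)):
        for name, values in source.items():
            merged.setdefault(name, []).extend(values)
    return merged


def resolve(params, name, strategy):
    """Pick a single value for a possibly duplicated parameter.

    The three strategies are constructed stand-ins for the kinds of rules
    frameworks apply (first occurrence, last occurrence, or all values
    joined). The point is that the same request yields different tokens
    depending on which rule the platform happens to use.
    """
    values = params.get(name, [])
    if not values:
        return None
    if strategy == "first":
        return values[0]
    if strategy == "last":
        return values[-1]
    if strategy == "join":
        return ",".join(values)
    raise ValueError("unknown strategy: %r" % strategy)


def validate_csrf(query_string, body, session_token, token_name="csrf_token"):
    """Return (ok, reason) for a state-changing request.

    Defensive rules, independent of the container's pollution behaviour:
      1. a token in the URL is rejected (it must never be query-supplied);
      2. the body must carry the token exactly once (no duplicates);
      3. the single value is compared to the session token in constant time.
    """
    in_query = parse_qs(query_string, keep_blank_values=True).get(token_name, [])
    in_body = parse_qs(body, keep_blank_values=True).get(token_name, [])
    if in_query:
        return False, "token supplied in URL"
    if len(in_body) != 1:
        return False, "token missing or duplicated in body"
    if not hmac.compare_digest(in_body[0], session_token):
        return False, "token mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed polluted request: one token in the URL, another in the body.
    polluted = collect_params("csrf_token=AAA", "csrf_token=BBB&amount=10")
    for strategy in ("first", "last", "join"):
        print(strategy, "->", resolve(polluted, "csrf_token", strategy))
    # The strict validator refuses the same request regardless of strategy.
    print(validate_csrf("csrf_token=AAA", "csrf_token=BBB&amount=10", "AAA"))
    print(validate_csrf("", "csrf_token=AAA&amount=10", "AAA"))
```

The usage at the bottom prints `AAA`, `BBB` and `AAA,BBB` for the three strategies on the same request, then shows the strict validator rejecting it with "token supplied in URL" while accepting a clean body-only submission. Rejecting duplicates rather than resolving them is the cheap defence here: it removes the attacker's ability to make the server and the user's browser disagree about which token was sent.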
