Posted by Kevin D. on 02/10/06 23:30
"Justin Koivisto" <justin@koivi.com> wrote in message
news:94-dnT4srOt-JHHeRVn-vw@onvoy.com...
> Justin Koivisto wrote:
>>
>> When I get in to the office, I'll set up a simple little form for
>> testing this out again. However, the first tests I ran didn't work at
>> all. Maybe I'll post the URL of the test form for others to take a try
>> at. ;)
>
> OK, I worked on this a bit, and I have been able to spoof through this.
> I will release some details and proof of concept when I have some more
> time (maybe tomorrow).
>
> --
> Justin Koivisto, ZCE - justin@koivi.com
> http://koivi.com
I'm very curious to see how you did spoof it... My own theory to spoof this
method is to manually create the session (cookie) on your own machine.
In other words, the check you presented only works because the hidden form
token (which is easily copied and pasted onto the "spoofing" server) matches
the session token (I'm assuming this is stored in a cookie on the submitting
client).
I have no idea what it would take to manually create this cookie on your own
client, however.
- Kevin
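As an added illustration of the check Kevin describes (example code, not from the thread or either poster): the hidden form token is only accepted when it matches the token stored server-side in the submitter's own session, so a token copied from someone else's page is rejected unless the matching session cookie is presented too. The in-memory session store, field names and function names are assumptions made for this example.

```python
import hmac
import secrets

# Constructed stand-in for server-side session storage:
# maps session id (the cookie value) -> session data.
sessions = {}

def start_session():
    """Create a new session and return its id (what the cookie would carry)."""
    sid = secrets.token_hex(16)
    sessions[sid] = {}
    return sid

def issue_form_token(sid):
    """Generate a fresh token, keep it in this session, return it for the hidden field."""
    token = secrets.token_hex(16)
    sessions[sid]["form_token"] = token
    return token

def validate_submission(sid, form):
    """True only if the posted token matches the token held in *this* session.

    The token is consumed on use, so a replay of the same token fails.
    """
    session = sessions.get(sid)
    if session is None:
        return False                      # no valid session cookie at all
    expected = session.pop("form_token", None)
    submitted = form.get("token")
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time compare

def demo():
    victim = start_session()
    tok = issue_form_token(victim)
    legit = validate_submission(victim, {"token": tok})        # same session: accepted
    replay = validate_submission(victim, {"token": tok})       # token already consumed
    tok2 = issue_form_token(victim)
    other = start_session()
    copied = validate_submission(other, {"token": tok2})       # copied token, other session
    no_cookie = validate_submission("missing", {"token": tok2})  # no session presented
    return legit, replay, copied, no_cookie
```

The copied-token case only succeeds if the submitter also presents the victim's session cookie, which is exactly the cookie Kevin wonders about recreating.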