
Nonce nonsense.


pornophobic


Regarding CSRF, if I were to have a web-server-type setup with curl capabilities on the very same computer/server that I’m accessing the site from, I could then use curl to fetch the page and scrape for the nonce before it’s expired.

This is all theory, as I’ve had a script I’ve tried this on with different levels of CSRF protection (premade), and I was still able to create a bot for content generation that would log in to the site with CSRF set to maximum protection (no multiple tabs, etc.). I would simply spoof the user agent and grab the needed nonce for submitting to the next page.

I did this all using PHP, directly using cURL through the command line from the script, and was able to generate forum/news posts, upload pictures and pretty much spam my own site (which did happen during the testing of this bot :D).

I’m new to CSRF and working on my own script with hopes to keep it secure. Using nonces seems kind of redundant this way, doesn’t it? It’s easy to spoof user agents and referers using just curl. If I really wanted to automate requests and all that, I could easily get to it on any other site if I were using this method.

Since I am still learning about the whole of CSRF protection, is there any suggested reading on the subject, besides this site and Google searching, that any of you could suggest?

Also, are there methods of preventing what I just mentioned above?

I've done some extensive research into using curl and am pretty handy with using it now; I just haven't put effort into preventing forged requests using curl.

I mainly did it for the purpose of learning methods of email scraping, password hijacking, etc. I've figured out how to prevent the email scraping, but for any other things I would like input from others who are probably more experienced than myself. Thanks in advance.


True, but what's more is that what you have described is something like a Trojan and a CSRF combined. Not only have you stolen the nonce, but you are also coming from the same IP, the same UA, the same everything. You essentially are the user. The beauty of a "good" CSRF is that you can embed it into an image or something so that even a remote user you're not familiar with can be attacked by it. Yours is an extreme case that is less than favorable to the amateur hacker, and I would like to remind you that every system can be compromised (unless of course it's not plugged in! haha).

I would think a better vector would be to use Wireshark or something to catch the nonce, if it's not HTTPS. Otherwise yours would probably be one of the few ways to pull that exploit off.

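The question in the first post ("are there methods of preventing what I just mentioned above?") and the reply's point that a client holding the victim's own session is "essentially the user" both come down to what a CSRF nonce is actually for: it stops a page on another origin, which cannot read your site's responses, from submitting a valid state-changing request. The following is an added example, not code from the thread or from any poster, written in Python rather than the PHP the first post mentions. It shows a session-bound HMAC token (synchronizer token pattern) plus an Origin/Referer check. The site origin `https://example.test`, the session ids and the request dictionaries are constructed placeholders; the function names are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Server-side secret used to bind tokens to sessions. Generated here so the
# example runs stand-alone; a real deployment loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)

# Hypothetical site origin for the example.
SITE_ORIGIN = "https://example.test"


def issue_csrf_token(session_id: str, secret: bytes = SECRET_KEY) -> str:
    """Mint a token of the form <nonce>.<hex HMAC(secret, session_id:nonce)>.

    The nonce makes every token unguessable; the MAC ties it to one session,
    so a token lifted from another session (or no token at all) is rejected.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str], secret: bytes = SECRET_KEY) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def same_origin(header_value: str, site_origin: str) -> bool:
    """True when scheme and host[:port] of an Origin/Referer value match the site.

    Full URL parsing rather than a prefix match, so that a host such as
    example.test.evil.test does not pass as example.test.
    """
    got, want = urlsplit(header_value), urlsplit(site_origin)
    return bool(got.scheme) and (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_state_changing_request(headers: Dict[str, str], form: Dict[str, str],
                                 session_id: str, site_origin: str = SITE_ORIGIN) -> Tuple[bool, str]:
    """Gate for any POST that changes state. Returns (allowed, reason).

    Policy: if the browser sent Origin or Referer it must be ours, and the
    token must verify against the session the request's cookie resolved to.
    session_id stands in for whatever the framework recovered from that cookie.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if source is not None and not same_origin(source, site_origin):
        return False, "cross-origin source"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample traffic.
    alice = "sess-alice"
    token = issue_csrf_token(alice)
    # Same-origin form carrying the token the page embedded: allowed.
    print(check_state_changing_request({"Origin": SITE_ORIGIN}, {"csrf_token": token}, alice))
    # Auto-submitting form hosted elsewhere: browser sends that site's Origin and no usable token.
    print(check_state_changing_request({"Origin": "https://attacker.test"}, {}, alice))
    # Token copied from a different session, presented with Alice's cookie: rejected.
    print(check_state_changing_request({"Origin": SITE_ORIGIN},
                                       {"csrf_token": issue_csrf_token("sess-bob")}, alice))
```

Read against the thread: the first poster's curl bot passes this check, because it presents the real session cookie and a token it fetched with that same cookie, which is what the reply means by "you essentially are the user"; that is an authenticated client automating its own session, not a forged request. The check does its job against the case the reply calls a "good" CSRF: a form or image tag on another origin, which can trigger the request but cannot read the page to obtain the token and cannot hide its Origin. Marking the session cookie `SameSite=Lax` (or `Strict`) adds a second, independent layer.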
