Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is CSRF possible without Cookies?

Tags:

http

cookies

csrf

I have been investigating this for some time, but I haven't found anything to satisfy my curiosity. Is it possible, as a user, to be the victim of a CSRF attack if cookies are disabled. Obviously CSRF depends on the users browser to send the user's credentials with the forged request to the legitimate server. Besides IP addresses, browsers don't automatically send in any other session values do they? In that case, as long as a user can login with cookies disabled, they would be safe from CSRF even on vulnerable websites.

like image 587
grossmae Avatar asked Sep 17 '10 01:09

grossmae


1 Answers

So, you have to ask yourself how does the server know one client from another? In majority of cases, it is the session cookie, but there are other ways as well.

Consider an admin application, that is configured to work only if accessed from localhost. Here, the server is trusting the IP Address of the browser. Now, if an attacker creates a page like <img src="http://localhost/do/something/harmful"/>, and somehow gets the administrator to visit his page, you have a CSRF.

Other examples include abusing Http basic and digest authentication, as Bruno already pointed out.

like image 75
Sripathi Krishnan Avatar answered Sep 28 '22 00:09

Sripathi Krishnan