
I am testing an application that doesn't use anti-CSRF tokens for its requests. There are no users defined for this application either. In that case, how do I carry out testing for CSRF in this particular application?

user3601346

1 Answer

Related: CSRF protection for unauthenticated requests, actions, searches or comments?

This question is not a duplicate as you are asking how to test for it.

In just the same way you would test for normal CSRF. Instigate a request to the server that would simulate the request arriving cross-domain. That is:

  • Origin and Referer headers appropriately set.
  • No headers present that cannot be set cross-domain (e.g. X-Requested-With).
  • No tokens present that an attacker cannot determine without crossing origins in the browser session.

Of course you can always test for it by actually hosting your own page to make a cross-domain request to the site you are testing (being careful to strip any additional tokens that wouldn't be known of course).

SilverlightFox
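As an added, runnable illustration of the procedure the answer describes (this is not the answerer's code), the script below rewrites a captured same-origin request the way a browser would send it from another site: Origin and Referer point at a foreign origin, headers a cross-origin page cannot add (here `X-Requested-With`) are dropped, and form fields an attacker could not know (here `csrf_token`) are removed. It then replays both variants against a constructed loopback endpoint whose `checks_origin` flag toggles an Origin-header mitigation, so the same check reports the unprotected and the protected case; the hostnames, header list and field names are assumptions for the demo.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse, request as urlrequest
from urllib.error import HTTPError

SITE = "http://127.0.0.1"               # origin of the (demo) application under test
NON_FORGEABLE = ("x-requested-with",)   # headers a cross-origin page cannot add
TOKEN_PARAMS = ("csrf_token",)          # form fields an attacker cannot know

def as_cross_origin(headers, params, attacker="https://attacker.example"):
    """Rewrite a captured request as a browser would send it from another site."""
    h = {k: v for k, v in headers.items() if k.lower() not in NON_FORGEABLE}
    h["Origin"] = attacker
    h["Referer"] = attacker + "/"
    p = {k: v for k, v in params.items() if k not in TOKEN_PARAMS}
    return h, p

def send(url, headers, params):
    """POST the form and return the HTTP status (proxies disabled for loopback)."""
    opener = urlrequest.build_opener(urlrequest.ProxyHandler({}))
    req = urlrequest.Request(url, data=parse.urlencode(params).encode(),
                             headers=headers, method="POST")
    try:
        return opener.open(req).status
    except HTTPError as e:
        return e.code

def is_csrf_vulnerable(url, headers, params):
    """True when the cross-origin variant is accepted exactly like the genuine one."""
    baseline = send(url, headers, params)
    forged = send(url, *as_cross_origin(headers, params))
    return baseline == forged

class Handler(BaseHTTPRequestHandler):
    """Constructed demo endpoint; checks_origin=True enables the mitigation."""
    checks_origin = False
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        origin = self.headers.get("Origin")
        ok = not self.checks_origin or origin is None or origin.startswith(SITE)
        self.send_response(200 if ok else 403)
        self.end_headers()
    def log_message(self, *args):
        pass

def start_server(checks_origin):
    """Start the demo endpoint on a free loopback port; return its POST URL."""
    cls = type("DemoHandler", (Handler,), {"checks_origin": checks_origin})
    srv = HTTPServer(("127.0.0.1", 0), cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/comment"
```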