Digg.com transparent iframe CSRF PoC

27 May 2008


As I promised here yesterday, here is your working PoC:

A page that diggs itself
Or a local example, http://own-the.net/poc/digg_csrf/index.html

Works on IE and Firefox, but not in Opera. A simple USER_AGENT check could solve the problem, though. I just didn't want to re-measure the whole thing.

View the source to see all the inner workings of the PoC. I used two divs with a high z-index above the iframe to block clicks on unwanted parts of the page. Come to think of it, that is a pretty important thing to do.

Play with the "opacity" settings in the CSS to see the positioning of the blocks. The code is commented, so I guess it won't be too hard to alter. I won't get into the "math" used for the absolute-positioning of everything, as it's also in the comments.
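On the defensive side, the fix for this kind of transparent-iframe overlay is for the framed site to refuse to be framed by foreign origins: the `X-Frame-Options` header and the CSP `frame-ancestors` directive, both of which postdate this post, plus the older in-page frame-busting check. The following is an added example, not code from the original PoC or from Digg; it models the decision a browser makes from those headers, with constructed origins and header values.

```javascript
// Added example: decide whether a response may render inside a frame.
// Browser precedence: a CSP frame-ancestors directive, when present,
// overrides X-Frame-Options entirely. Origins are "scheme://host[:port]".

function parseFrameAncestors(csp) {
  // Returns the frame-ancestors source list, or null if the directive is absent.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

function sourceMatches(source, ancestorOrigin, pageOrigin) {
  // Simplified CSP source matching: 'none', *, 'self', "*.host" wildcards,
  // and exact origin or bare-host entries (scheme upgrades are not modelled).
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return ancestorOrigin === pageOrigin;
  const host = ancestorOrigin.replace(/^[a-z]+:\/\//i, '');
  if (source.startsWith('*.')) return host.endsWith(source.slice(1));
  return source === ancestorOrigin || source === host;
}

function framingAllowed(headers, pageOrigin, ancestorOrigins) {
  // headers: object keyed by lower-case header name.
  // ancestorOrigins: every frame above the page; all of them must be permitted
  // (modern browsers check the full ancestor chain, not only the top window).
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (ancestors !== null) {
    return ancestorOrigins.every(a => ancestors.some(s => sourceMatches(s, a, pageOrigin)));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return ancestorOrigins.every(a => a === pageOrigin);
  // No header at all: the state this PoC relies on. Any site may frame the page.
  return true;
}

// Legacy in-page defense from before those headers existed. A hostile parent
// can interfere with it, so it complements the headers rather than replacing them.
function isFramed(win) {
  return win.self !== win.top;
}
if (typeof window !== 'undefined' && isFramed(window)) {
  document.documentElement.style.display = 'none';
  window.top.location = window.self.location;
}
```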

Don't forget to comment if you've got any thoughts or suggestions.

Posted by: kGen | In category: CSRF (XSRF) | Comments (3)