web application security lab

CSRF with Word Part II

Okay, I didn’t write Part I, and really didn’t even know about it until today, although I invented something like it months and months ago. The first person to talk about CSRF within Word was Michael Daw. Very interesting concept. In the context where I was using a similar technique, I was using it primarily as a web bug. Michael Daw’s technique is good, but I like mine better: it’s probably just as noisy on the wire, but it leaves no visible cues for the victim.

Michael includes a remote image (I’ve had mixed luck trying this myself). My failures in trying nearly the exact same thing were fixed when I came up with another way to inject embedded files into Word: those files were actually CSS elements that Word will happily go and fetch for you. Click here to get the scoop on how to inject CSS files into Word. Using this same technique, you can easily turn this into a complex platform for doing many CSRFs through a single Word file. See what happens when no one tells me about these things? Sheesh! Nice work, Michael; I just wish I had seen it when it came out!
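From the defender’s side, the giveaway is that such a .doc is really Word HTML whose HEAD or BODY points at resources on a remote host that Word fetches on open. The following scanner is an added example, not RSnake’s or Michael Daw’s code; the sample document and the tracker.example host are constructed for illustration.

```python
import html.parser
from urllib.parse import urlparse

# Constructed sample: a Word "HTML" document (the kind renamed to .doc) that
# pulls a stylesheet and an image from a remote host when Word opens it.
SAMPLE_DOC = """<html xmlns:o="urn:schemas-microsoft-com:office:office"
xmlns:w="urn:schemas-microsoft-com:office:word">
<head>
<meta name="ProgId" content="Word.Document">
<link rel="stylesheet" href="http://tracker.example/style.css?id=42">
</head>
<body><p>Quarterly report</p>
<img src="http://tracker.example/pixel.gif">
<img src="cid:local-image-001">
</body></html>"""

REMOTE_SCHEMES = {"http", "https"}
# Tag/attribute pairs that cause a fetch when the document is rendered
FETCH_ATTRS = {"link": "href", "img": "src", "iframe": "src",
               "script": "src", "object": "data"}


class RemoteRefParser(html.parser.HTMLParser):
    """Collects (tag, url) for every attribute that points at a remote resource."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value and urlparse(value).scheme.lower() in REMOTE_SCHEMES:
                self.refs.append((tag, value))


def is_word_html(doc_text):
    """True if the text carries Word's HTML markers (namespace or ProgId META)."""
    return ("schemas-microsoft-com:office:word" in doc_text
            or 'content="Word.Document"' in doc_text)


def find_remote_refs(doc_text):
    """Return every (tag, url) pair that would trigger a remote fetch on open."""
    parser = RemoteRefParser()
    parser.feed(doc_text)
    parser.close()
    return parser.refs


if __name__ == "__main__":
    for tag, url in find_remote_refs(SAMPLE_DOC):
        print(f"remote fetch via <{tag}>: {url}")
```

Run it over inbound .doc attachments after checking `is_word_html`; any hit on a host outside your own domains is a web bug or CSRF trigger waiting for the recipient to open the file.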

2 Responses to “CSRF with Word Part II”

  1. Operation n » CSRF in MSWord Part II Says:

    […] RSnake decided to play a little with this idea and has published “CSRF with MSWord Part II” where he has uncovered a really neat way to backdoor .doc files by adding HTML into the META section of the document. This reminds me a lot of the technique used by pdp in Backdooring Quicktime. I haven’t tested this yet but am already getting ideas… […]

  2. Rod Divilbiss Says:

    Might as well add a parameter to keep track of your Word Web Bugs.

    And don’t forget to modify the document properties before renaming to .doc.

    Web Bug