I'm on a course and there is a bank application which I need to attack by getting users to visit my site, which instantly transfers X amount of money to my balance.

Their transaction form posts the recipient, the amount, and a CSRF token at api/transfer.

I've already managed to get the user's CSRF token (based on this tutorial):

<script>
// JSONP callback: invoked by the script loaded below with the JSON payload
function jsonApi(json)
{
    var token = json["token"];
    console.log(token);
}
</script>
<script src="someUrl.com/api/getcsrf?api_key=xyz&nojsoncallback=0&format=json"></script>

The above url returns:

jsonApi({
    "token": "a-token"
})

So I have all the data required to perform the transfer, but now I don't know how I could finish the task.

There is a form at someUrl.com/account for transferring money, and there is a POST method at someUrl.com/api/transfer.

Feel free to ask because there is a high chance that I have some useful extra information.

Tudvari
  • Try to create a dummy form on your page, insert all the data and automatically submit it. The browser will add cookies to it and the transaction will be executed. – Matej Oct 15 '19 at 06:38
  • I think it will be blocked by CORS. Just as I can't send XHR requests, I can't use forms with onSubmit on another domain, right? – Tudvari Oct 15 '19 at 06:39
  • CORS will block it if the request is made by XHR, but if the request is a form with the vulnerable domain in its action, the browser will do this and the user will be on the bank site with the form submitted. – Matej Oct 15 '19 at 06:42
  • Ohhh, then I will try it as soon as I get home. Thanks. Why is this though? What is the reason behind not implementing CORS to submitting as well? – Tudvari Oct 15 '19 at 06:50
  • Sometimes it's useful to submit a form to a different domain. Also, the attack is limited to only one request, so you can't make multiple requests like with XHR. – Matej Oct 15 '19 at 06:57
  • Thanks, it works! – Tudvari Oct 15 '19 at 11:46
  • Great! You're welcome – Matej Oct 15 '19 at 16:34
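
The server-side view of the thread above, as an added example that is not part of the original question or comments: checks the course's bank application could run so that a cross-site form POST and a script-included token fetch are both refused. The origin `https://bank.example`, the request-object shape, the function names and the meaning given to `nojsoncallback=0` are assumptions.

```javascript
// Added defensive example; not code from the course application.
const crypto = require("crypto");

const TRUSTED_ORIGIN = "https://bank.example"; // placeholder for the bank's own origin

// Decide whether a state-changing request (POST to api/transfer) may proceed.
// `req` is a plain object: { method, headers (lower-case keys), body, session }.
function checkTransfer(req) {
  if (req.method !== "POST") return { ok: false, reason: "method" };

  // Current browsers send Origin on cross-site form POSTs; page script cannot forge it.
  const origin = req.headers["origin"];
  if (origin !== undefined && origin !== TRUSTED_ORIGIN) return { ok: false, reason: "origin" };

  // Fetch Metadata: browsers that support it label cross-site requests explicitly.
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") return { ok: false, reason: "fetch-site" };

  // The token must match the one bound to the session (constant-time comparison).
  const sent = Buffer.from(String(req.body.token || ""));
  const expected = Buffer.from(req.session.csrfToken);
  if (sent.length !== expected.length || !crypto.timingSafeEqual(sent, expected))
    return { ok: false, reason: "token" };
  return { ok: true, reason: null };
}

// Token endpoint (api/getcsrf): refuse JSONP output, script includes and cross-site reads.
function checkTokenRequest(req) {
  // Assumed semantics: nojsoncallback=0 asks for the jsonApi(...) wrapper seen on the page.
  if ("callback" in req.query || req.query.nojsoncallback === "0")
    return { ok: false, reason: "jsonp" };
  if (req.headers["sec-fetch-dest"] === "script") return { ok: false, reason: "script-include" };
  const site = req.headers["sec-fetch-site"];
  if (site !== undefined && site !== "same-origin") return { ok: false, reason: "fetch-site" };
  return { ok: true, reason: null };
}

// Constructed request: a form auto-submitted from another site with a valid token.
const demo = {
  method: "POST",
  headers: { origin: "https://attacker.example", "sec-fetch-site": "cross-site" },
  body: { token: "a-token" },
  session: { csrfToken: "a-token" },
};
console.log(checkTransfer(demo));
```

Setting the session cookie with `SameSite=Lax` or `SameSite=Strict` additionally stops the browser from attaching it to a cross-site form POST in the first place.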