GitBook: [master] 3 pages and 6 assets modified@e741d40
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -128,7 +128,7 @@ The response is a JSON dictionary with some important data like:
* Signed using the **device identity certificate \(from APNS\)**
* **Certificate chain** includes expired **Apple iPhone Device CA**


### Step 6: Profile Installation
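Review bot: the removed and added lines of this hunk are identical as rendered, so the actual change is not visible here; it is presumably whitespace or a non-text line such as an image reference (the commit title says 6 assets were modified), and the commit message should say so. The two blank lines left before "### Step 6: Profile Installation" should be collapsed to one to match the single-blank-line spacing used before other headings. The bullet "Certificate chain includes expired Apple iPhone Device CA" would also benefit from one sentence on why that matters for anyone validating the response, since as written the reader cannot tell whether it is a curiosity or a verification pitfall.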
@@ -9,7 +9,7 @@ This is done by **making a logged in user** in the victim platform access an att
In order to be able to abuse a CSRF vulnerability you first need to **find a relevant action to abuse** \(change password or email, make the victim follow you on a social network, give you more privileges...\). The **session must rely only on cookies or HTTP Basic Authentication header**, any other header can't be used to handle the session. An finally, there **shouldn't be unpredictable parameters** on the request.
Several **counter-measures** could be in place to avoid this vulnerability.
Several **counter-measures** could be in place to avoid this vulnerability.
### **Common defenses**
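Review bot: the removed and added copies of "Several **counter-measures** could be in place to avoid this vulnerability." render identically, so the diff is whitespace or line-ending only; state that in the commit message so reviewers do not hunt for a content change. While this paragraph is being touched, the context line still reads "An finally, there shouldn't be unpredictable parameters", which should be "And finally", and "counter-measures" is more commonly written "countermeasures".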
@@ -73,14 +73,22 @@ In this situation, the attacker can again perform a CSRF **attack if the web sit
### Content-Type change
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), n order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
According to [**this**](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), in order to **avoid preflight** requests using **POST** method these are the allowed Content-Type values:
* **`application/x-www-form-urlencoded`**
* **`multipart/form-data`**
* **`text/plain`**
However, note that the **severs logic may vary** depending on the **Content-Type** used so you should try the values mentioned and others like **`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._
### application/json preflight request bypass
As you already know, you cannot sent a POST request with the Content-Type **`application/json`** via HTML form, and if you try to do so via **`XMLHttpRequest`** a **preflight** request is sent first.
However, you could try to send the JSON data using the content types **`text/plain` and `application/x-www-form-urlencoded`** just to check if the backend is using the data independently of the Content-Type.
You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**
You could also try to **bypass** this restriction by using a **SWF flash file**. More more information [**read this post**](https://anonymousyogi.medium.com/json-csrf-csrf-that-none-talks-about-c2bf9a480937).
### Referrer / Origin check bypass
#### Avoid Referrer header
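Review bot: the new "application/json preflight request bypass" section has several wording and markup defects that should be fixed before merge. "you cannot sent a POST request" should be "you cannot send a POST request"; "the severs logic may vary" should be "the server's logic may vary"; the markup `**`application/json`**_**,**_**`text/xml`**, **`application/xml`**_._` wraps the comma and the final period in italic/bold markers and will render as stray emphasis, so they should be plain punctuation; "More more information" should be "For more information"; and the line "You can send a form using `Content-Type: text/plain` setting **`enctype="text/plain"`**" is cut off (it needs "by setting" and a closing period, and should say that this is what avoids the preflight, which is the point the section is making). The fix of "n order to" to "in order to" in the first paragraph is correct.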
@@ -109,14 +117,14 @@ https://hahwul.com/.white_domain_com (X)
## **Exploit Examples**
### **Ex-filtrating CSRF Token**
### **Exfiltrating CSRF Token**
If a **CSRF token** is being used as **defence** you could try to **ex-filtrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
If a **CSRF token** is being used as **defence** you could try to **exfiltrate it** abusing a [**XSS**](xss-cross-site-scripting/#xss-stealing-csrf-tokens) vulnerability or a [**Dangling Markup**](dangling-markup-html-scriptless-injection.md) vulnerability.
### **GET using HTML tags**
```markup
"http://google.es?param=VALUE" style="display:none" />
The URL you are requesting is no longer available
```
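Review bot: the "GET using HTML tags" code block lost its element name in rendering: `"http://google.es?param=VALUE" style="display:none" />` is a bare attribute list with no opening tag, and the following line "The URL you are requesting is no longer available" reads like text that belonged inside another element, so as rendered the example is unusable. Check the source file and make sure the tags inside the `markup` fence survive GitBook's rendering (escape them if they do not). The rename of "Ex-filtrating" to "Exfiltrating" in the heading and body is fine; since this commit also renames files, the relative links `xss-cross-site-scripting/#xss-stealing-csrf-tokens` and `dangling-markup-html-scriptless-injection.md` should be checked to still resolve.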
@@ -66,7 +66,7 @@ In order to **find event listeners** in the current page you can:
* **Search** the JS code for ****`window.addEventListener` and `$(window).on` \(_JQuery version_\)
* **Execute** in the developer tools console: `getEventListeners(window)`


* **Go to** _Elements --> Event Listeners_ in the developer tools of the browser
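Review bot: the context line `* **Search** the JS code for ****`window.addEventListener`` carries four stray asterisks before the backtick, which GitBook will render as literal asterisks or an empty bold span; drop them. The removed/added pair in this hunk is blank as rendered, so, as elsewhere in this commit, the change is whitespace or an asset line and should be named in the commit message. `getEventListeners(window)` is a Chromium DevTools console utility rather than standard JavaScript, so the bullet should say it only works in Chromium-based browsers; readers of other browsers are covered by the "Elements --> Event Listeners" bullet, which should likewise note that the menu names are Chromium's.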