3vilp4wn's (Un)official CSRF/XSS Mission!


Post by 3vilp4wn on Fri Apr 19, 2013 10:37 pm

Hello HTS!

I recently made a CSRF/XSS mission for you to test your skills on.
I'm learning CSRF now and this seems a good way to finish up my research on CSRF for the time being.

Here it is:

From: SomeRandomDude
Subject: My site got hacked!
Message: Hey man, it's SomeRandomDude from HackThisSite. My site just got
hacked, and some guy is using it to spread his crazy conspiracy theories. Can
you please take a look at it and try to delete the post? Thanks.
The site is "http://evilnh.x10.mx/hts/CSRF".
Thanks,
SomeRandomDude

Help SomeRandomDude delete the post!

Mission by 3vilp4wn, post text by Ninjex.
Do not mistake understanding for realization, and do not mistake realization for liberation
Evil Ninja Hackers
???
٩(͡๏̯͡๏)۶

1A4EAMboaXpgvUSmtRbVRqbfJrbyuGhyoo


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by -Ninjex- on Sat Apr 20, 2013 12:21 am

I guess I am a crazy guy now? haha

Nice challenge, I really liked it!
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by 0phidian on Sat Apr 20, 2013 12:50 am

That was a little too easy. Just curious, are there multiple ways of solving this, or just the one?

Damn, Ninjex you wrote a book. I didn't know you felt so strongly, lol.


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by -Ninjex- on Sat Apr 20, 2013 1:15 am

0phidian wrote: That was a little too easy. Just curious, are there multiple ways of solving this, or just the one?

Damn, Ninjex you wrote a book. I didn't know you felt so strongly, lol.


Yeah, it was pretty long, took me a while xD

As of now, there are only two ways.
The method is the same, but in the code, you can use double or single quotes.


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by 3vilp4wn on Sat Apr 20, 2013 1:53 am

0phidian wrote: That was a little too easy.

Keep in mind that if this was a real mission, you wouldn't be told "CSRF/XSS," but yes, it's fairly easy.

0phidian wrote: Just curious, are there multiple ways of solving this, or just the one?

Just one so far (2 if you count the quotes), but I plan on adding more!


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by hellow533 on Sat Apr 20, 2013 3:37 am

You sure love your CSRF don't you evilpawn?

-- Sat Apr 20, 2013 9:35 pm --

I did the CSRF, got the "You win!" thing, and then I sat there for like 10 minutes looking around before I realized there are no other exploits..
Last edited by hellow533 on Sat Apr 20, 2013 6:40 am, edited 1 time in total.
“Teach me how to hack!”
"What, like, with an axe?"


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by WallShadow on Sat Apr 20, 2013 6:38 am

Neat little mission, I've got to test this stuff out myself.


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by 3vilp4wn on Sat Apr 20, 2013 3:16 pm

hellow533 wrote: You sure love your CSRF don't you evilpawn?

Well, this seemed a good way to finish up my learning about CSRF for the time being; soon I'll start researching something else :D

hellow533 wrote: I did the CSRF, got the "You win!" thing, and then I sat there for like 10 minutes looking around before I realized there are no other exploits..

Yeah, it's fairly strict right now...

WallShadow wrote: Neat little mission, I've got to test this stuff out myself.

Thanks!


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by mookalovesgloop on Sat Apr 20, 2013 5:06 pm

I did it!! :mrgreen:

With a few helpful nudges from Ninjex, of course.

peace
mooka
gloop!


Re: 3vilp4wn's (Un)official CSRF/XSS Mission!

Post by 3vilp4wn on Sun Apr 21, 2013 10:21 pm

mookalovesgloop wrote: I did it!! :mrgreen:

Nice job mooka! :D

mookalovesgloop wrote: With a few helpful nudges from Ninjex, of course.

For those of you who didn't see and need help:
<Ninjex> mooka, imagine this scenario
<mookat1me> k
<Ninjex> you have a moderator who can delete posts on a forum right
<Ninjex> you as a regular user can not
<Ninjex> The way the moderator would delete the post is via a script somewhere somehow
<Ninjex> You have to be validated to use that script
<Ninjex> hence a regular user as yourself can not do that
<Ninjex> following me here?
<mookat1me> i think so
<Ninjex> Now, with CSRF, you can have that script execute automatically inside of an <img></img> tag assuming someone is looking at it, it will execute on their end
<mookat1me> omg! i'm remembering things now
<mookat1me> ok hold on
<Ninjex> Yep
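The scenario Ninjex sketches in that log, seen from the forum's server side, as an added example (not part of the thread or of the mission's own code): a delete handler that trusts nothing but the moderator's cookie, beside a hardened version that refuses GET, checks the browser-set Origin header and requires a per-session CSRF token. The session id, site origin and handler names are hypothetical.

```python
import hmac
import hashlib
import secrets

# Constructed stand-ins for the forum's signing secret, session store and origin
# (hypothetical values, not from the mission site).
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"modsession123": {"user": "SomeRandomDude", "role": "moderator"}}
SITE_ORIGIN = "https://forum.example"

def csrf_token_for(session_id: str) -> str:
    """Per-session token the forum embeds in its own delete form as a hidden
    field; a cross-origin page cannot read it, so it cannot send it back."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def vulnerable_delete(request: dict) -> str:
    """Weak handler from the IRC explanation: a moderator cookie alone deletes,
    so an <img src=".../delete_post"> viewed by a moderator fires it, because
    the browser attaches the cookie automatically."""
    session = SESSIONS.get(request.get("cookie", ""))
    if session and session["role"] == "moderator":
        return "deleted"
    return "forbidden"

def hardened_delete(request: dict) -> str:
    """Same action, but a state change needs POST, same origin and a valid token."""
    session_id = request.get("cookie", "")
    session = SESSIONS.get(session_id)
    if not session or session["role"] != "moderator":
        return "forbidden"
    if request.get("method") != "POST":
        return "rejected: state change over GET"  # an <img> load is always GET
    if request.get("origin") != SITE_ORIGIN:
        return "rejected: cross-origin"  # Origin is set by the browser, not the page
    if not hmac.compare_digest(request.get("token", ""), csrf_token_for(session_id)):
        return "rejected: bad or missing token"
    return "deleted"

def demo() -> dict:
    """Both handlers over constructed requests: the moderator's browser loading
    the attacker's <img>, a forged cross-origin POST, and the real delete form."""
    img_load = {"method": "GET", "cookie": "modsession123"}
    forged_post = {"method": "POST", "cookie": "modsession123",
                   "origin": "https://attacker.example", "token": "guess"}
    legit_post = {"method": "POST", "cookie": "modsession123",
                  "origin": SITE_ORIGIN, "token": csrf_token_for("modsession123")}
    return {"vulnerable_img": vulnerable_delete(img_load),
            "hardened_img": hardened_delete(img_load),
            "hardened_forged": hardened_delete(forged_post),
            "hardened_legit": hardened_delete(legit_post)}
```

Calling `demo()` shows the weak handler deleting on the bare image load while the hardened one turns the same request away at the method check, before the token is ever consulted.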

