CSRF. **testing page - view at your own risk**


Post by 3vilp4wn on Sun Mar 31, 2013 11:20 pm

Code:
[img]http://www.hackthissite.org/?logout[/img]

Now go to the main site. You should be logged out.

-- Mon Apr 01, 2013 4:28 am --

Also, it might be hard to post replies.
I would start a new thread or use tamper data.
I feel like a troll :)

EDIT:
I submitted a bug report.

Well done. That was quite easy too. Can't believe that hasn't been filtered. ~fas
Last edited by 3vilp4wn on Fri Apr 05, 2013 11:50 am, edited 2 times in total.
Do not mistake understanding for realization, and do not mistake realization for liberation
Evil Ninja Hackers
???
٩(͡๏̯͡๏)۶

1A4EAMboaXpgvUSmtRbVRqbfJrbyuGhyoo


Re: CSRF logout.

Post by fashizzlepop on Mon Apr 01, 2013 12:59 am

I edited the above post to have CODE tags around the exploit. All that was done was load the hts logout script through image tags. Rather simple really.
The glass is neither half-full nor half-empty; it's merely twice as big as it needs to be.


Re: CSRF logout.

Post by pretentious on Mon Apr 01, 2013 7:10 am

This has really impressed me. I've been staring at this thread for the last 5 minutes just thinking about it. Nice...
Goatboy wrote:Oh, that's simple. All you need to do is dedicate many years of your life to studying security.

IF you feel like exchanging ASCII arrays, let me know ;)
pretentious wrote:Welcome to bat country


Re: CSRF logout.

Post by WallShadow on Mon Apr 01, 2013 9:01 am

You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.


Re: CSRF logout.

Post by limdis on Mon Apr 01, 2013 9:08 am

Well. lol.
Good find 3vilp4wn!
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."


Re: CSRF logout.

Post by 3vilp4wn on Mon Apr 01, 2013 10:49 am

WallShadow wrote: You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.

The settings page has what's called a CSRF token. That's a hidden field that has a bunch of random data in it that's also kept on the server. That stops CSRF from happening on pages like that. I would need to steal the token to change your settings.
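The token check described in the post above, as an added example that is not part of the original thread and is not HackThisSite's code: a request handler that refuses state changes over GET (the only method an [img] tag can trigger) and compares the hidden-field token with the copy kept on the server. The action names, the in-memory session store and the status codes returned are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS = {}

# Hypothetical names for actions that change state on the server.
STATE_CHANGING = {"logout", "settings", "flag_bug"}


def new_session():
    """Create a session and the random token that is also kept on the server."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def render_form(sid, action):
    """Embed the session's token as a hidden field in the form for `action`."""
    return (f'<form method="POST" action="/{action}">'
            f'<input type="hidden" name="csrf_token" value="{SESSIONS[sid]}">'
            '</form>')


def handle(method, action, sid, form=None):
    """Return an HTTP-like status for a request carrying session cookie `sid`."""
    if sid not in SESSIONS:
        return 401
    if action not in STATE_CHANGING:
        return 200  # read-only pages need no token
    # An [img] tag can only make the browser issue a GET, so refusing GET
    # for state changes already stops the logout trick from the thread.
    if method != "POST":
        return 405
    sent = (form or {}).get("csrf_token", "")
    # Constant-time comparison against the server-side copy of the token.
    if not hmac.compare_digest(sent.encode(), SESSIONS[sid].encode()):
        return 403
    if action == "logout":
        del SESSIONS[sid]
    return 200
```
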


Re: CSRF logout.

Post by WallShadow on Mon Apr 01, 2013 8:07 pm

3vilp4wn wrote:
WallShadow wrote: You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.

The settings page has what's called a CSRF token. That's a hidden field that has a bunch of random data in it that's also kept on the server. That stops CSRF from happening on pages like that. I would need to steal the token to change your settings.


Not only that, the submit method there is POST, so your fancy trick won't work there.

Edit:

Unless you perform this CSRF with a proper form and everything somehow hosted on this site (I'm fairly sure that it won't work cross domain).
Edit edit:
Scratch that, that's basically XSS already. Point is, you can't pull off a POST from a CSRF as far as I know.


Re: CSRF logout.

Post by 3vilp4wn on Thu Apr 04, 2013 11:11 am

Just another test...
Code:
[img]http://hts.io/su[/img]

EDIT: It's in code tags now...

-- Thu Apr 04, 2013 5:31 pm --

Yet another test.
Deleting comments!
Code:
[img]http://hts.io/sy[/img]

EDIT: lolfail. I need to spoof the referrer.
Last edited by 3vilp4wn on Thu Apr 04, 2013 1:38 pm, edited 1 time in total.


Re: CSRF logout. **testing page - view at your own risk**

Post by limdis on Thu Apr 04, 2013 12:54 pm

Adding a warning label to the title. Just in case.


Re: CSRF logout. **testing page - view at your own risk**

Post by 3vilp4wn on Fri Apr 05, 2013 12:47 am

Yet *another* test!
Code:
[img]https://www.hackthissite.org/pages/bugManagement/index.php?strAction=Flag&intBugID=4035[/img]

Once someone with FLAGB privs views this page, this bug report will be flagged. In theory. Now who *has* FLAGB privs, I don't know, but if you do, please say so. Thanks.

EDIT:
Exploit is in code tags now.
Last edited by 3vilp4wn on Fri Apr 05, 2013 10:32 am, edited 1 time in total.

