CSRF. **testing page - view at your own risk**

PostPosted: Sun Mar 31, 2013 11:20 pm
by 3vilp4wn
Code:
[img]http://www.hackthissite.org/?logout[/img]

Now go to the main site. You should be logged out.

-- Mon Apr 01, 2013 4:28 am --

Also, it might be hard to post replies.
I would start a new thread or use tamper data.
I feel like a troll :)

EDIT:
I submitted a bug report.

Well done. That was quite easy too. Can't believe that hasn't been filtered. ~fas

Re: CSRF logout.

PostPosted: Mon Apr 01, 2013 12:59 am
by fashizzlepop
I edited the above post to have CODE tags around the exploit. All that was done was load the hts logout script through image tags. Rather simple really.

Re: CSRF logout.

PostPosted: Mon Apr 01, 2013 7:10 am
by pretentious
This has really impressed me. I've been staring at this thread for the last 5 minutes just thinking about it. Nice...

Re: CSRF logout.

PostPosted: Mon Apr 01, 2013 9:01 am
by WallShadow
You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.

Re: CSRF logout.

PostPosted: Mon Apr 01, 2013 9:08 am
by limdis
Well. lol.
Good find 3vilp4wn!

Re: CSRF logout.

PostPosted: Mon Apr 01, 2013 10:49 am
by 3vilp4wn
WallShadow wrote: You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.

The settings page has what's called a CSRF token. That's a hidden field that has a bunch of random data in it that's also kept on the server. That stops CSRF from happening on pages like that. I would need to steal the token to change your settings.
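The token check described in the post above, written out as an added Python example (this is not the forum's or HackThisSite's code). It shows why the hidden field stops the [img] trick: the browser attaches the session cookie to every request it makes, including one triggered by an image tag, but the token only arrives when the request came from a form the server itself rendered. The handler also refuses state changes over GET, which is the gap the logout link had. The in-memory session store, the paths and the field name are assumptions made for illustration.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed in-memory session store; stands in for whatever server-side
# session record the real site keeps (assumption for this example).
SESSIONS: Dict[str, dict] = {}


def new_session() -> str:
    """Log a user in: create a session and mint a random CSRF token tied to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "logged_in": True}
    return sid


def render_settings_form(sid: str) -> str:
    """Render the settings form with the session's token as a hidden field,
    exactly the mechanism the post describes."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/settings">\n'
        f'  <input type="hidden" name="csrf_token" value="{token}">\n'
        '  <input name="email"><button>Save</button>\n'
        "</form>"
    )


def handle_request(sid: Optional[str], method: str, path: str,
                   form: Dict[str, str]) -> Tuple[int, str]:
    """Dispatch a request. `sid` is the session cookie the browser sends
    automatically; `form` is the submitted body. A forged <img> request
    carries the cookie but can carry neither a POST body nor the token."""
    session = SESSIONS.get(sid or "")
    if session is None:
        return 401, "not logged in"
    if path in ("/settings", "/logout"):
        # State changes must be POST: a GET from an image tag stops here.
        if method != "POST":
            return 405, "state change requires POST"
        submitted = form.get("csrf_token", "")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
            return 403, "CSRF token missing or wrong"
        if path == "/logout":
            session["logged_in"] = False
            return 200, "logged out"
        return 200, "settings saved"
    return 404, "no such page"


if __name__ == "__main__":
    sid = new_session()
    # What an [img] tag can produce: a cookie-bearing GET with no token.
    print(handle_request(sid, "GET", "/logout", {}))
    # What the site's own form produces: POST plus the matching token.
    token = SESSIONS[sid]["csrf_token"]
    print(handle_request(sid, "POST", "/logout", {"csrf_token": token}))
```

The first call is rejected with 405 and the session stays logged in; the second succeeds only because the token in the body matches the one stored against that session.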

Re: CSRF logout.

PostPosted: Mon Apr 01, 2013 8:07 pm
by WallShadow
3vilp4wn wrote:
WallShadow wrote: You've used this on logout, but what else could this be used on? Not the settings page, that's for sure.

The settings page has what's called a CSRF token. That's a hidden field that has a bunch of random data in it that's also kept on the server. That stops CSRF from happening on pages like that. I would need to steal the token to change your settings.

Not only that, the submit method there is POST, so your fancy trick won't work there.

edit:

Unless you perform this CSRF with a proper form and everything somehow hosted on this site (I'm fairly sure that it won't work cross-domain).
edit edit:
Scratch that, that's basically XSS already. Point is, you can't pull off a POST from a CSRF as far as I know.

Re: CSRF logout.

PostPosted: Thu Apr 04, 2013 11:11 am
by 3vilp4wn
Just another test...
Code:
[img]http://hts.io/su[/img]

EDIT: It's in code tags now...

-- Thu Apr 04, 2013 5:31 pm --

Yet another test.
Deleting comments!
Code:
[img]http://hts.io/sy[/img]

EDIT: lolfail. I need to spoof the referrer.

Re: CSRF logout. **testing page - view at your own risk**

PostPosted: Thu Apr 04, 2013 12:54 pm
by limdis
Adding a warning label to the title. Just in case.

Re: CSRF logout. **testing page - view at your own risk**

PostPosted: Fri Apr 05, 2013 12:47 am
by 3vilp4wn
Yet *another* test!
Code:
[img]https://www.hackthissite.org/pages/bugManagement/index.php?strAction=Flag&intBugID=4035[/img]

Once someone with FLAGB privs views this page, this bug report will be flagged. In theory. Now who *has* FLAGB privs, I don't know, but if you do, please say so. Thanks.

EDIT:
Exploit is in code tags now.