Cross Site Request Forgery (CSRF) PoC Template (by Javascript)


 

@ScriptName: Cross Site Request Forgery (CSRF) PoC Template 

@Purposes: For any Legal/Ethical Educational Security Researches Only (without any WARRANTY). You can create your own CSRF PoCs by using this template. Author does not accept any responsibility or liability for the use or misuse of this code. 

@Tested Environments: IE, Mozilla Firefox, Opera, Chrome, Safari 

@IDE: Notepad++ 

@Author: Soroush Dalili – IRSDL 4T_YAH00_D0T_C0M 

@Website: http://soroush.secproject.com/blog/projects/csrf_poc_template/ 

@Code: https://code.google.com/p/csrf-poc-template-by-js/



Download Link:
https://code.google.com/p/csrf-poc-template-by-js/downloads/list 

Introduction

The CSRF PoC template is JavaScript code that is very useful for security researchers and simplifies the creation of CSRF proofs of concept. I also think this template will help developers and security learners to see how a CSRF attack works; then they can improve the protection methods and also the attack techniques. If you do not have any knowledge about CSRF, please read these references first:

- http://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

- http://www.cgisecurity.com/csrf-faq.html

Please do not run this code against any website other than yours. And, I do not accept any responsibility for any usage and misusage of this code. 

What is inside?

This template is written in JavaScript. Although this code is not free of faults, it is working quite well for me. Please send me your suggestions and bug reports through my email or my blog. I will try to fix and improve this code whenever I receive your feedback and also have free time.

I wanted to write this code as simply as possible, and it was around 10 lines of code at first. However, as more features were added over time, it became more complicated. But don’t worry; you do not need to understand the JavaScript code, as you can set all of your favorite modes in the “Configuration” section. However, I think the code is clear enough for those who are familiar with JavaScript if they want to modify it as well.

How to use?

If you are using the provided template, you only need to initialize the configuration settings and input variables in the “Configuration” section, and then put this JavaScript code in your webpage.

Note 1: “Configuration” section starts with “/*{START- Configuration*/” and ends with “/*END- Configuration}*/”. 

The “Running” section is for executing the code which you can change yourself. 

Note 2: “Running” section starts with “/*{START- Running*/” and ends with “/*END- Running}*/” 

Variables description:

- debugMode: This is a Boolean variable. By setting this variable to “true”, it will show informational messages when an error is found.

- destinations: This is an Array of strings which includes the destination pages. Therefore, it is possible to send a request to several addresses at the same time.

- method: This is a String variable which holds the form’s submission method (“GET”, “POST”). However, for a GET request without dynamic variables, it is better to use an IMG tag instead of this large amount of code.

- targetWindow: This is a String variable. It is the target of the forms for submission. It will be ignored when an IFrame is used.

- formEncType: This is a String variable which is equal to the ENCTYPE attribute of the forms. It can be, for example, “multipart/form-data”, “application/x-www-form-urlencoded”, or “text/plain”.

- displayOnBrowser: This is a Boolean variable. By setting this variable to “true”, you can view the HTML form, with a “Submit” button, before submission.

- displaySpecialParamsOnly: This is a Boolean variable. By setting this variable to “true”, you will only view the HTML form of special variables before submission. It will be ignored if “displayOnBrowser” is “false”.

- useIFrame: This is an Array of several variables. It includes the IFrame configuration for submitting a form. “useIFrame.onload” can contain a JavaScript function which will be executed in the “onload” event of an IFrame (for the last one in the “destinations” array).

- autoSubmit: This is a Boolean variable. By setting this variable to “true”, forms will be submitted automatically. If “displayOnBrowser” is “false”, this variable will be considered as “true”.

- continueAutoSubmit: This is a Boolean variable. It will work when the “autoSubmit” variable is “false”. By setting this variable to “true”, forms will be submitted automatically after pressing the “Submit” button.

- submitTimes: This is an Integer variable. It is the number of times a form is submitted.

- firstSubmisionDelay: This is an Integer variable. The first submission can be delayed when “autoSubmit” is enabled. The unit of this value is seconds.

- submisionInterval: This is an Integer variable. It is a fixed delay between submissions. The unit of this value is seconds.

- redirectToURL: This is a String variable. The page will be redirected to this URL after the last submission.

- redirectToURLDelay: This is an Integer variable. It is the delay before redirecting to the “redirectToURL” parameter. The unit of this value is seconds.

- redirectOnlyIFrame: This is a Boolean variable. By setting this variable to “true”, when an IFrame is used, only the IFrame will be redirected to the “redirectToURL” parameter.

- newTargetPerSubmission: This is a Boolean variable. By setting this variable to “true”, when “submitTimes” is more than one, it will create a new target for the form for each submission.

- runJavaScriptOnSubmit: This is a String variable. It can contain a JavaScript function which will be run on the “onsubmit” event of a form.

- deniedReferrerList: This is an Array of Strings which includes a black-list of forbidden referrer URLs. These strings should be URL encoded and are case sensitive. “['']” means that this option has been disabled. As an example it can contain: “['http://www.example.com/','?somevalue=%27test%20me%27']”. The “allowedReferrerList” parameter should be disabled if you want to use this option.

- allowedReferrerList: This is an Array of Strings which includes a white-list of permitted referrer URLs. These strings should be URL encoded and are case sensitive. “['']” means that this option has been disabled. As an example it can contain: “['http://www.example.com/','?somevalue=%27test%20me%27']”. When this parameter is used, the “deniedReferrerList” parameter will be ignored.

- Style: This is a String variable which can contain the cascading style sheet (CSS) of the page.

- inputParams: This is a String variable. This is the first way of putting inputs in a form. It can simply contain request values copied from a local proxy (such as Fiddler or BurpProxy).

- isQueryEncoded: This is a Boolean variable. If the values in “inputParams” are encoded, this parameter should be set to “true”.

- inputDelimiter: This is a String variable. It is used to separate the input parameters.

- specialParams: This is an Array of special variables. These variables are used when you want to use a JavaScript function for creating the inputs’ values, or to hide the other variables in “inputParams” by showing only these variables. There is also a way to create duplicated variables like this: “this.specialParams.test4 = this.specialParams.test3;”

- specialSuperDynParams: This is an Array of super dynamic variables. Each of these variables can contain a JavaScript function which can be executed before each submission.
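
Seen from the server side, the “method” and “formEncType” settings above describe the requests a plain HTML form can send from another site. The following is an added example (not part of the template or the author's code) of checks a state-changing endpoint can apply to such requests; “TRUSTED_ORIGIN”, the “csrf_token” field name and the shape of the request object are assumptions.

```javascript
// Added example: server-side checks for a state-changing request.
// TRUSTED_ORIGIN, the csrf_token field and the request shape are assumptions.
const TRUSTED_ORIGIN = 'https://app.example.com';
// The ENCTYPE values an HTML form can send (the formEncType options above).
const FORM_ENCTYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

function mediaType(contentType) {
  return String(contentType || '').split(';')[0].trim().toLowerCase();
}

// True when a plain HTML form on another site could have produced this request.
function formCanSend(req) {
  if (req.method === 'GET') return true;
  return req.method === 'POST' && FORM_ENCTYPES.includes(mediaType(req.headers['content-type']));
}

// Length-checked comparison that does not stop at the first differing character.
function safeEqual(a, b) {
  a = String(a || ''); b = String(b || '');
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// sessionToken is the per-session CSRF token the server issued with the form.
function checkStateChange(req, sessionToken) {
  const formReachable = formCanSend(req);
  if (req.method === 'GET') return { allow: false, formReachable, reason: 'state change over GET' };
  const origin = req.headers['origin'];
  if (origin !== undefined && origin !== TRUSTED_ORIGIN)
    return { allow: false, formReachable, reason: 'cross-origin request' };
  if (!safeEqual(req.body && req.body.csrf_token, sessionToken))
    return { allow: false, formReachable, reason: 'missing or wrong CSRF token' };
  return { allow: true, formReachable, reason: 'ok' };
}

// Constructed sample requests (not captured traffic).
const token = 'constructed-token-7f3a91';
const crossSite = { method: 'POST', headers: { 'content-type': 'text/plain', origin: 'https://other.example' }, body: { amount: '10' } };
const noOrigin = { method: 'POST', headers: { 'content-type': 'multipart/form-data; boundary=x' }, body: { amount: '10' } };
const sameSite = { method: 'POST', headers: { 'content-type': 'application/x-www-form-urlencoded', origin: TRUSTED_ORIGIN }, body: { amount: '10', csrf_token: token } };

for (const r of [crossSite, noOrigin, sameSite]) console.log(checkStateChange(r, token));
```

The “formReachable” flag shows why the token check matters: all three form ENCTYPE values reach the endpoint from a cross-site form, so the content type alone does not separate forged requests from genuine ones.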

Default Values:

Default values in this template are only some examples, and you can change them based on the requirements. 

Several CSRF in a single page

If you want to perform several CSRF attacks in a single page, you only need to duplicate the “Variables_CSRF_PoC_Template” function under a new name that includes all the new configurations and input variables. Then, you can pass this new function to the “Run_CSRF_PoC_Template” function. For example:

“Run_CSRF_PoC_Template(new Variables_CSRF_PoC_Template_Set1);” 

“Run_CSRF_PoC_Template(new Variables_CSRF_PoC_Template_Set2);” 

Variable Interference

There should not be any interference between the variable names of this JavaScript code and the default code of a specific page. However, the function names should be checked before any embedding, as they should be unique. This is useful when you want to use a CSRF technique by using an XSS vulnerability.

Browser Compatibility

This code should be compatible with popular browsers such as Internet Explorer (7 and 8), Mozilla Firefox, Opera, Chrome, and Safari. Please let me know if you find any incompatibility in these browsers.

JavaScript Compressor

It should be possible to use a JavaScript compressor such as “http://javascriptcompressor.com” in order to compress this code without having any error. Please let me know if you find any problem with a specific compressor. 


5 Responses to Cross Site Request Forgery (CSRF) PoC Template (by Javascript)

  1. vahid says:

    So nice. It would be great if you included a video, an example or some more details on how to use ;)

  2. Pingback: Week 35 in Review – 2010 | Infosec Events

  3. Pingback: Cross Site Request Forgery (CSRF) PoC Template

  4. aung says:

    If I found the error 405 when I test with the code, does it mean it is CSRF protected?
