
CSRF - Website hacking (legal)

THIS IS PERFECTLY LEGAL AND I'M ALLOWED/SUPPOSED TO BE DOING THIS. 

 

I have an assignment where I have to use Cross-Site Request Forgery to break into a specific site provided by and run by the course/school. The goal is to have a user click a link (that I provide/make) that will automatically log that user into a specific account on the actual page that the user was trying to open. 

 

So: 

User wants to go to 'test.com' 

I give the user a link to 'mytest.com', which automatically logs the user into 'test.com' with the specific credentials I provide. 

The user browses 'test.com' under the account I provided. 

 

 

I'm not really sure how to go about doing this without going down the hack-y route of placing an invisible button for my form on top of an iFrame of 'test.com'. I was thinking of creating a new HTML file ('mytest.com') with 'test.com' in an iFrame, but I'm not sure how to push the username/password to 'test.com's login form or how to redirect test.com's login-button press to my form. (Note: there are no CSRF defenses on the site.)

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.

Link to comment
https://linustechtips.com/topic/670993-csrf-website-hacking-legal/
Share on other sites


6 minutes ago, djdwosk97 said:

THIS IS PERFECTLY LEGAL AND I'M ALLOWED/SUPPOSED TO BE DOING THIS. 

 

I have an assignment where I have to use Cross-Site Request Forgery to break into a specific site provided by and run by the course/school. The goal is to have a user click a link (that I provide/make) that will automatically log that user into a specific account on the actual page that the user was trying to open. 

 

So: 

User wants to go to 'test.com' 

I give the user a link to 'mytest.com', which automatically logs the user into 'test.com' with the specific credentials I provide. 

The user browses 'test.com' under the account I provided. 

 

 

I'm not really sure how to go about doing this. I was thinking of creating a new HTML file ('mytest.com') with 'test.com' in an iFrame, but I'm not sure how to push the username/password to 'test.com's login form. (Note: there are no CSRF defenses on the site.)

Assuming the login form uses AJAX, the following code would work (using jQuery):

$("#submit").click(function() {
	$.ajax({
		url: "test.com/login",
		method: "POST",
		data: { username: $("#username").val(), password: $("#password").val() },
		success: function(data) {
			// Parse the response from the server here
		}
	});
});

This is basically doing what test.com's login page is doing. It's taking the value and pushing it to the server, and without CSRF protection, you can simply replicate that. If you're unsure what is being sent and what is being received, use Chrome Devtools or Firebug to check any XHR requests.

˙ǝɯᴉʇ ɹnoʎ ƃuᴉʇsɐʍ ǝɹɐ noʎ 'sᴉɥʇ pɐǝɹ oʇ ƃuᴉʎɹʇ ǝɹɐ noʎ ɟI


You provide a hidden form on your mytest.com page that works like a standard login form, but with the credentials filled in.

 

However, instead of setting the action to a page on mytest.com, you set it to the test.com page that accepts credentials.

 

Basically, the goal is to replicate the POST request that would be generated if a user logged in to test.com.


1 hour ago, dannytech357 said:

Assuming the login form uses AJAX, the following code would work (using jQuery):


$("#submit").click(function() {
	$.ajax({
		url: "test.com/login",
		method: "POST",
		data: { username: $("#username").val(), password: $("#password").val() },
		success: function(data) {
			// Parse the response from the server here
		}
	});
});

This is basically doing what test.com's login page is doing. It's taking the value and pushing it to the server, and without CSRF protection, you can simply replicate that. If you're unsure what is being sent and what is being received, use Chrome Devtools or Firebug to check any XHR requests.

I'm not exactly sure how to go about this. 

 

So I load 'test.com' into a full window iframe. Then the user will input their credentials into the login field (on test.com) and click submit. At which point the login credentials need to be modified to the credentials I provide.

1 hour ago, SSL said:

You provide a hidden form on your mytest.com page that works like a standard login form, but with the credentials filled in.

 

However, instead of setting the action to a page on mytest.com, you set it to the test.com page that accepts credentials.

 

Basically, the goal is to replicate the POST request that would be generated if a user logged in to test.com.

I do believe I have to use jQuery since test.com has a bunch of CSS/assets. So I can't just make a mytest.com with the HTML of test.com with a slight modification to the login field. 

 

P.s. I can't use XSS


27 minutes ago, djdwosk97 said:

So I load 'test.com' into a full window iframe. Then the user will input their credentials into the login field (on test.com) and click submit. At which point the login credentials need to be modified to the credentials I provide.

So are you trying to make the form look the same...? If so, assuming the site doesn't have clickjacking protection and framing is enabled, you should just be able to put it into an iframe and bind an event listener to the form; then you have the login credentials and can submit the form as yourself. If I completely misunderstood and you want your own form, use what I suggested with a custom form, and don't bother iframing.


24 minutes ago, dannytech357 said:

So are you trying to make the form look the same...? If so, assuming the site doesn't have clickjacking protection and framing is enabled, you should just be able to put it into an iframe and bind an event listener to the form; then you have the login credentials and can submit the form as yourself. If I completely misunderstood and you want your own form, use what I suggested with a custom form, and don't bother iframing.

What I want to happen is I want the user to click "login" in the iFrame, but I want to login via credentials that I input. So I just placed my login form submission button on top of the iframe's login button and made my button invisible. So if the user clicks login he's actually clicking my login button. This obviously is a kind of hacky solution, so I'd prefer to do it in a less hack-y way. 

 

 

What I'd like to happen: 

Either have the login button in the iFrame trigger the login button on my form OR replace the credentials in the iFrame's form with credentials I provide. 


@dannytech357

 

bump


2 hours ago, djdwosk97 said:

What I want to happen is I want the user to click "login" in the iFrame, but I want to login via credentials that I input. So I just placed my login form submission button on top of the iframe's login button and made my button invisible. So if the user clicks login he's actually clicking my login button. This obviously is a kind of hacky solution, so I'd prefer to do it in a less hack-y way. 

 

 

What I'd like to happen: 

Either have the login button in the iFrame trigger the login button on my form OR replace the credentials in the iFrame's form with credentials I provide. 

Simply find the button id in the iframe, and add an event listener to it, or find the ids of the inputs and read from them on submit. Sorry I can't provide more, a little busy at the moment.


Just now, dannytech357 said:

Simply find the button id in the iframe, and add an event listener to it, or find the ids of the inputs and read from them on submit. Sorry I can't provide more, a little busy at the moment.

I tried that, but I'm not sure how exactly to go about doing it. 


window.addEventListener('blur', function () {
    // 'blur' on the top window fires when focus moves into the iframe,
    // i.e. when the user clicked somewhere inside it.
    var iframe = $('#iframeID').contents();
    iframe.find("#log-in-btn").click(function () {
        alert("hello"); // temporary, to see that it's working

        // This should somehow overwrite the login field or submit my hidden
        // login form that's outside the iframe.
    });
});

 

 

I don't care what the inputted username/password are. I need to override them with the credentials I provide, or just make the submit button submit my form. Either way, I don't care about the contents of the form in the iframe. 


You cannot alter iframe content due to the cross-domain policy. test.com would need to allow your domain to access its stuff. Your idea of automatic login in your first post seems doable, just do what SSL said, or an AJAX request should work too, but an AJAX request won't work (reason similar to why you cannot modify iframes), but attaching listeners to test.com's form submit button seems not, and it is the browser that doesn't allow it.


16 minutes ago, Mr_KoKa said:

You cannot alter iframe content due to the cross-domain policy. test.com would need to allow your domain to access its stuff. Your idea of automatic login in your first post seems doable, just do what SSL said, or an AJAX request should work too, but an AJAX request won't work (reason similar to why you cannot modify iframes), but attaching listeners to test.com's form submit button seems not, and it is the browser that doesn't allow it.

Test.com is intentionally written with security holes that normally don't exist.

 

For the first part I just have to login with the credentials I provide regardless of what the user inputs. But for the second part, there is CSRF protection, and I need to get the cookie from the iframe if I am to use my own hidden form. 


 

9 minutes ago, djdwosk97 said:

Test.com is intentionally written with security holes that normally don't exist.

But as I said, as far as I know, it is not the site that prevents you from doing that, but the browser.

Have you tried to access iframe contents? Does it work for you?

 

 


3 minutes ago, Mr_KoKa said:

 

But as I said, as far as I know, it is not the site that prevents you from doing that, but the browser.

Have you tried to access iframe contents? Does it work for you?

 

 

Well, there is some way to access the token (which is in a hidden field in the login form), since that's the only way to bypass CSRF protection (which is the goal). I'm just not sure how to access it. 

 

I've tried to access iFrame contents, but I'm not sure if I'm doing it correctly. I'm just using alerts for the time being to eliminate any source of bugs/errors in the code since alerts are simple/obvious.


$('#frameID').on('load', function () {
    // .load(fn) is gone in jQuery 3; .on('load', ...) binds the load event instead.
    var iframe = $('#frameID').contents();
    iframe.find("#submitBut").click(function () {
        alert("hello");
    });
});

window.addEventListener('blur', function () {
    var iframe = $('#frameID').contents();
    iframe.find("#submitBut").click(function () {
        alert("hello");
    });
});


8 minutes ago, Mr_KoKa said:

 

But as I said, as far as I know, it is not the site that prevents you from doing that, but the browser.

Have you tried to access iframe contents? Does it work for you?

 

 

The browser only does it when X-Frame-Options is set (or a few other headers with various levels of support)


2 minutes ago, djdwosk97 said:

Well, there is some way to access the token (which is in a hidden field in the login form), since that's the only way to bypass CSRF protection (which is the goal). I'm just not sure how to access it. 

 

I've tried to access iFrame contents, but I'm not sure if I'm doing it correctly. I'm just using alerts for the time being to eliminate any source of bugs/errors in the code since alerts are simple/obvious.

 


$('#frameID').on('load', function () {
    // .load(fn) is gone in jQuery 3; .on('load', ...) binds the load event instead.
    var iframe = $('#frameID').contents();
    iframe.find("#submitBut").click(function () {
        alert("hello");
    });
});

window.addEventListener('blur', function () {
    var iframe = $('#frameID').contents();
    iframe.find("#submitBut").click(function () {
        alert("hello");
    });
});

 

Does it alert "hello" when you click that button? (Does it find it?)


4 minutes ago, Mr_KoKa said:

Does it alert "hello" when you click that button? (Does it find it?)

no, but it also doesn't alert me if I try it on the page itself and NOT in the iframe. (so with the below I have no iframes and it still doesn't alert me) 

 


<div id="test">
    <button id="button1">TryMe</button>
</div>

<script>
// The original used $('#test').load(function(){ ... }) around this, but a <div>
// never fires a load event, so the click handler was never bound at all.
// Bind the click handler directly instead.
$('#test').find("#button1").click(function () {
    alert("hello");
});
</script>


6 minutes ago, dannytech357 said:

The browser only does it when X-Frame-Options is set (or a few other headers with various levels of support)

But that is about loading contents into an iframe; I'm talking about modifying the iframe.

4 minutes ago, djdwosk97 said:

no

That is what I'm talking about; the browser protects you against it so other sites cannot steal your cookies.


4 minutes ago, Mr_KoKa said:

But that is about loading contents into an iframe; I'm talking about modifying the iframe.

That is what I'm talking about; the browser protects you against it so other sites cannot steal your cookies.

The method doesn't work within the page (no iframes being used) either. So I think there is something syntactically wrong with what I have above. 

 

I only see two ways of doing this: 

  1. Overwriting the username/password field in the iframe when the user clicks submit (in the iframe). 
  2. Getting access to the iframe's login fields and grabbing the token in the hidden field. So when the user clicks login in the iframe, my page grabs the token, adds it to my hidden form and then submits my form instead. 

So either there's another way I'm overlooking, or there are enough security holes intentionally left open to allow one of the above to occur. 


Does the login form leave the username in place after a bad login? Maybe there is an XSS vulnerability?

 

P.S.: The whole time I thought there was no CSRF protection. I don't know why, maybe because CSRF protection should protect, and if there is no protection CSRF is possible :P


6 minutes ago, Mr_KoKa said:

Does the login form leave the username in place after a bad login? Maybe there is an XSS vulnerability?

There are two parts to the assignment.

  1. In the first part there is no CSRF protection and NO XSS vulnerability (this is the one that I solved by just putting an invisible login button for my form on top of the iframe). But I want to find a less hack-y way of doing this (either overwriting the contents of the login form in the iframe on click of the submit button in the iframe, or by having the submit button in the iframe submit my form). 
  2. In the second part there IS CSRF protection and XSS protection is disabled. 

So I can use XSS for the second part.

 

For your edit, CSRF protection (in terms of part 2 of this assignment) is just a token that's in a hidden text field in the login form. Presumably I just have to use XSS to grab that token or fill in the login form details. 


As for point one, you could just log the user in, but I guess you want the user to think that they are logging in with their own credentials. And since you cannot access the iframe's DOM, that clickjack is OK, as far as it works. Are you concerned that the button may end up in the wrong spot in some window size configurations? There is a way to make the 3rd click always work as login, no matter where you click, but that would work on the assumption that the user clicks every input to enter login/password and the 3rd click would usually be the click on the login button.

 

If the second part is XSS vulnerable then you're gtg, right?


5 minutes ago, Mr_KoKa said:

As for point one, you could just log the user in, but I guess you want the user to think that they are logging in with their own credentials. And since you cannot access the iframe's DOM, that clickjack is OK, as far as it works. Are you concerned that the button may end up in the wrong spot in some window size configurations? There is a way to make the 3rd click always work as login, no matter where you click, but that would work on the assumption that the user clicks every input to enter login/password and the 3rd click would usually be the click on the login button.

 

If the second part is XSS vulnerable then you're gtg, right?

My concern with part 1 is that I feel like it's not the way I'm supposed to do it (and thus won't get credit/full credit). 

 

For part two, I'm not exactly sure how to go about doing the XSS. I'm thinking something along the lines of: 

  • Create my own form with the username and password fields set. 
  • Wait for the user to press login in the iframe. 
  • Grab the token from the iframe's form's hidden text field. 
  • Add the token to my form. 
  • Submit my form. 

 

Here's what I'm currently thinking, but I'm pretty confident my jQuery isn't right, and I'm not sure how to redirect the button click to submit my form instead of theirs. 

mytest.com

 

<iframe id="frameid" src="test.com"></iframe>

<div style="visibility: hidden;">
    <form id="myForm" method="post">
        <input id="csrf" type="hidden" value="">
        <input id="username" type="text" name="username" value="user0">
        <input id="pass" type="password" name="pass" value="1234">
        <button id="myButton" formaction="test.com/login">Login</button>
    </form>
</div>

<script>
$('#frameid').on('load', function () {
    // .contents() only works for a same-origin frame; the browser throws for test.com
    var iframe = $('#frameid').contents();
    iframe.find("#submitBut").click(function () {
        // their hidden field has name="csrf" but no id, so select it by name,
        // and read it with .val() (was: find("csrf").value())
        var token = iframe.find('input[name="csrf"]').val();
        // was: getElemenyById, and it ran at load time before any click happened
        document.getElementById("csrf").value = token;
    });
});
</script>

 

test.com

 

<div class="theirform">
    <form action="./login" method="post" class="form-inline">
        <input type="hidden" name="csrf" value="1234567890123456">
        <input id="username" type="text" name="username">
        <input id="pass" type="password" name="pass">
        <button id="submitBut" formaction="test.com/login">Login</button>
    </form>
</div>


With XSS you can load your script on the test.com page. You can send initial data to load that script as the user enters mytest.com, and once the script is injected you can listen to the form's onsubmit event; if the user submits the login you can prevent the form from being sent, swap the user/password with yours and then submit it.

You could also change the real inputs to hidden, and create new dummy inputs that impersonate the real ones.

 

P.S.: Does test.com repeat the login input after a bad login without escaping HTML characters? Or where does that XSS vulnerability occur?
