xsrfify: XSRF Helper Script
Cross Site Request Forgery ([X|C]SRF) is one of those vulnerabilities many web applications suffer from. If you already know how XSRF works, I suggest you skip the next part and directly go to the explanation of xsrfify.rb, a script to automatically convert a POST request to an HTML page ready for XSRF.
The idea of XSRF is as simple as it is ingenious. Let me explain by example: let's say you have a web application which requires a login. A logged-in user can also change his or her password, which is done by sending a simple POST (or even a GET) request to the application. The password change request could, for example, be made with this simple form:
Please enter your new password:<br />
<form method="POST" action="changepw.php">
  <input id="pass" name="pass" type="password" />
  <input type="submit" value="Submit" />
</form>
If a copy of this form is hosted on another website and submitted automatically, the result is that whenever an unsuspecting user opens that website, a POST request to the password-changing PHP page is sent. But that's not the important part. The important part is that whenever your browser sends a request to the site while you are still logged in to the application (e.g. in another tab), your login credentials (typically the session cookie) are sent along automatically. Because, hey, it's just another POST request to the website we're logged into, right?
This means that if you are logged into the application and I can convince you to open my (malicious) website, I can make you send a request to change your password, without knowing any login details, because it is your browser sending the request and you are already authenticated. The password example above is only one possible attack vector, of course. Just look for anything in the web application which changes something using only one request. There are plenty of XSRF opportunities for doing something malicious.
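The defence follows directly from the mechanism above: since the browser attaches the session cookie to any request, the server must not treat the cookie alone as proof that the user meant to send it. As an added example (not part of the original post or the xsrfify project), a Ruby gate for the password-change POST that checks the request's Origin/Referer against the site's own origin and requires a per-session token that a foreign page cannot read; the origin https://app.example, the hash-based headers/params/session and the sample requests are constructed for this example.

```ruby
require 'securerandom'
require 'uri'

# Assumed origin of the application hosting changepw.php (constructed for this example).
APP_ORIGIN = 'https://app.example'

# Issue a per-session anti-CSRF token; the legitimate form carries it in a hidden field.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so response timing does not leak which token bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Reduce the Origin header (falling back to Referer) to scheme://host[:port].
# Returns nil when neither header is usable, e.g. "Origin: null", so the caller fails closed.
def request_origin(headers)
  source = headers['Origin'] || headers['Referer']
  return nil if source.nil?
  u = URI.parse(source)
  return nil if u.scheme.nil? || u.host.nil?
  port = (u.port.nil? || u.port == u.default_port) ? '' : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
rescue URI::InvalidURIError
  nil
end

# Gate for state-changing requests such as the changepw.php POST.
# Both checks must pass: (1) the browser-set origin is our own, and
# (2) the body carries the token tied to the session. A page on another
# site can make the browser send our cookie, but it cannot set Origin to
# our site and cannot read our pages to learn the token.
def csrf_request_allowed?(headers, params, session)
  return false unless request_origin(headers) == APP_ORIGIN
  expected = session[:csrf_token]
  supplied = params['csrf_token']
  return false if expected.nil? || supplied.nil?
  secure_equal?(supplied, expected)
end

# Constructed requests: all three ride on the victim's session, only the first is legitimate.
SESSION = {}
TOKEN   = issue_csrf_token(SESSION)
LEGIT   = [{ 'Origin' => 'https://app.example' }, { 'pass' => 'new', 'csrf_token' => TOKEN }]
FORGED  = [{ 'Origin' => 'https://attacker.example' }, { 'pass' => 'pwned' }]          # cross-site form
NOTOKEN = [{ 'Referer' => 'https://app.example/changepw.php' }, { 'pass' => 'new' }]   # same origin, token missing
```

The forged request is rejected on the origin check alone, and the token check rejects even a same-origin request that lacks it, so neither check has to carry the whole defence by itself.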
./xsrfify -h
Usage: ./xsrfify [options]
    -n, --newlines          Use \n as line delimiter when parsing the POST request instead of \r\n
    -f, --full-page         Print a full HTML page ready for XSRF instead of just the form
    -d, --delete-submit     Automatically delete parameters with the name "submit"
    -h, --help              Show this help
Beats writing the same old boring stuff over and over again. By the way: it works great for Cross Site Scripting that is only exploitable via POST, too. Just make sure that you encode your payload properly, as the script will not do it for you; adjust the resulting HTML page accordingly, otherwise things may break (e.g. if your payload contains double quotes).
It is available on GitHub as of now: