InfoSec Write-ups – Medium
WebGoat CSRF 7

This lesson is very similar to the two previous ones, but this time the payload to be sent must be in JSON format. Let's see how this can be achieved.

By filling in the lesson form with the given values, the HTTP request gets populated with the inputted values in JSON format, and the feedback tells us that the solution is not correct, as expected.
Let's go ahead and copy the form on the page to a new HTML file. Here you can find the form cleaned of all unnecessary divs, with an added hidden field for testing:
https://medium.com/media/da1d0adba42d0c14973ac5d61689f871/href

Let's fill in the form and see what happens.

The request did not work: WebGoat replies with status code 500. Let's see what Burp History shows.

The request here is not what WebGoat expects at all: it is a plain POST form submit, and it is never going to work here.
The WebGoat lesson page's suggestion to go read http://pentestmonkey.net/blog/csrf-xml-post-request is of utmost importance: there PentestMonkey explains clearly how to forge an HTTP request of the needed format starting from an HTML file and a simple form, which is basically what I was trying to achieve here.
If more help is needed, there is also https://github.com/WebGoat/WebGoat/wiki/Main-Exploits, a page from the WebGoat GitHub wiki with the correct payload and some more explanation.
After reading and studying, a new HTML file is in order to forge the correct request:
https://medium.com/media/19c235e57bd1acdfb614c244ab1a8edb/href
First: the form's enctype="text/plain" forces the browser to create a request without encoding the data content from the client.
Second: in order to create a valid JSON payload, the request body has to contain the content available on the lesson page, and that text needs the following characters to forge a JSON payload:
" : { }
Luckily for us, HTML tag attribute delimiters can be ' or " as long as the same type of quote is used as the opening and closing character, so the two form attributes
name='{"name": "WebGoat", "email": "webgoat@webgoat.org", "content": "WebGoat is the best!!", "ignoreme":"'
value='sdfsdfdf"}'
are valid HTML attributes, allowing us to put a JSON-formatted data body in the request.
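To make the two points above concrete from the defender's side, here is an added example (my own code, not the article's and not WebGoat's). It models what the browser produces for an enctype="text/plain" form built from the two attributes quoted above, shows that the resulting body is valid JSON (the "=" the browser inserts between name and value lands inside the throw-away "ignoreme" field), and then runs it through the checks a JSON endpoint should perform before trusting a body: Content-Type, Origin/Referer, and a parse. The allowed origin https://webgoat.example and the headers of the forged and legitimate requests are constructed values, not taken from the lesson.

```python
import json
from urllib.parse import urlsplit

# The two form attributes quoted in the article (the lesson's own values).
FORGED_NAME = ('{"name": "WebGoat", "email": "webgoat@webgoat.org", '
               '"content": "WebGoat is the best!!", "ignoreme":"')
FORGED_VALUE = 'sdfsdfdf"}'

# Assumed site origin for the check below; a real deployment uses its own host.
ALLOWED_ORIGIN = "https://webgoat.example"


def text_plain_form_body(fields):
    """Model of what a browser sends for enctype="text/plain":
    one 'name=value' line per field, CRLF-terminated, with no escaping."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def parsed_forged_body():
    """Show that the text/plain body built from the two attributes is valid JSON.
    The '=' the browser inserts becomes part of the 'ignoreme' value."""
    return json.loads(text_plain_form_body([(FORGED_NAME, FORGED_VALUE)]))


def evaluate_json_request(headers, body, allowed_origin=ALLOWED_ORIGIN):
    """Checks a JSON endpoint should perform before trusting a request body.
    Returns (accepted, reason). A plain HTML form cannot set
    Content-Type: application/json, and browsers add Origin to cross-site
    form posts, so either check alone rejects the forged submission; a
    per-session CSRF token is still the primary defence."""
    content_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if content_type != "application/json":
        return False, f"unexpected Content-Type {content_type!r}"
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != allowed_origin:
        return False, f"cross-site origin {origin!r}"
    try:
        json.loads(body)
    except json.JSONDecodeError as exc:
        return False, f"malformed JSON: {exc.msg}"
    return True, "ok"


def demo():
    """Run the forged submission and a legitimate request through the checks."""
    forged_body = text_plain_form_body([(FORGED_NAME, FORGED_VALUE)])
    # Constructed headers: what a cross-site text/plain form post looks like.
    forged_headers = {"Content-Type": "text/plain", "Origin": "https://attacker.example"}
    legit_headers = {"Content-Type": "application/json", "Origin": ALLOWED_ORIGIN}
    return {
        "forged_parses_as_json": "ignoreme" in parsed_forged_body(),
        "forged": evaluate_json_request(forged_headers, forged_body),
        "legit": evaluate_json_request(legit_headers, '{"name": "WebGoat"}'),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the parse step is that it is not a defence on its own: the body really is well-formed JSON, which is exactly why the lesson endpoint accepts it. What stops the technique is refusing bodies whose Content-Type a form can produce (text/plain, application/x-www-form-urlencoded, multipart/form-data) on endpoints that expect JSON, together with an origin check or, better, a per-session anti-CSRF token.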

Let's submit the form, leveraging both these aspects.

WebGoat replies with this JSON message containing the flag.

And in Burp we can see the forged request in the correct JSON format with the added "ignoreme" attribute.
Input the flag in the lesson page to complete it.
WebGoat CSRF 8

Let's create a form starting from the WebGoat login page structure:
https://medium.com/media/485bc73949fc825337163969fc93e31a/href
The first one is a simpler version with just the essential components; the second one has some modifications to make it auto-submit and show a blank page.

Upload it to WebWolf and open it in a new tab.

Then switch to the lesson page and click the "Solved!" button to complete the lesson.

You are now logged in as the csrf-<your_username> user. Reload any WebGoat page and check your user in the top-right menu to verify that a new login has happened.
This concludes WebGoat CSRF 7 and 8.
I hope you liked it.
PVXs — https://twitter.com/pivixih
WebGoat CSRF 7 8 was originally published in InfoSec Write-ups on Medium.