Page 116 - Hands-On Bug Hunting for Penetration Testers

CSRF and Insecure Session Authentication                                    Chapter 6

In this case, we're just instantiating the HTML document as a single closed html tag. To insert a child element, we use this code:

    html_tag = content.find('html')
    form_tag = content.new_tag('form')
    html_tag.append(form_tag)

Following each line of the script, we grab a reference to that root html element, create a new tag for the form that will be our CSRF PoC, then append that form tag as a child element to its html parent.

Using the module this way illustrates its advantages over plain string manipulation: we don't have to constantly break up and nest successive elements, and the append() syntax also makes it easier to loop through and nest multiple children (which will come in handy).

With that structure in mind, we need to build the markup for the last (and most important) part of the PoC: the form fields. We'll leverage the fact that we can nest multiple children in a loop and that we have our form field data stored in an enumerable:

    for field in fields:
        field_tag = content.new_tag('input')
        form_tag.append(field_tag)
This code gives us the right number of input tags, but of course we still need logic to add type, name, and other attributes. Note that, since we don't need to later retrieve the variable references for the tags we're creating, we can go ahead and overwrite them with each iteration:

    for field in fields:
        field_tag = content.new_tag('input', type=field['type'])
        field_tag['name'] = field['name']
        form_tag.append(field_tag)
You might be wondering: why not just add another argument to the new_tag() call in order to address the input's name and type in a single line?

The field_tag['name'] = field['name'] line is an admittedly inelegant solution to the fact that name is a reserved keyword in Beautiful Soup. That means we need to use a part of the API that lets us define the attribute using a string, which this method does. Our final addition to complete the basic structure of the form is a submit input field. We can achieve that in two lines:

    submit_tag = content.new_tag('input', type='submit', value='submit')
    form_tag.append(submit_tag)
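The three snippets above assembled into one function, as an added example that is not the book's code. It builds the same html > form > input tree with the standard library's xml.etree.ElementTree instead of Beautiful Soup so it runs without installing anything; the field list, the action URL and the method are constructed placeholders, since this excerpt does not show where the book gets them.

```python
import xml.etree.ElementTree as ET

# Constructed sample data in the shape the book's loop expects: one dict
# per field with a 'type' and a 'name' (the 'value' key is optional).
SAMPLE_FIELDS = [
    {"type": "text", "name": "email", "value": "user@example.com"},
    {"type": "hidden", "name": "display_name", "value": 'O"Brien'},
]


def build_form(fields, action="https://target.example/settings", method="POST"):
    """Return an <html> element holding a form with one <input> per field.

    Mirrors the book's steps (grab the root, create a tag, append it in a
    loop) with ElementTree. The action/method defaults are placeholders.
    """
    html_tag = ET.Element("html")
    body_tag = ET.SubElement(html_tag, "body")
    form_tag = ET.SubElement(body_tag, "form", {"action": action, "method": method})
    for field in fields:
        # Attributes are a plain dict of strings here, so 'name' needs no
        # special casing (in Beautiful Soup's new_tag() it is a parameter).
        field_tag = ET.SubElement(
            form_tag, "input", {"type": field["type"], "name": field["name"]}
        )
        if "value" in field:
            field_tag.set("value", field["value"])
    # The submit control that closes out the basic form structure.
    ET.SubElement(form_tag, "input", {"type": "submit", "value": "submit"})
    return html_tag


def render(html_tag):
    """Serialize to HTML text. The serializer escapes quotes and ampersands
    in attribute values, so a value containing '"' cannot break the markup."""
    return ET.tostring(html_tag, encoding="unicode", method="html")


def input_names(html_tag):
    """List the name attributes of the generated inputs, in document order."""
    return [el.get("name") for el in html_tag.iter("input") if el.get("name")]


if __name__ == "__main__":
    print(render(build_form(SAMPLE_FIELDS)))
```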
