Forum Discussion

joneill's avatar
joneill
Icon for Bronze II rankBronze II
4 days ago
Solved

Help with Cross Site Request Forgery (Twooter)

Hi folks, I'm having a hard time getting past the Cross Site Request Forgery lab - specifically I'm not sure what sort of payload I can use to obtain the username of the scraper. I can get their I...
challenges
help & support
immersive labs
  • barney's avatar
    barney
    3 days ago

    Oh OK.  You don't need to try and send anything back to your kali box - just craft a link that when clicked will send a message to the message board.

joneill's avatar
joneill
Icon for Bronze II rankBronze II
3 days ago

Hi Barney

Thanks for coming back to me. I really appreciate the steer but I'm still pretty stuck on what that sort of payload would look like. I just fed the existing html for the submit button back, but pointed to my server - I get connections back but they don't include the required data. Below is what I'm sending and seeing in response.

Check out this link <a href=http://10.102.124.10:5555> <input type="submit" name="submit"></a>



connect to [10.102.124.10] from (UNKNOWN) [10.102.82.247] 59456
GET / HTTP/1.1
Host: 10.102.124.10:5555
User-Agent: python-requests/2.25.1
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive

 

barney's avatar
barney
Icon for Bronze III rankBronze III
3 days ago

Oh OK.  You don't need to try and send anything back to your kali box - just craft a link that when clicked will send a message to the message board.

  • joneill's avatar
    joneill
    Icon for Bronze II rankBronze II
    3 days ago

    This seems so simple when you point it out. A great reminder of the importance of not over thinking things. Thanks so much for the help.