Giters

Sybelle03 / CVE-2021-43617

This is a reproduction of PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) vulnerability

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

CVE-2021-43617

This is a reproduction of PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) vulnerability

Description

The vulnerability exploits the fact that we can bypass laravel image file upload functionality to upload arbitary files on the web server which let us run arbitary javascript and bypass the csrf token

Steps to reproduce:

  • Creation of a Laravel 8.7.* application displaying an upload image file form
  • Creation of a html file csrfbypass.html which contains the exploit to bypass form csrf token.
  • Use of HxD tool to add FF D8 FF E0 at the very begining of the file (giving the csrfbypass_util.html file)
  • Upload this one on the application and try to display it. The csrf token is displayed in the alert(javascript)

About

This is a reproduction of PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF) vulnerability

Languages

Language:PHP 79.3%Language:Blade 18.2%Language:HTML 1.4%Language:Dockerfile 0.6%Language:JavaScript 0.5%