[Owasp_mutillidae_2_project] Newbie question re javascript in Mutillidae CSRF hints

Chris Ducharme cgdjmrsp at gmail.com
Mon Aug 18 17:09:49 UTC 2014


Hi, I'm a recent compsci grad trying to learn about infosec and
pen-testing. I've been playing with Metasploitable and Mutillidae and I
have a question that's not about Mutillidae per se (though it is directly
related to one of the hints given); it's more of a JavaScript/browser
question.

If this is not the appropriate place for such a question, I apologize, and
feel free to ignore the rest of this email.

On the Mutillidae add-to-blog page
(/mutillidae/index.php?page=add-to-your-blog.php) one of the CSRF hints
contains some code for an HTML form injection that includes the following
line:

<span onmouseover="try{var lURL=document.location.href;document.getElementById(\'CSRF\').submit();document.location.href=lURL;}catch(e){alert(e.message);}">Hello World</span>

I don't have very much JavaScript experience, but it's pretty clear that
this creates a bit of text that should do the following upon mouseover:

1. save the current URL
2. submit form 'CSRF'
3. return to the saved URL

but in practice it does something very strange. Instead of submitting the
form as a POST, it submits it as a GET, and so the form is not properly
submitted. If I remove the statement "document.location.href=lURL;", it
submits the form correctly (though obviously the browser then doesn't
return to the original page).

My guess is that this is some sort of same-origin policy policing on the
browser's part, but I really have no idea how it's happening or why. Any
ideas as to what's going on?

I'm using Mutillidae 2.1.19 on Kali; the browser is IceWeasel 24.7.0.

- Chris
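
An added example, not part of the original message or of Mutillidae: a simplified JavaScript model of the three handler steps listed above, assuming a page keeps only one pending navigation and that a later `document.location.href` assignment replaces an earlier `form.submit()`. The `BrowsingContext` class, `runHandler` and the form field are constructed for illustration.

```javascript
// Simplified model (an assumption, not browser source code): a browsing
// context keeps at most ONE pending navigation. The handler script runs to
// completion first; only the navigation still pending afterwards is fetched.
class BrowsingContext {
  constructor(url) {
    this.href = url;
    this.pending = null; // navigation waiting for the script to finish
    this.sent = [];      // requests that actually left the browser
  }
  // Models form.submit(): schedules a navigation using the form's method.
  submitForm(form) {
    this.pending = { method: form.method, url: form.action, body: form.fields };
  }
  // Models "document.location.href = url": always a plain GET with no body.
  // It replaces whatever navigation was pending.
  setHref(url) {
    this.pending = { method: "GET", url: url, body: null };
  }
  // Models the end of the event handler: the surviving navigation is sent.
  finishScript() {
    if (this.pending) {
      this.sent.push(this.pending);
      this.href = this.pending.url;
      this.pending = null;
    }
    return this.sent;
  }
}

// Constructed stand-in for the injected form with id "CSRF".
const PAGE = "/mutillidae/index.php?page=add-to-your-blog.php";
const csrfForm = { method: "POST", action: PAGE, fields: { entry: "constructed sample" } };

// Runs the three steps of the onmouseover handler; step 3 is optional.
function runHandler(returnToSavedUrl) {
  const ctx = new BrowsingContext(PAGE);
  const lURL = ctx.href;                    // 1. save the current URL
  ctx.submitForm(csrfForm);                 // 2. submit form 'CSRF'
  if (returnToSavedUrl) ctx.setHref(lURL);  // 3. return to the saved URL
  return ctx.finishScript();
}

console.log(runHandler(true));  // with step 3: one GET, the POST never goes out
console.log(runHandler(false)); // without step 3: the POST is sent
```

Under this model no same-origin check is involved: both navigations target the same page, and the only difference is which one is still pending when the handler returns.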