Consider a response with a Content-Type: application/json;charset=UTF-8 header and a Content-Disposition: attachment;filename=text.txt header, with the Content-Disposition header appearing first. I am able to use the Content-Disposition header in my favor as a CSRF attack, which makes the file auto-download on the victim's machine, by including the URL as the src of an iframe. But if I use fetch, I am blocked by CORB, as the response has application/json as its content type. Is there any way to smuggle the data I was able to download to a remote server?
1 Answer
You may be able to trick the victim's browser into making the request and perhaps even downloading the response somewhere, but you cannot access the response in JavaScript unless it has an Access-Control-Allow-Origin header that allows this.
The most you could do is measure the running time of the request and deduce something from that, using a mechanism like this:
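```javascript
var running = false, time = 0, last;
// requestAnimationFrame passes an absolute timestamp, so add up the
// difference between consecutive frames while the request is in flight.
function tick(ts) {
  if (running && last !== undefined) time += ts - last;
  last = ts;
  requestAnimationFrame(tick);
}
function attack() {
  requestAnimationFrame(tick);
  document.querySelector('form').submit();
}
```

```html
<body onload="attack()">
  <form action="https://cross.origin.resource" target="target"></form>
  <!-- The first load event starts the clock, the second one reports the elapsed time -->
  <iframe name="target" onload="if (running) alert(time); else running = true;"></iframe>
</body>
```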

Heiko Theißen
- What do you mean by downloading the response elsewhere? It will be downloaded only on the user's machine, right? – patrick jason Jul 12 '22 at 06:07
- Is there any way to smuggle the downloaded data, or create a stream and send it to a remote server, etc.? – patrick jason Jul 12 '22 at 06:08
- Only to the user's machine. – Heiko Theißen Jul 12 '22 at 06:34
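The rule the answer relies on, as an added example that is not part of the original question or answer: a simplified model of the CORS check from the Fetch standard, which decides whether script may read a cross-origin response. The function name and the two origins are constructed for illustration; the sample response uses the headers from the question.

```javascript
// Added example: simplified model of the browser's CORS check (Fetch standard).
// requestOrigin   - serialized origin of the page that called fetch()
// credentialsMode - 'omit' | 'same-origin' | 'include'
// responseHeaders - plain object of response header name -> value
function corsAllowsRead(requestOrigin, credentialsMode, responseHeaders) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return false;       // no header: response stays opaque to script

  const withCredentials = credentialsMode === 'include';
  if (acao === '*') return !withCredentials;  // wildcard is never honoured with credentials
  if (acao !== requestOrigin) return false;   // must match the origin exactly
  if (!withCredentials) return true;

  // Credentialed reads additionally need an explicit, case-sensitive opt-in.
  return h['access-control-allow-credentials'] === 'true';
}

// The response described in the question: no Access-Control-Allow-Origin at all.
const QUESTION_RESPONSE = {
  'Content-Disposition': 'attachment;filename=text.txt',
  'Content-Type': 'application/json;charset=UTF-8',
};

// Constructed origins, for illustration only.
const OTHER_ORIGIN = 'https://other.example';
const TRUSTED_ORIGIN = 'https://app.example';
```

Since the response in the question carries no Access-Control-Allow-Origin header, the check fails for every origin and credentials mode, and a server that keeps it that way, or names only trusted origins exactly, keeps the body unreadable to other sites' scripts.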