CSRF token stealing with XSS: JS for Pentesters task 17 write up
Write-up for task 17 of the JS for Pentesters series by SecurityTube: CSRF token stealing.
JS for Pentesters task 17
Our objective is to find John's email address using an XSS vulnerability on that page and display the email address in the div with id "result". The condition is that no hardcoded values may be used; everything has to be figured out dynamically. For convenience, the token and uid have been saved in the HTML file itself, so we could hard-code them to break the challenge, but the author has specifically stated that everything must be figured out dynamically. Let us see what the payload looks like:
So what we have done here, basically, is take the uid and csrt_token dynamically from the HTML page, so that even if the token or uid changes in the future, the payload still works. Then we added those parameters to the URL, sent it with an XMLHttpRequest(), and got the email address back in the response.
1) If you did not fully understand the payload, I strongly recommend reading the basics of XMLHttpRequest() first and then trying again.
3) You have to URL-encode the payload before injecting it via the URL parameter, or it will fail to work.
We hope you really liked this challenge. If there is anything you did not understand or want more clarity on, please comment below and we will be more than happy to help. Also, if you find a better way of solving the challenge, please share it with us; we are happy to learn from our readers too. Happy pentesting.