# Week 29 - XSS to CSRF

## Chaining XSS with CSRF

Did you know that you can use XSS to perform a Cross-Site Request Forgery (CSRF) attack, even if you’re using CSRF tokens correctly (assuming cookie-based authentication is in place here)?

You might be thinking this is impossible, but it all comes down to Cross-Origin Resource Sharing (CORS). If you remember my week 3 post, CORS determines which domains are specifically allowed to read files from the server. If you are an allowed origin, you can retrieve the page's HTML source code. If you are not, then you are blocked.

Keeping this in mind, a Cross-Site Scripting (XSS) attack allows us to execute JavaScript code within the same origin as the target site. So an XSS on vulnerable\[.]com/page\[.]php would execute from the allowed origin of vulnerable\[.]com.

Chaining this all together, we can create an XSS payload that sends a request to the page containing the CSRF token, pulls the token from the source code in the response, then uses the token in a new request to take over the account. See the image for the JavaScript code that shows how this is done.

![SRC: https://portswigger.net/web-security/cross-site-scripting/exploiting/lab-perform-csrf](/files/eYtgEX49iFLgFiBR3Mt1)
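
The following is an added example, not code from the original post or from PortSwigger: a small Node.js model of the server side, showing which requests a token-only check accepts and how a re-authentication check on the sensitive action changes the outcome. The origin, session store, handler names and the current-password check are assumptions made for illustration.

```javascript
const crypto = require("crypto");

const SITE = "https://vulnerable.example"; // constructed origin for the model
// Constructed sample session: cookie value -> account state.
const sessions = new Map([["sess-1", {
  email: "user@example.test",
  csrf: crypto.randomBytes(16).toString("hex"),
  password: "constructed-sample-password", // a real app stores a hash
}]]);

// The account page embeds the per-session CSRF token in its HTML.
function accountPage(cookie) {
  return `<input type="hidden" name="csrf" value="${sessions.get(cookie).csrf}">`;
}

// Browser rule: a script may read a response body only from its own origin
// or from an origin the server's CORS policy allows.
function canRead(scriptOrigin, corsAllowList = []) {
  return scriptOrigin === SITE || corsAllowList.includes(scriptOrigin);
}

// Token-only protection: the session cookie plus a matching token is enough.
function changeEmail(cookie, body) {
  const s = sessions.get(cookie);
  if (!s) return 401;
  if (body.csrf !== s.csrf) return 403;
  s.email = body.email;
  return 200;
}

// Hardened variant: the sensitive action also needs the current password,
// which is not present anywhere in the page source.
function changeEmailHardened(cookie, body) {
  const s = sessions.get(cookie);
  if (!s) return 401;
  if (body.csrf !== s.csrf || body.currentPassword !== s.password) return 403;
  s.email = body.email;
  return 200;
}

// Model a script running at scriptOrigin in the victim's browser: the model
// assumes the cookie is attached; the token is known only if the page is readable.
function scriptedChange(scriptOrigin, handler) {
  const html = canRead(scriptOrigin) ? accountPage("sess-1") : "";
  const m = html.match(/name="csrf" value="([0-9a-f]+)"/);
  return handler("sess-1", { csrf: m ? m[1] : "", email: "changed@example.test" });
}
```

In this model the token stops a script from another origin, but not a script running on the site's own origin; only the check on a secret that never appears in the page does.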

