Week 29 - XSS to CSRF
Did you know that you can use XSS to perform a Cross-Site Request Forgery (CSRF) attack, even if you are using CSRF tokens correctly (assuming cookie-based authentication is in place)?
You might be thinking this is impossible, but it all comes down to Cross-Origin Resource Sharing (CORS). If you remember my week 3 post, CORS determines which origins are allowed to read responses from the server. If you are an allowed origin, you can read the page's HTML source; if you are not, you are blocked.
With that in mind, a Cross-Site Scripting (XSS) attack lets us execute JavaScript within the same origin as the target site, so an XSS on vulnerable[.]com/page[.]php runs from the allowed origin vulnerable[.]com.
Chaining this together, an XSS payload can request the page that contains the CSRF token, extract the token from the source code in the response, and then use it in a new request to take over the account. See the image for the JavaScript code that does this.