How it works...
For this recipe, we first identified a request that we wanted to exploit but was adequately protected with a unique token. We also identified that the same domain (or application) is vulnerable to XSS in other pages.
By exploiting the XSS vulnerability, we were able to include script code hosted outside the target domain and use it to first extract the token and then to forge a request that included legitimate anti-CSRF protection.
The script code we used works using JavaScript to send a request to the page we wanted to exploit. Once the response is received from the server (if(xmlhttp.readyState==4 && xmlhttp.status == 200 )), it is processed and the token is extracted (var token=responseDoc.getElementById('token').value; ...
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access