Published in CryptoGen Nepal

R-XSS Leading CSRF Bypass To Account Takeover

On Aug 14, I was testing a web application. While going through its error parameters, I found a Reflected XSS in one of them:

http://Redact/Redact.EXT?errorMsg=<Vulnerable End-point>

A Reflected XSS on its own was not the kind of critical vulnerability I was looking for. Next I was going to try CSRF, but the site had CSRF protection, so that was not possible. Continuing my search, I stumbled upon a page where you could change the password, but it had no “Old Password” field. Because of the CSRF protection, an attacker could not remotely set a new password. Then I had an idea and started working on a script.

The script was created to steal the CSRF token value from the web application. Using AJAX, it sent the CSRF token to process.php, which wrote the stolen token into write.php, and finally redirected the target to csrf.php.

When the target was redirected to csrf.php, the form on that page auto-submitted. That form contained the CSRF token taken from write.php, so as soon as the target clicked the R-XSS link, the token was stolen and the password was changed in the same flow.

Result:
Using the R-XSS vulnerability and a couple of lines of JS and PHP, I was able to steal the CSRF token and change the victim's password.

P.S.
The initial script was very long because I was in a rush, but this short final version can also be used to recreate this PoC.

Request

Thank you for reading this article…
Happy Hacking :)

Nirmal Dahal

C|EH Master | CNSS | NSE | CCNA Cyber Ops | CPISI | CSFPC
