If we found that the application we are testing uses an anti-CSRF protection and is well-implemented, it is not the end. Maybe it is possible to defeat the anti-CSRF protection if we can use an XSS technique.
Let's do a little research about XSS attacks. The XSS attack sends a URL or POST request with the malicious payload to the user. So, if an application is vulnerable to CSRF but it has an anti-CSRF protection, when the application receives the XSS attacks, it will have the token or hash included as protection. So, the purpose is not injecting the code, but getting the token to use it in other requests.
This is the basic idea, but XSS could be exploited to bypass other types of protections. Here's a summary of how you can do it:
- A stored XSS could read all the tokens in an application. Why? Because a stored XSS is launched...
