Brute-Forcing User IDs via CSRF to Delete All Users with a CSRF Attack

Armaan Pathan
Mar 12, 2019

While testing an application, I found a “Delete User” module in which an admin can delete any user.

If you look at the request, you will notice that no CSRF token or other CSRF protection is implemented on the delete-user request.

This was a very easy CSRF: an attacker can send the form to the admin and delete the user from the application.

Simple CSRF PoC to Delete User

But notice that the request contains the user ID. My challenge was to figure out whether the application leaked user IDs at any endpoint, but I found that there was no user ID leakage.

As it was a 5-digit numeric ID, it was easy to brute-force.

While researching, I found a blog post in which an attacker brute-forced the IDs with the help of clickjacking.

  • The challenge now was that the application was using the X-Frame-Options header, so I was not able to load the application into a frame to brute-force the IDs.
  • I tried XMLHttpRequest, but the application was validating the Origin, so in this case XHR didn't work for me.

Then I tried sending the requests into an iframe target.

In this case, I was not able to view the response, as the response had the X-Frame-Options header, which the application was validating. But I was able to send the request.

So I made a CSRF script that brute-forces the user IDs and deletes all the existing users from the application via CSRF.

And when I sent this PoC to the victim (admin), I was able to delete all existing users from the application.
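
One way to close the gap described above, as an added example that is not from the original post or the tested application: the delete-user handler requires a per-session token that a cross-site page cannot read, so a forged form POST is rejected even though the browser attaches the admin's cookie and the sender never needs to see the response. The names `SERVER_KEY`, `TRUSTED_ORIGIN`, `csrf_token`, `user_id` and the sample requests are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-deployment secret; generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://app.example"  # hypothetical application origin


def issue_csrf_token(session_id: str) -> str:
    """Token the server embeds in its own delete-user form for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_delete_request(session_id: str, headers: dict, form: dict) -> tuple:
    """Return (allowed, reason) for a POST to the delete-user action."""
    # A cross-site page cannot read the admin's form, so it cannot supply
    # this value even though the browser attaches the session cookie.
    sent = form.get("csrf_token", "")
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return (False, "missing or invalid CSRF token")
    # Defence in depth: reject when the browser states a foreign origin.
    # The token check above does not depend on this header being present.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return (False, "cross-site origin")
    return (True, "ok")


# Constructed sample requests (not taken from the application in the post).
ADMIN_SESSION = "constructed-session-id"
FORGED = {"headers": {"Origin": "https://other.example"},
          "form": {"user_id": "10001"}}
LEGIT = {"headers": {"Origin": TRUSTED_ORIGIN},
         "form": {"user_id": "10001",
                  "csrf_token": issue_csrf_token(ADMIN_SESSION)}}

if __name__ == "__main__":
    for name, req in (("forged", FORGED), ("legit", LEGIT)):
        print(name, check_delete_request(ADMIN_SESSION, req["headers"], req["form"]))
```

Because the check happens before the delete is performed, it does not matter whether the caller can read or frame the response.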

Thanks, guys, for reading.
Have a great day ahead.
