Brute Forcing User IDS via CSRF To Delete all Users with CSRF attack.
While testing an application, there was a module “Delete User” in which an admin can delete any user.
If you notice in the request, there is no CSRF Token/Protection implemented into delete user request.
This was very easy CSRF that an attacker can send the form to admin and can delete the user from an application.
Simple CSRF PoC to Delete User
But again if you notice that request contains the user id. My challenge was to figure out that if an application user ids at any endpoints but I found that there was no user ID leakage.
As it was 5 digits numeric ID, It was easy to brute force,
From the research I got the blog post in which an attacker has brute-forced the IDs with the help of clickjacking.
Client-side CSRF Token Brute Forcing
While playing around with some CSRF examples the idea of client-side CSRF token brute-forcing came into my head. I'd…
- Now Challenge is that an application was using X-Frame Options Header so I was not able to load an application into the frame to brute force the IDS.
- I tried with XMLHttpRequest, But again an application was validating the ORIGIN so, in this case, XHR dint work for me.
Then I tried by throwing requests into iframe target.
In this case, I was not able to view the response as the response had X-Frame-Option Header which application was validating. But I was able to send the request
So I made a CSRF Script which brute forces the USER IDS and deletes all the existing Users with CSRF from an application
And When I sent this PoC to the victim (admin), I was able to delete all Existing users from an application.
Thanks, guys for reading.
Have a great day ahead.