Stored Cross Site Scripting (XSS) via Cross Site Request Forgery (CSRF)

Hello Guys, Welcome to my another blog.

This time, I’m bringing up a vulnerability I just discovered through a private bug bounty programme. It’s called Stored Cross Site Scripting (XSS) via Cross Site Request Forgery (CSRF).

Introduction

In the world of web application security, vulnerabilities are a constant concern. Cross-Site Request Forgery (CSRF) and Stored Cross-Site Scripting (XSS) are two of the most prevalent and harmful vulnerabilities. When these flaws come together, the security and integrity of online applications are considerably more at risk. In this blog article, we’ll examine the ideas of stored XSS and CSRF separately before delving into the dangers. In order to comprehend these vulnerabilities, we must first understand both of them.

Understanding Stored Cross-Site Scripting (XSS):

A vulnerability known as stored XSS enables an attacker to insert malicious code into a website or online application. Stored XSS happens when malicious code is persistently stored on the target server and presented to subsequent users when they view the affected page, Reflected XSS happens when the malicious code is contained in the URL or a request parameter and immediately executed, This makes it particularly dangerous as the code is injected into many users, increasing the potential for harm.

Overview of Cross-Site Request Forgery (CSRF):

CSRF is another security vulnerability that exploits the trust between a user and a website. In a CSRF attack, a victim is tricked into unintentionally taking an undesirable action on a reliable website. The reason for this is that without the victim’s knowledge or approval, their browser sends valid, authenticated queries to the target website. CSRF attacks can lead to various malicious actions, such as changing passwords, performing unauthorized transactions or modifying user settings.

Now let’s combine these vulnerabilities:

When stored XSS and CSRF are combined, the consequences are even more serious. Through CSRF an attacker can manipulate user activities and take unwanted actions on their behalf. These operations may include bypassing any input validation or output encoding safeguards and introducing malicious scripts using a stored XSS vulnerability. Unknowing users can consequently run dangerous scripts, compromise sensitive data, or become victims of identity theft.

Vulnerability Practical:

I discovered a vulnerability in the username parameter. Application allows users to update their profile information, including their username. The application fails to properly sanitize user input and is vulnerable to XSS. Furthermore, it lacks CSRF protection.

The following four steps can effectively exploit the vulnerability:

Step 1: Identify parameter that is vulnerable to Cross Site Scripting and Cross Site Request Forgery. You can easily identify CSRF vulnerable parameter using firefox extension called CSRF Checker.

Step 2: Generate a CSRF poc of the captured request by injecting the XSS payload into the vulnerable parameter by capturing the request using Burp Suite. Save this poc in .html file.

Step 3: Send this file to victim.

Step 4: Whenever the victim opens this file in the browser, the payload is successfully executed on the victim’s account on the application.

POC:

- Vulnerable parameter of XSS and CSRF.

- Captured request in burp suite for generating CSRF poc.

- Generating poc by adding XSS payload.

- Copy the text and save into file with .html extension.

- The victim opens the file in a browser, the payload is executed.

Thanks, For reading. I hope you get something new.