Feb 10, 2019 · 3 min read

CSRF Bypass Using Cross Frame Scripting

Hello everyone! Mr.Hacker here. In this article I am going to show how I bypassed CSRF protection using cross frame scripting (clickjacking) in a public program on HackerOne.

Cutting directly to the point: the web application has a module for sending messages to users, shown below.

[Screenshot: Send Message Form]

Initially I tested this module for CSRF, but it was fully mitigated: the POST request carried a token that the server validated, so a plain CSRF attack was not possible. Later, however, I noticed that after generating a CSRF PoC in Burp, removing the CSRF token and executing it, the server responded with a new message form that had the same form values pre-filled and a new, valid CSRF token set.

So if I then clicked on "Post Message", the request would be sent with the form values already set by the server and would execute successfully. I then chained cross frame scripting with the CSRF, since the entire web application was vulnerable to cross frame scripting (any of its pages could be loaded in a frame on another origin).

[Screenshot: CSRF File In Clickjacking]
[Screenshot: Chaining CrossFrameScripting and CSRF]

Attack Scenario:

  1. The attacker generates a CSRF PoC in Burp with the desired form values and removes the CSRF token from it.
  2. When this PoC is executed, the server responds with the form that has all the values pre-set and a valid token. The attacker therefore embeds the CSRF file inside a clickjacking page.
  3. When the victim opens the malicious URL sent by the attacker, the clickjacking page loads the CSRF file, which auto-submits the form with the chosen values; the server responds with the same form values set and a valid CSRF token. That response is now displayed inside the clickjacking frame, and when the user clicks "Post Message" a valid request is generated and executed successfully.
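To show the two things a defender has to fix here, an added example (my own, not code from the program or the original post) sketches the message endpoint in Python: the vulnerable mode re-renders the form with the unverified values and a fresh token after a token-less POST, exactly the behaviour the scenario above relies on, while the hardened mode rejects such a request without echoing any values and adds anti-framing headers. The field names, session layout and `/message` path are assumptions.

```python
import hmac
import html
import secrets

# Headers that stop the message form from being loaded in a third-party frame,
# which is what the clickjacking step in the scenario above relies on.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

def render_form(values, token):
    """Render the (hypothetical) send-message form with the given field values."""
    to = html.escape(values.get("to", ""), quote=True)
    message = html.escape(values.get("message", ""), quote=True)
    return (
        '<form method="POST" action="/message">'
        f'<input name="csrf_token" type="hidden" value="{token}">'
        f'<input name="to" value="{to}">'
        f'<textarea name="message">{message}</textarea>'
        '<button>Post Message</button></form>'
    )

def handle_post_message(form, session, hardened=True):
    """Simulate POST /message; returns (status, headers, body).
    form: submitted fields (may lack 'csrf_token', as in the attacker's PoC);
    session: the victim's server-side session, holding the expected token."""
    submitted = form.get("csrf_token", "")
    expected = session.get("csrf_token", "")
    if expected and hmac.compare_digest(submitted, expected):
        session.setdefault("sent", []).append(
            {"to": form.get("to", ""), "message": form.get("message", "")})
        session["csrf_token"] = secrets.token_hex(16)  # rotate the token after use
        return 200, dict(ANTI_FRAMING_HEADERS) if hardened else {}, "Message sent"
    if not hardened:
        # Behaviour the article describes: echo the unverified values back into a
        # fresh form with a valid token, ready for the framed "Post Message" click.
        session["csrf_token"] = secrets.token_hex(16)
        return 200, {}, render_form(form, session["csrf_token"])
    # Hardened: reject, and never pre-fill a form from an unverified POST.
    return 403, dict(ANTI_FRAMING_HEADERS), "CSRF token missing or invalid"

def allows_framing(headers):
    """True if a response could be loaded inside a frame on another origin."""
    xfo = headers.get("X-Frame-Options", "").upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp
```

Either fix alone closes the chain: without the echoed values there is nothing for the victim to click, and without framing there is no way to hide the click.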

I then submitted this vulnerability and received a bounty. The reason for writing this article is to show that no vulnerability is low if it can be chained with a few others: together they can produce a high-impact issue. Most people avoid submitting cross frame scripting or other low-impact vulnerabilities because they are out of scope, but used in a unique way, together with a few other vulnerabilities, such low-hanging fruit can also have a great impact.

You can see the video PoC here.

That's it, I hope you enjoyed this article. Happy Hacking!
