CSRF Bypass Using Cross Frame Scripting

Hello Everyone!! Mr.Hacker here. In this article I am going to show how I bypassed CSRF using cross frame scripting in a public program on HackerOne.

So, cutting straight to the point: the web application has a module for sending messages to users, as shown below.

[Image: Send Message Form]

Initially I tested this module for CSRF, but it was fully mitigated: the POST request carried a token that the server validated, so a plain CSRF attack was not possible. Later, though, I noticed that if I generated a CSRF PoC in Burp, removed the CSRF token and executed it, the server responded with a new message form in which the same form values were pre-filled and a fresh, valid CSRF token was set.

So if I now clicked “Post Message”, the request would go to the server with the form values already populated by the server and would execute successfully. Since the entire web application was vulnerable to cross frame scripting, I decided to chain cross frame scripting with CSRF.

[Image: CSRF file in clickjacking; chaining cross frame scripting and CSRF]

Attack Scenario:

  1. The attacker generates a valid CSRF PoC in Burp with the desired form values and removes the CSRF token.
  2. When the CSRF PoC is executed, the server responds with all form values pre-set and a valid token. The attacker therefore embeds the CSRF file inside the clickjacking file.
  3. When the victim opens the malicious URL sent by the attacker, the clickjacking file loads the CSRF file, which auto-submits the form with the chosen values; the server replies with the same values set and a valid CSRF token. That response is displayed inside the clickjacking frame, and when the user clicks Post Message a valid request is generated and executed successfully.
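As an added example (not code from the original post or the affected application), here is a model of the server-side behaviour that makes this chain work: a flawed handler that re-renders the form with the submitted values and a fresh token when the token check fails, beside a hardened handler that rejects the request outright and forbids framing. All function and field names are hypothetical.

```python
# Added example: models the message-form handler described above.
# Requests are dicts of form fields; responses are dicts with status,
# headers, echoed form values and the token placed in the rendered form.
import hmac
import secrets


def check_csrf(session, token):
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.get("csrf_token")
    return bool(expected and token and hmac.compare_digest(expected, token))


def render_form(session, values):
    """Re-render the message form with the given values and a new token."""
    session["csrf_token"] = secrets.token_hex(16)
    return {"status": 200, "headers": {}, "form": dict(values),
            "token": session["csrf_token"]}


def vulnerable_post_message(session, form):
    # Flawed: a missing or invalid token is treated like a form validation
    # error, so the attacker-chosen values come back pre-filled with a valid
    # token, and nothing stops the page from being framed.
    if not check_csrf(session, form.get("csrf_token")):
        values = {k: v for k, v in form.items() if k != "csrf_token"}
        return render_form(session, values)
    return {"status": 302, "headers": {}, "form": {}, "token": None}


def hardened_post_message(session, form):
    # A failed token check is rejected with no echo of the submitted values,
    # and every response forbids framing so the form cannot be overlaid.
    headers = {"X-Frame-Options": "DENY",
               "Content-Security-Policy": "frame-ancestors 'none'"}
    if not check_csrf(session, form.get("csrf_token")):
        return {"status": 403, "headers": headers, "form": {}, "token": None}
    return {"status": 302, "headers": headers, "form": {}, "token": None}


if __name__ == "__main__":
    sess = {"csrf_token": "original"}
    forged = {"to": "victim", "body": "hi"}  # constructed: token stripped
    v = vulnerable_post_message(sess, forged)
    h = hardened_post_message(sess, forged)
    print(v["status"], v["form"], v["token"] is not None)  # 200 {...} True
    print(h["status"], h["form"], h["headers"])            # 403 {} {...}
```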

I submitted this vulnerability and received a bounty. The point of this article is that no vulnerability is low if it can be chained with a few others to produce a high-impact issue. Most people avoid submitting cross frame scripting or other low-impact vulnerabilities because they are out of scope, but used in a unique way, these low-hanging fruits combined with a few other bugs can have a great impact.

You can see the video PoC Here.

That’s it, I hope you enjoyed this article. Happy Hacking!