My First CSRF to Account Takeover worth $750
Before I start, I want to take a moment to thank everyone who helped me learn web application security and bug bounty hunting! :)
Hello, guys! The program was a private invite and I am still working with it. So, for the sake of the program's privacy, let us call it “example.com” in this writeup.
I got this invite around 6 months back. The website lets users place orders for public transport (e.g. purchasing tickets and passes) and stores user information like card details, home address, work address, etc.
To test for CSRF, I created two accounts, one for the attacker and one for the victim. Let us call them “Attacker@gmail.com” and “email@example.com”.
Now, I filled in the details for both accounts. Then I started making changes from the attacker's account, like adding a work address and placing an order. I turned Burp Intercept on and clicked the “save” button. Here is the Burp request I captured.
Next, I generated a CSRF PoC using Burp Suite and saved it as an HTML page, and sent it to the victim account, which was logged in using the Chrome browser. I opened the HTML page in a new tab of the Chrome browser and refreshed the page where I was already logged in. And boom….. The work address of the victim had changed to “bla….bla…bla” and a new order had been placed on behalf of the victim. As card details were not added to either account, the order was eligible for on-the-spot payment.
Now… I thought that if the attacker is able to place an order on behalf of the victim, then he could probably also take over the victim's account. I said to myself, let's check it out.. :)
To take over the account, I first went to the settings page of the attacker's account, entered a temporary email address from temp-mail.org and captured the request in Burp without any other changes, by re-saving the same information. Then I saved the CSRF PoC and sent it to the victim. As soon as I opened the page in the victim's browser, the email of the account changed from “firstname.lastname@example.org” to the temp-mail one. Then I was like….
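To show the defender's side of what happened above, here is an added example (my own code, not from the original post or from the program) of how a change-email endpoint like the one the CSRF PoC hit can be hardened. It contrasts a handler that trusts the session cookie alone, which is exactly what a forged cross-site POST exploits, with one that checks the Origin/Referer header and a per-session synchroniser token, and it shows the SameSite=Lax session cookie a hardened app would set. The in-memory session store, the request shape, SITE_ORIGIN, the attacker origin https://attacker.example and the new email addresses are assumptions and constructed sample data.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical in-memory session store: session id -> session data.
SESSIONS = {}
SITE_ORIGIN = "https://example.com"   # the (renamed) program site from the writeup


def create_session(email):
    """Log a user in: mint a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"email": email, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid):
    """Set-Cookie value a hardened app would send. SameSite=Lax makes the browser
    omit the cookie from a POST auto-submitted by a page on another site."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _session_for(request):
    return SESSIONS.get(request["cookies"].get("session"))


def change_email_unprotected(request):
    """The behaviour the writeup found: the session cookie alone authorises
    the change, so a forged cross-site POST succeeds."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    session["email"] = request["form"]["email"]
    return 200, "email updated"


def _same_origin(url, expected):
    a, b = urlsplit(url), urlsplit(expected)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def change_email_protected(request):
    """Hardened handler: Origin/Referer check plus synchroniser token."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    # 1. The browser sets Origin on cross-site POSTs; a mismatch is rejected outright.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source or not _same_origin(source, SITE_ORIGIN):
        return 403, "cross-site request rejected"
    # 2. The attacker's page cannot read the victim's token, so it cannot supply it.
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    session["email"] = request["form"]["email"]
    return 200, "email updated"


def build_requests():
    """Constructed sample traffic: the victim's own settings-form submit and a
    forged POST from an attacker-controlled page (what a Burp CSRF PoC sends)."""
    sid = create_session("email@example.com")
    token = SESSIONS[sid]["csrf_token"]
    legit = {
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"email": "newmail@example.com", "csrf_token": token},
    }
    forged = {
        "cookies": {"session": sid},   # browser attaches it automatically (no SameSite)
        "headers": {"Origin": "https://attacker.example"},   # constructed attacker origin
        "form": {"email": "tempmail-address@example.net"},   # no token: page cannot read it
    }
    return sid, legit, forged


def demo():
    """Run both handlers against both requests and report the status codes."""
    sid, legit, forged = build_requests()
    results = {}
    results["unprotected_forged"] = change_email_unprotected(forged)[0]
    SESSIONS[sid]["email"] = "email@example.com"   # undo the takeover for the next run
    results["protected_forged"] = change_email_protected(forged)[0]
    results["protected_legit"] = change_email_protected(legit)[0]
    results["final_email"] = SESSIONS[sid]["email"]
    return results


if __name__ == "__main__":
    print(demo())
```

Running the file shows the forged request succeeding against the unprotected handler and being rejected by the hardened one, while the victim's own form submit still goes through. In a real app the token is embedded in the settings form as a hidden field, and with SameSite=Lax the browser would not even attach the session cookie to the cross-site POST, so the forged request would arrive unauthenticated before either check runs.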
Finally, I wrote up a nice report and submitted it to the program. The company took almost 3 months to respond and closed the report by paying $750 in the following month. Although that was a bit low for an account takeover ;).
I thought of putting out this writeup a million times but I am lazy! Lol! :P
Thanks for being patient and reading this writeup. This is my first ever writeup. I hope you all like it; let me know if you want me to include anything else in my next writeup, or if you spot any mistakes in this one.