My first bug in google and how i got CSRF token for victim account rather than bypass it ($1337)!

Greetings,

Today i will share my first bug in google, Which is in “Books”. I was able to modify/delete bookshelf for victim account by get CSRF token rather than bypass it .

Let’s start ..

When sign in to your account on books.google.com,you will note that there is option to create bookshelf .

Firstly,i created bookshelf and then I captured request when delete it :

As you can see the sig sent as parameter .I tried different ways to bypass sig ,but unfortunately i couldn’t bypass it :( .

After deep search i found way to get CSRF_TOKEN for victim account rather than bypass :)

Steps :

1-Go to victim bookshelf and then you will find as below :

2-Press on Test :

3-When modify name or description and press save no thing happen ,because i am not authenticated user .

But let’s start check request :

The surprise was that there is sig parameter :))))

4- I created PoC with this sig parameter and then i send it to victim.

You need to create a PoC for each targeted victim :D