JSON CSRF attack on a Social Networking Site[Hackerone Platform]

Badoo.com on Hackerone Platform

Before describing the actual attack scenario let us first discuss what is CSRF attack ?

Basically lets consider Victim has an active session on a website and lets say victim has some details in his/her settings page on that website , so if no csrf token is implemented for the requests that go out from the settings page when someone tries to update the content in the settings page then an attacker can craft an html file or an image containing the details to be updated in the victim’s settings page using <form>, <input> etc in html , so as soon as the victim opens the image or the html file, the content in his/her settings page will get updated with the attackers’s content.

The two conditions that must be satisfied for this attack to be carried out is that first , there shouldn’t be any token going with the requests from that site , secondly the Victim should have an active session on that site.

So, one year back I was searching for bugs in this site m.badoo.com on hackerone platform, where i found this request https://m.badoo.com/api.phtml?SERVER_DELETE_ACCOUNT in burpsuite in which data was going in json format , as you can guess it was a request to delete the account of a registered user and similarly i got another one which was https://m.badoo.com/api.phtml?SERVER_RESET_TRUSTED_NETWORK , it was meant to delete all the contacts of a user on that site , so when i saw these requests i noticed that no csrf token was being sent alongwith these requests but the problem was that the data was sent in Json and i had to find a way to generate an HTML file for the CSRF POC , so I crafted two html files one for erasing imported contacts and another one for deleting account on m.badoo.com . But, as the content-type was json so parser introduced “=” at the end of content in header, so this became a problem for the attack to trigger but you can easily bypass such parameters by adding your own pair of values at the end like I added “ignore_me”:”’ value=’test”. The HTML code[Erasing Contacts] has been shown below :

<meta name="DNT" content="1">
<meta name="Connection" content="close">
<form action="https://m.badoo.com/api.phtml?SERVER_RESET_TRUSTED_NETWORK" method="POST" enctype="text/plain">
<input name='{"$gpb":"badoo.bma.BadooMessage","version":1,"message_type":327,"body":[],"is_background":false, "ignore_me":"' value='test"}' type="hidden">
<input type="submit">

The other thing i would like to mention here is that the entire json payload passed in the name parameter will not be accepted as content-type Json until we mention enctype=”text/plain” in the form action. So it was somehow a little bit different from a basic HTML form we generate for CSRF. The moral of this finding is that if request is going in JSON format just use encoding-type as text/plain and also bypass the “=” that is automatically appended at the end of the content in the request.Below is the Response in the Browser after the victim opened up the html code in his/her browser .

“Your contacts are being erased, this could take up to 5 minutes.”

Finally i Received 280$ bounty from badoo through hackerone for this bug.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store