Account Takeover Using CSRF (JSON-based)

shub rathore
Jul 4 · 3 min read

Hello everyone, I’m sil3nt_4unt3r. I am a bug hunter on HackerOne and Bugcrowd. This is my first blog post, so forgive my mistakes.

INFO:-

1. Admin = full privileges
2. H-User = some privileges
3. L-User = low privileges
4. Guest = very low privileges
5. Program name = Redacted.com
6. The site uses JSON to exchange data

I was hunting on a Bugcrowd private program. The program has four different kinds of roles: Admin, H-User, L-User, and Guest. First I logged in with the admin account and started testing every functionality. I noticed that whenever I changed any info on the site, it made an API request to the server, for example https://redacted.com/api/*. While testing functionality, I came to the account settings location and started fuzzing. This time I noticed that the site had no additional CSRF protection on the API endpoint; it used the API key as protection. Interesting.

API request

To perform CSRF I now needed another user's API key. But there was one endpoint used for sharing files and images and for chatting: https://redacted.com/office/[unique-Key]/story. I uploaded a file and shared it with everyone, then switched the account to L-User. After login, I saw a notification in my sidebar; I opened it and saw the document the admin had sent. Now I started my Burp listener and refreshed the page. I knew I could find a leak in these locations (https://redacted.com/api/id/storypost/*), so I set a Burp filter (story*) and, after analyzing some requests, I found the endpoint /API/officename/[id]/storyPost/[L-user-office-id]/comments, which leaks admin and other user data. After fuzzing more I found one more endpoint which leaks id, username, email, API key, office key and lots of other details (BOOM..!)

Leak other user info
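The root cause of the leak above is a comments endpoint that serialises whole user records, API key included, for everyone who can see the thread. The following is an added example, not code from the original post or from the affected program, showing the defensive side: an allowlist projection that builds the response from named public fields only, and a recursive scanner that flags sensitive key names in any JSON response so it can be used as a response filter or an API test. All records and key values are constructed placeholders; the field and key names are assumptions.

```javascript
// Added example (not code from the original post or from the affected program):
// data minimisation for a group chat / file-share comments endpoint, plus a
// scanner that flags sensitive keys in any JSON response before it is sent.
// All records below are constructed; key values are placeholders.

// Fields another user may legitimately see about a comment and its author.
const PUBLIC_COMMENT_FIELDS = ["id", "text", "createdAt"];
const PUBLIC_AUTHOR_FIELDS = ["id", "username"];

// Key names that must never appear in a response about other users.
const SENSITIVE_KEYS = new Set([
  "apiKey", "api_key", "officeKey", "office_key", "email", "password", "token",
]);

// What an over-sharing comments endpoint might return (constructed sample).
const RAW_COMMENTS = [
  {
    id: 101,
    text: "Please review the attached document",
    createdAt: "2019-05-09T10:00:00Z",
    author: {
      id: 1, username: "admin", email: "admin@example.com",
      apiKey: "ADMIN-API-KEY-PLACEHOLDER", officeKey: "OFFICE-KEY-PLACEHOLDER",
    },
  },
  {
    id: 102,
    text: "Thanks, looking at it now",
    createdAt: "2019-05-09T10:05:00Z",
    author: {
      id: 2, username: "l-user", email: "l-user@example.com",
      apiKey: "LUSER-API-KEY-PLACEHOLDER", officeKey: "OFFICE-KEY-PLACEHOLDER",
    },
  },
];

// Copy only the named fields (allowlist projection rather than a denylist).
function pick(obj, fields) {
  const out = {};
  for (const f of fields) if (obj[f] !== undefined) out[f] = obj[f];
  return out;
}

// Build the response body a viewer should actually receive.
function sanitizeComments(comments) {
  return comments.map((c) => {
    const out = pick(c, PUBLIC_COMMENT_FIELDS);
    out.author = pick(c.author || {}, PUBLIC_AUTHOR_FIELDS);
    return out;
  });
}

// Walk any JSON-serialisable value and return JSONPath-like locations of
// sensitive keys. Usable as a last-line response filter or as a test assertion.
function findSensitivePaths(value, path = "$") {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => hits.push(...findSensitivePaths(v, `${path}[${i}]`)));
  } else if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = `${path}.${k}`;
      if (SENSITIVE_KEYS.has(k)) hits.push(p);
      hits.push(...findSensitivePaths(v, p));
    }
  }
  return hits;
}

console.log(findSensitivePaths(RAW_COMMENTS));                   // six leaked paths
console.log(findSensitivePaths(sanitizeComments(RAW_COMMENTS))); // []
```

The projection is deliberately an allowlist: adding a new secret column to the user table later cannot leak through it, whereas a denylist would have to be updated. Running findSensitivePaths over every response in an integration test is a cheap way to catch the class of leak described in the post before it ships.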

Now I had everything; time to make the CSRF file. There are only two methods to perform JSON-based CSRF: the first uses the Flash method and the second XMLHttpRequest. In this scenario, the server uses a PUT request to update data, so we cannot use the Flash method. To perform XHR we need two things: first a CORS misconfiguration, second XSS. I already had stored XSS in this program. I made the CSRF file and sent the link to the admin. After clicking the link, their email, password, username, everything changed.

Impact:-

I was able to change the password, username, email, etc. of the admin or of every user. The main domain, subdomains and all users are vulnerable to this bug.

BugBountyTips:-

Always fuzz the (group) file share location or (group) chat endpoints; maybe you will find other users' tokens, usernames, API keys or other sensitive data. In my case, I found the major leak in the https://redacted.com/api/story* endpoint, where admin, H-user, L-user, and guest chat with each other, work as a group, or share notes or files.

I would like to thank the company co-founder; he is a very good man, and they helped me a lot in that situation, where the platform had not answered my questions. They directly contacted me and clarified everything to me. Thank you.

Report submitted 9 May 2019

Report Trigger 16 May 2019

Rewarded bounty $1000 on 27 May 2019

Bug Resolved 29 May 2019
