Reporting CSRF via Openbugbounty

Submit CSRF via OBB

The website is vulnerable to CSRF because there is no use of Anti-CSRF tokens in the website but the main focus of this post is how to submit a proper CSRF report via OBB because in the start OBB couldn't reproduce the CSRF reports and they all went to the rejected section in my case and in result making this post. Not only for bounty but you’ll get the idea what important things we should keep in our mind when making a detailed CSRF report. The below cheat sheet by @alexlauerman really helped me understand the different scenarios of CSRF. (Full post here)

To Alex

Vulnerability: CSRF/XSRF (Cross site request forgery)
Severity: Critical
Owasp rank: (OTG-SESS-005)

As per OBB our first required step is to create a proper XML report with 3 valid requests where first request will be the vulnerable POST request [below].

Vulnerable Request

Some researchers also submit the GET request of the vulnerable link which is useless because it will not show the vulnerable form in it. Only submit the POST one (request no 5106 here) and delete rest of the junk requests from HTTP history. Second step, before submitting the exploitation request take a screenshot of the victim’s profile page (in Chrome). Here we’ve to configure burpsuite with chrome too because we’re using two browsers with two different accounts to exploit the vulnerability. You might encounter certificate errors with chrome so just export it manually because http://burp doesn’t work in some cases.

For exploit right click on vulnerable request → Engagement tools → Generate CSRF PoC and save it as HTML [below] or you can manually write the exploit with takeover info.

Exploit

In chrome victim’s account should be open, in new tab open the exploit, submit the exploit and intercept the request and just forward it. Now you’ve second required request in your HTTP history (request no 5200 here)

Exploitation Request

Third request will be the page content on which the vulnerable form is so after exploitation just refresh or send GET request to the vulnerable page (request no 5202 here) and now we’ve three required request in history.

GET request/response with page request

Now take the screenshot of the victim’s profile page after successful exploitation. Go to burp and select all three request and give comment as per instruction and save the items in XML format. Fill up the required details like vulnerable link, screenshots, report, contact details in the submission form and yes, in comment section just write a steps to reproduce the vulnerability so that it becomes easy to check manually. Click on submit. Have a look at video PoC

4-Jan-2019 → Bug Reported

7-Jan-2019 → Bug accepted by OBB

Have a happy hunting