How I found it was possible for attacker to permanently modify the sensitive account details of the victim account because of Cross site request forgery(CSRF) vulnerability

Hello guys, I am UJJWAL GAUTAM from Nepal. This write up is about the CSRF vulnerability that I found on an Indian website,for now, we will say redacted.com because the issue has not been resolved yet.

• What is CSRF?

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform.

• What is the impact of CSRF?

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, the email address of the victim account might be changed leading to account takeover, password of the victim account might be changed leading to permanent lock out of user, sensitive account details might be modified and so on.

Recently I saw on Linkedin that someone found CSRF leading to account deactivation.

CSRF leading to account deactivation found by another researcher

After looking at this post, I thought of hunting for CSRF on some live website. I was not targeting for bug bounty program but instead my target was Vulnerability Disclosure Programs(VDP). I tried to search for CSRF in the website of different companies but I did not find any. All of them had good defense against CSRF attacks. They had implemented dynamic CSRF tokens.

• I tried to remove the value of the CSRF token parameter and then execute CSRF attack but failed.
• I tried to change the request method from POST to Get, failed.
• I tried to remove the CSRF token parameter, failed.
• I tried to change the value of CSRF token keeping the length same, failed.
• I refreshed the attackers account and tried to add the attacker’s token value in the CSRF token parameter in CSRF POC, failed.

Then,

I remembered someone’s post where he had posted a letter of appreciation for finding some vulnerability in that Indian company website few months before. At that time, I had visited that website to see if I could find some Stored XSS but I did not find any back then. So it was in my memory. I decide to test the website of that company. So, i typed that company name in google search and clicked on the first result which was redacted.com. I registered and created an account. My target was to find CSRF. I was not looking for anything else in any of the websites that day. I went to redacted.com/edit-profile, changed the value of different field and captured the resulting request in burp suit professional trial version.

Attacker’s Account

In the intercepted request window, I was so happy to find that there was no parameters such as CSRF token, xsrf, verfiycode, etc.

So I sent the request to the repeater.

• Clicked on Action>Engagement tools>Generater CSRF POC
• Copied the Html source code pasted in notepad
• I changed the value for parameters Name, Mobile Number, College/Company Name as well as Biography in the CSRF POC.
• save the notepad file in .html extension

CSRF POC

The CSRF POC had been generated from the attacker’s account. I logged out of attacker account and logged in to the victim account.

Victim’s Account

I opened the html file,and submitted the request.

Open html file in the browser where victim is previously authenticated.

Then the account details of the victim account was succesfully modified as there was no validation in the server side where the request was coming from and no tokens were implemented against CSRF attack. The CSRF attack was successfully executed.

Victim’s account details was modified.

The Name field of the account was non-editable so the victim would not be able to change back his name in his account. Therefore his account name was permanently modified.

========================================

• How did I get the burp suit profession trial version?

Thanks to Islington College. I requested for trial version through my college email which is collegeID@islingtoncollege.edu.np (as Portswigger company only sends trial version to the business email).

========================================

• Alternative to generate CSRF POC if you do not have Burp Suite Professional version

========================================

• Go to your terminal and clone this github ripo in your computer

merttasci/csrf-poc-generator

• Use these commands

git clone https://github.com/merttasci/csrf-poc-generator.git

cd csrf-poc-generator

ls

ifconfig

python -m SimpleHTTPServer 8081 (OR)

python -m http.server 8081 (Depends on your python version)

CSRF POC generator

If you want to connect on Facebook→ UJJWAL GAUTAM :)

Thanks to Binit Ghimire for Proof Reading.