Bruteforce user IDs via CSRF to delete all the users with CSRF attack

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 20 hours ago · bug-bounty
AI Summary

Researcher discovered a CSRF vulnerability in a user deletion module lacking CSRF tokens, combined with numeric user ID brute-forcing to delete all application users. The attack bypassed X-Frame-Options and origin validation by using iframe-targeted requests.

Brute Forcing User IDs via CSRF To Delete all Users with CSRF attack.
By Armaan Pathan · ~2 min read · March 12, 2019 (Updated: December 8, 2021)

While testing an application, I came across a module "Delete User" in which an admin can delete any user.

If you look at the request, there is no CSRF token or any other CSRF protection on the delete-user request. This was a very easy CSRF: an attacker can send the form to the admin and delete a user from the application.

[Image: Simple CSRF PoC to Delete User]

But notice that the request contains the user ID. My challenge was to figure out whether the application leaked user IDs at any endpoint, but I found that there was no user ID leakage. As it was a 5-digit numeric ID, it was easy to brute force. While researching, I came across a blog post in which the author brute-forced the IDs with the help of clickjacking:

Client-side CSRF Token Brute Forcing (pwndizzle.blogspot.in)

Now the challenge was that the application used the X-Frame-Options header, so I was not able to load the application into a frame to brute force the IDs. I tried XMLHttpRequest, but the application validated the Origin header, so XHR didn't work for me either. Then I tried submitting the requests with an iframe as the form target. In this case I was not able to view the response, because the response carried the application's X-Frame-Options header, but I was able to send the request.

So I wrote a CSRF script that brute forces the user IDs and deletes all the existing users from the application via CSRF. When I sent this PoC to the victim (admin), I was able to delete all existing users from the application.

Thanks, guys, for reading. Have a great day ahead.

#security #hackerone #bug-bounty #bugcrowd #owasp
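The write-up shows two gaps that together made the mass deletion possible: no synchronizer token on the delete-user request, and an Origin check that covered XHR but not a plain form post into an iframe target. The handler below, an added example and not the author's or the application's code, closes both on every state-changing request; the host name, request shape and user table are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the write-up names no host, so the allowed origin is a placeholder.
ALLOWED_ORIGINS = {"https://app.example"}


def issue_csrf_token(session):
    """Mint a per-session synchronizer token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def source_origin(headers):
    """scheme://host the browser says the request came from (Origin, else Referer)."""
    if headers.get("Origin"):
        return headers["Origin"]
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None  # neither header present: treat as untrusted


def delete_user(request, session, users):
    """Hardened POST /deleteUser. `request` is a dict with method/headers/form
    (assumed shape); returns (status, message). Both checks run before the user
    id is touched, so each brute-forced id costs a 403 instead of a deleted account."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    # 1. Origin check on every state-changing request, including plain form posts
    #    (the write-up's app checked it only for XHR, which the iframe target bypassed).
    if source_origin(request["headers"]) not in ALLOWED_ORIGINS:
        return 403, "cross-origin request refused"
    # 2. Synchronizer token bound to the admin's session, compared in constant time.
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    uid = request["form"].get("user_id")
    if uid not in users:
        return 404, "no such user"
    del users[uid]
    return 200, f"deleted {uid}"
```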