Hello guys, hope you are all doing well. I'm Abhisek, and here is a small write-up on a CSRF vulnerability I found in a bug bounty program. Don't worry, newcomers: it's beginner friendly.
Since I'm not allowed to disclose the site, let's take redacted[dot]com as our target. Okay, moving ahead.
First of all, what does Cross-Site Request Forgery (CSRF) mean? In simple words, it is a kind of one-click attack: the victim's browser submits a malicious request without the victim's knowledge, which may lead to sensitive actions being performed on the victim's account. If you would like to learn more 😃 follow the link ➡ CSRF
View the following screenshot and try to predict for yourself what is happening there.
The parameter "mobile" holds the user's mobile number as its value and "_csrf" holds the CSRF token. 🤔 Token?
A CSRF token is a random, hard-to-guess string. On a page with a form you want to protect, the server generates a random string, the CSRF token, and adds it to the form; the browser sends it back with the request and the server checks it before performing the action.
Remember, how CSRF tokens are generated and used differs from application to application, depending on how it is built. The main purpose of requiring a CSRF token is to reject requests that an attacker causes the victim's browser to send without the victim's knowledge.
NOTE: A CSRF token must be unpredictable and tied to the user's session; a token that anyone can obtain for a given account, or that is the same for that account everywhere, protects nothing. The token must be validated on every sensitive action to block malicious requests. In some applications, developers forget to validate the CSRF token, which may lead to sensitive actions on the victim's account without his/her knowledge.
BUG BOUNTY CHALLENGE: find the victim's token, or find a location where CSRF validation is missing, or come up with some out-of-the-box ideas!
On the redacted site, I found a way to capture the victim's token through a proxy (Burp Suite; Google it for more info). When a user requests a password reset link, the response contains a unique _csrf token for that user, and that same token is accepted for that user in every location throughout the application. Because the reset request only needs the victim's email or phone number, the token is effectively bound to the account rather than to the victim's session: anyone who can trigger a reset for the victim gets a token the server will accept.
Method to exploit: enter the victim's phone number or email in the password reset form and capture the _csrf token from the response. Then use the captured token in further sensitive requests, such as an email change, that the victim's logged-in browser is tricked into sending.
There's another challenge with this bug: as the screenshot shows, the request body is in JSON format, which is different from a normal form body, and a plain HTML form cannot send application/json on its own.
I leave this part to you. Use the monster GOOGLE to find the way to complete this exploitation part, and work out the conditions that need to be satisfied for a successful attack.