Crazy CSRF (Cross Site Request Forgery) — How did I find it?

Hello guys, hope all are doing good. I’m Abhisek; here is a small write-up on a CSRF vulnerability I found in a bug bounty program. Don’t worry, new people, it’s beginner friendly.

Image: Cross Site Request Forgery

Since I’m not supposed to disclose the site, let’s take redacted[dot]com as our target. Okay, moving ahead.

First of all, what does Cross-Site Request Forgery (CSRF) mean? In simple words, it is a kind of one-click attack, in which a malicious request is submitted from the victim's browser without his/her knowledge, which may trigger sensitive actions on the victim's account. If you'd like to learn more 😃 follow the link ➡ CSRF

View the following screenshot and try to predict for yourself what's happening there.

Image: Screenshot-1

There’s a request going out with the POST method (what is the POST method?) to the /dapi/suth/sms-otp endpoint. It carries a body in JSON format (what is JSON format?).

In simple words, JSON is JavaScript Object Notation, a format that holds key/value pairs.

The parameter “mobile” holds the user's mobile number as its value, and “_csrf” holds the CSRF token. 🤔 Token?

A CSRF token is a random, hard-to-guess string. On a page with a form you want to protect, the server generates a random string, the CSRF token, and adds it to the form so that it is sent back with the submission.

Remember, how CSRF tokens are generated and used differs from application to application, depending on how each one is built. The main motive for requiring a CSRF token is to block requests the victim never intended, sent on his/her behalf by the attacker.

NOTE: A CSRF token must be unique and random for every user. The token must be validated on every sensitive action to reject malicious requests. In some applications, developers forget to validate the CSRF token, which may allow sensitive actions on the victim's account without his/her knowledge.

BUG BOUNTY CHALLENGE: find the victim's token, or find a location where CSRF validation is missing, or come up with some out-of-the-box ideas!

On the redacted site, I found a way to capture the victim's token through a proxy (Burp Suite — Google it for more info). When a user requests a password reset link, a unique _csrf token is sent for that user, which was a valid token for that particular user in all locations throughout the application.

Method to exploit: enter the phone number or email of the victim and capture the CSRF token. For further sensitive requests, such as an email change, use the captured token.

Image: “It's so easy” meme

There’s another challenge in this bug: as I mentioned, the request body is in JSON format, which is different from a normal form body.

JSON vs Form data

I leave this part to you people; use the monster GOOGLE to find a way to complete the exploitation part. Find the conditions that need to be satisfied for a successful attack.
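As an added example (not from the original post and not the redacted site's code), here is a minimal Python sketch of the flawed design described above, a token that belongs to the account and so is handed out by any flow for that account, beside a session-bound token, plus the content-type check that matters for the JSON-body case. Session ids, the phone-number placeholder and the in-memory stores are all constructed.

```python
import hmac
import secrets

# Constructed in-memory state; a real server would use its session store.
_per_user_tokens: dict[str, str] = {}     # flawed design: one token per account
_per_session_tokens: dict[str, str] = {}  # hardened design: one token per session

def issue_token_weak(user_id: str) -> str:
    # Flawed scheme from the write-up: the token belongs to the account, so any
    # flow that returns it (a password-reset request for the victim's number)
    # hands out the token the server accepts for every action on that account.
    return _per_user_tokens.setdefault(user_id, secrets.token_hex(32))

def issue_token_bound(session_id: str) -> str:
    # Hardened scheme: the token is tied to the caller's own session, so a reset
    # flow run by someone else yields a token the victim's session never accepts.
    return _per_session_tokens.setdefault(session_id, secrets.token_hex(32))

def is_json_request(headers: dict) -> bool:
    # Defence in depth for JSON endpoints: a cross-site HTML form can only send
    # urlencoded, multipart or text/plain bodies, so requiring application/json
    # rejects form-based replays (it complements the token check, not replaces it).
    media_type = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return media_type == "application/json"

def validate_request(session_id: str, headers: dict, body: dict) -> bool:
    # Accept the sensitive action only if the body is JSON and carries the token
    # issued to *this* session, compared in constant time.
    if not is_json_request(headers):
        return False
    token, expected = body.get("_csrf"), _per_session_tokens.get(session_id)
    if not isinstance(token, str) or expected is None:
        return False
    return hmac.compare_digest(token, expected)

def demo() -> dict:
    # Victim is logged in as "sess-victim"; the attacker starts a reset flow for
    # the victim's number (constructed placeholder) and replays what it received.
    victim_token = issue_token_bound("sess-victim")
    leaked_weak = issue_token_weak("+00 0000000000")
    attacker_token = issue_token_bound("sess-attacker")
    json_hdr = {"Content-Type": "application/json; charset=utf-8"}
    form_hdr = {"Content-Type": "application/x-www-form-urlencoded"}
    return {
        "weak_token_same_for_account": leaked_weak == issue_token_weak("+00 0000000000"),
        "leaked_token_rejected": not validate_request("sess-victim", json_hdr, {"_csrf": attacker_token}),
        "form_replay_rejected": not validate_request("sess-victim", form_hdr, {"_csrf": victim_token}),
        "genuine_accepted": validate_request("sess-victim", json_hdr, {"_csrf": victim_token}),
    }
```

The first flag shows why a token keyed to the account is reusable by whoever can trigger a flow for that account; the other three show the session-bound token and the content-type check rejecting the replays while the genuine request still passes.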

Bye guys, I will reach out to you in another write-up. If you want to text me or follow me, please reach out on Twitter and Instagram.

Cyber Security Researcher, love your passion: HACKING :)
