Compromising a complete application with a CSRF attack
I was looking for responsible disclosure programs and came across one; let's call it example.com.
I started enumeration. The website is basically used to create an application, which is then deployed as a subdomain of the website's domain: if I create an application called test, the URL of that application will be https://test.example.com.
I created an application with the URL https://test.example.com/. The first thing I noticed was that there was no email verification.
During enumeration, I came across the profile update page, from which the user's name can be changed, but the email field was disabled on the frontend.
When I intercepted the request, the email parameter was still present, and through it the email could be updated successfully. On its own this is a very low-impact vulnerability, so I kept looking at the website.
On the same request, I found that there was no CSRF token. Before creating a CSRF POC and testing it, I started minimizing the request parameters. The request had Content-Type: multipart/form-data and carried JSON data.
I opened this CSRF POC in the same browser where the user was logged in and clicked Submit, and the user's email was updated to testeing123@test.com.
After that, the password can be changed through the Forgot Password function, and since the POC targets the superadmin, the complete application can be compromised.
List of vulnerabilities that helped in exploitation
- No email verification
- Improper validation on the server side: email update
- No cross-site request forgery protection: anti-CSRF token missing
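The three weaknesses above chain together only because the server trusts the browser on every point. As an added example that is not part of the original write-up or the program's code, the model below puts the profile-update handler as described (email accepted although the UI disables it, no anti-CSRF check) next to a hardened version that requires a session-bound CSRF token, rejects foreign origins, takes only the fields the form may change, and holds an email change until the new address confirms it. The names `User`, `Session`, `Request`, `update_profile_vulnerable`, `update_profile_hardened` and `confirm_email` are hypothetical, and no web framework is used so it runs offline.

```python
"""Model of the profile-update endpoint from the write-up (added example, hypothetical names)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class User:
    name: str
    email: str
    pending_email: Optional[str] = None   # new address awaiting its verification link
    verify_token: Optional[str] = None


@dataclass
class Session:
    user: User
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """What the server sees. A cross-site form POST controls form and content_type,
    but the session cookie is attached by the victim's browser, not the attacker."""
    session: Session
    form: Dict[str, str]
    content_type: str = "multipart/form-data"
    origin: Optional[str] = None


SITE_ORIGIN = "https://example.com"   # the program's host as named in the write-up


def update_profile_vulnerable(req: Request) -> Dict[str, str]:
    """As described: the email input is disabled only on the frontend, so the
    server accepts 'email' anyway, and nothing proves the request came from our page."""
    user = req.session.user
    user.name = req.form.get("name", user.name)
    if "email" in req.form:
        user.email = req.form["email"]    # server-side validation missing
    return {"status": "ok", "email": user.email}


def update_profile_hardened(req: Request) -> Dict[str, str]:
    # 1. Anti-CSRF: the form must carry the token bound to this session; a page on
    #    another origin cannot read it, so a forged POST cannot supply it.
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, req.session.csrf_token):
        return {"status": "error", "reason": "csrf token missing or invalid"}
    # 2. Defence in depth: multipart/form-data is sent cross-site without a preflight,
    #    so the content type proves nothing; reject an Origin that is not ours.
    if req.origin is not None and req.origin != SITE_ORIGIN:
        return {"status": "error", "reason": "bad origin"}
    user = req.session.user
    # 3. Only the field the form is allowed to change is taken from the request.
    if "name" in req.form:
        user.name = req.form["name"]
    # 4. An email change never takes effect directly: it is parked until the new
    #    address proves it received the verification token.
    if "email" in req.form and req.form["email"] != user.email:
        user.pending_email = req.form["email"]
        user.verify_token = secrets.token_urlsafe(32)
    return {"status": "ok", "email": user.email}


def confirm_email(user: User, token: str) -> bool:
    """Completes a pending change only with the token mailed to the new address."""
    if user.verify_token and user.pending_email and hmac.compare_digest(token, user.verify_token):
        user.email = user.pending_email
        user.pending_email = user.verify_token = None
        return True
    return False


def demo() -> Tuple[str, str]:
    """Replays the scenario against both handlers: victim's session, form posted from
    another origin with no token. Returns the email left by each handler."""
    forged = {"name": "admin", "email": "attacker-controlled@invalid.example"}  # constructed
    v = User("admin", "admin@example.com")
    update_profile_vulnerable(Request(Session(v), forged, origin="https://evil.invalid"))
    h = User("admin", "admin@example.com")
    update_profile_hardened(Request(Session(h), forged, origin="https://evil.invalid"))
    return v.email, h.email


if __name__ == "__main__":
    print(demo())   # ('attacker-controlled@invalid.example', 'admin@example.com')
```

The vulnerable handler lets a single forged request rewrite the account's email, which is exactly the pivot into Forgot Password described above; the hardened handler stops the chain at three independent points, so any one of the fixes on the list would already have broken it.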