Write-ups
Khan Academy - Account takeover
The researcher discovered that an account with an unconfirmed email address can be taken over by triggering a CSRF against the /signup/email API endpoint.
The PoC exploit code below sends an HTTP POST request when the HTML is loaded in a web browser. When the window loads, it triggers the event listener on line 28, which builds and sends the HTTP POST request with the email attacker@rapidlight.io to the API endpoint https://www.khanacademy.org/signup/email. The withCredentials flag is set to true on the XMLHttpRequest object on line 32. This flag "indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates." (Mozilla)
Upon visiting the attacker-controlled website that contains the code above, the victim's browser sends the HTTP POST request with the changed email to the API endpoint, replacing the user's legitimate email with the attacker-controlled address. Once the email address has been changed, a password reset sent to the new address gives full account compromise.
Researcher provided PoC:
DoD - Account Deletion
The researcher discovered an endpoint with a CSRF vulnerability that allows an attacker to delete a victim's account. The endpoint <unknownDoDwebsite>/services/user/closeAccount has no CSRF protections in place; getting a victim to open a website containing the code below, in the same browser where they are logged in, deletes the victim's user account.
Streamlabs - Remove User Donation Info
The researcher discovered that the endpoint used to modify user donation settings does not properly implement CSRF mitigations.
Original HTTP POST request, with the X-CSRF and X-XSRF headers removed (they were not validated server-side):
Response:
Visiting URL https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings returns donation settings in JSON:
Opening the exploit HTML code below in a web browser deletes all of the user's donation info:
Now that the donation info has been removed, confirm it by revisiting the donation_settings URL from above:
Researcher provided PoC:
Imgur - CSRF and Self-XSS
The researcher discovered a combined self-XSS and CSRF attack that can be used to conduct an XSS attack on any user who visits a malicious website while logged into Imgur in the same browser.
The exploit HTML code creates a favorites folder whose name carries the XSS payload. Once the user visits the malicious website hosting the HTML code below, the code sends the request to Imgur that creates a favorites folder for the authenticated user with the self-XSS payload.
Express-Cart - Free Discounts
The Node.js Express-Cart module is a fully functional shopping cart. The researcher discovered that the admin endpoint that creates discounts has no CSRF protections in place. The PoC HTML code below creates a 30% discount code that can be used throughout the application.
New Relic - New Role
The exploit CSRF HTML code creates a new role via an HTTP POST request to the endpoint https://user-management.service.newrelic.com/accounts/2260599/roles with the role name CSRF_ROLE.
Visiting the roles page https://account.newrelic.com/accounts/<account_id>/roles shows the newly created role after the exploit code executes in the victim's browser.
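Every write-up above is the same server-side defect: a state-changing endpoint accepts a cross-site POST because it never checks an anti-CSRF token (Streamlabs even received the X-CSRF/X-XSRF headers and ignored them). The check below is an added example of how such validation should behave, not code from any of the services written up here; the helper names and the site origin https://app.example are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Placeholder origin of the legitimate site (constructed for this example).
ALLOWED_ORIGINS = {"https://app.example"}


def issue_csrf_token() -> str:
    """Per-session synchronizer token: stored server-side, echoed to the client."""
    return secrets.token_urlsafe(32)


def csrf_check(session_token, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (ok, reason) for a state-changing request.

    Rejects when the token header is missing, does not match the session's
    token, or the browser-supplied Origin/Referer is not an allowed site.
    """
    # HTTP header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    if not session_token:
        return False, "no session token"
    submitted = h.get("x-csrf-token")
    if submitted is None:
        # Stripping the header must fail closed; this is the Streamlabs case.
        return False, "missing token header"
    # Constant-time comparison over bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "token mismatch"
    # Defence in depth: browsers attach Origin to cross-site POSTs, so an
    # unexpected or absent source is rejected even if a token leaked.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return False, "no origin"
    p = urlparse(source)
    if f"{p.scheme}://{p.netloc}" not in allowed_origins:
        return False, "cross-site origin"
    return True, "ok"
```

A request from an attacker page carries the victim's cookies but cannot read the session token or forge an allowed Origin, so it fails the first or third check.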