CSRF bypass using flash file + 307 redirect method at plugins endpoint

ShuttlerTech
3 min read · Mar 24, 2023

Hello, Hunters. I know You are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly achieve success.

Description:

Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.

Example: Cross site request forgery (CSRF) is a vulnerability where an attacker performs actions while impersonating another user. For example, transferring funds to an attacker’s account, changing a victim’s email address, or they could even just redirect a pizza to an attacker’s address!

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

Let’s Read about Findings

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —

I discovered that the request sent to https://my.xyz.email/cabinet/stripeapi/v1/plugin/$userid$/plugins has no protection against CSRF attacks, because the server only validates that the Content-Type is application/json, which can be circumvented by using the Flash file + 307 redirect method.

Steps To Reproduce:

  1. Log in to your account at https://my.xyz.email
  2. Visit https://thehackerblog.com/crossdomain/
  3. Use this link as the PHP redirector: https://testingsubdomain.000webhostapp.com/stripo.php
  4. In the request headers: Content-Type: application/json;charset=UTF-8
  5. The payload:

code:

{"email":"attacker@example.com","name":"csrf poc","webUrl":"csrf poc "}

Watch the network traffic in the Network tab of DevTools, then go back to the site and refresh it: you'll find that the application data has been created.

All of these steps would be integrated together and performed automatically by the attacker's server.
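To make the root cause concrete, here is an added example (not code from the original post or from the affected service) contrasting the Content-Type-only check the write-up describes with a layered check that also verifies Origin/Referer and a session-bound CSRF token. SITE_ORIGIN is taken from the write-up; SESSION_CSRF_TOKEN, the header name X-CSRF-Token and the request shown are constructed for the demo.

```python
import hmac
import json
from typing import Mapping, Tuple
from urllib.parse import urlsplit

# Constructed demo values; a real app takes these from config and the session.
SITE_ORIGIN = "https://my.xyz.email"
SESSION_CSRF_TOKEN = "demo-token-bound-to-this-session"  # hypothetical


def _header(headers: Mapping[str, str], name: str) -> str:
    """Header names are case-insensitive; normalise before looking up."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def weak_check(headers: Mapping[str, str]) -> bool:
    """What the write-up says the endpoint did: inspect only Content-Type.
    A 307 redirect replays the method, headers and body, so a forged
    request still reaches the endpoint carrying application/json."""
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    return ctype == "application/json"


def _same_origin(value: str) -> bool:
    """Exact scheme+host comparison; a prefix test would wrongly accept
    https://my.xyz.email.attacker.example."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def hardened_check(headers: Mapping[str, str], body: str) -> Tuple[bool, str]:
    """Layered check: content type, then Origin/Referer, then a session-bound
    token in a custom header (a Flash/form request or a redirect cannot mint it)."""
    if not weak_check(headers):
        return False, "unsupported content type"
    origin = _header(headers, "Origin") or _header(headers, "Referer")
    # Absent Origin and Referer is treated as cross-site (fail closed).
    if not _same_origin(origin):
        return False, "cross-site or missing origin"
    if not hmac.compare_digest(_header(headers, "X-CSRF-Token"), SESSION_CSRF_TOKEN):
        return False, "missing or invalid csrf token"
    try:
        json.loads(body)
    except ValueError:
        return False, "malformed json body"
    return True, "ok"


# Constructed request shaped like the PoC above: right content type, no origin, no token.
FORGED = ({"Content-Type": "application/json;charset=UTF-8"},
          '{"email":"attacker@example.com","name":"csrf poc","webUrl":"csrf poc "}')
```

Running `weak_check(FORGED[0])` returns True while `hardened_check(*FORGED)` rejects the same request; the SameSite cookie attribute is a complementary browser-side layer the example does not model.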

Supporting Material/References:

https://blog.cm2.pw/forging-content-type-header-with-flash/

Impact

An attacker can send a request that creates an application on behalf of the user.

Thank you for reading! I hope you get to learn some tricks.

Subscribe to the Shuttlertech YouTube channel for more content of this type and to watch live POCs. To advance your career, connect with me 1:1 over topmate.
I assure you that I will write more interesting, knowledge-sharing writeups; to encourage me, follow me on Medium and click the clap icon.

Disclaimer: My write-ups come from my own achievements and sometimes from different learning platforms. Do not use this methodology without the company's consent. I am just sharing this for learning purposes.

Connect with me for any doubts or guidance:

LinkedIn, YouTube, Medium, Twitter, Instagram

ShuttlerTech

Senior Cyber Security Analyst| YouTuber| Freelancer| Cyber Security Trainer | Penetration Tester| Cyber Forensics Investigator