Hello everyone!
In this blog post I would like to talk about a CSRF (Cross-Site Request Forgery) vulnerability I discovered.
CSRF
Cross-Site Request Forgery (CSRF) is a critical web application vulnerability that takes advantage of a trusted relationship between a user’s browser and a web application. This attack forces an authenticated user to perform unintended actions, such as changing account details, transferring funds, or performing administrative tasks.
I found this vulnerability in a VDP program on HackerOne.
First I tried to find subdomains for target.com. For this I used web services such as VirusTotal, SecurityTrails, crt.sh, archive.org and Shodan, and tools such as amass and subdomainator.
Then I saved these domains as hosts.txt, ran cat hosts.txt | httprobe | anew hosts2.txt, and started checking the results one by one.
Sometimes this can take a while, but manually checking subdomains can sometimes help us find good vulnerabilities.
Then I found a sweepstakes site where users can sign up and register for the sweepstakes. I created 2 accounts: Attacker and Victim. I started trying some vulnerabilities: XSS, SQL injection, password reset, etc. I didn't find much. Then there is an option to delete my account in the view profile section, and when you click the "delete my account" button, your account is deleted without any password verification.
I sent the delete-profile request from the Attacker account and there was no CSRF token or similar. I prepared a request similar to the one below:
Then I prepared the request and clicked “submit request” for the victim browser.
And the account for the victim account was successfully deleted.
I quickly created a report and notified the team, but after a while they closed the report as Informative, stating that this subdomain was out of scope :)
Mitigation Techniques
CSRF Tokens:
The server generates a unique, unpredictable token per session (or per request), embeds it in its own forms, and requires it on every state-changing request. It then rejects any request whose token does not match the one stored for that session. Because a page on the attacker's origin cannot read the token, it cannot build a valid forged request.
SameSite Cookies:
The SameSite attribute on cookies restricts when the browser attaches them to cross-site requests: Strict never sends the cookie on a cross-site request, while Lax sends it only on top-level navigations that use a safe method such as GET. With either setting, a cross-site POST like the delete-account request above would arrive without the session cookie and fail authentication.
User Authentication Validation:
Require users to re-enter their credentials or use two-factor authentication for sensitive actions.
Referrer Header Validation:
Verify the Origin or Referer header on state-changing requests and reject requests whose value does not match the site's own origin. Browsers set Origin on cross-origin POST requests, so a forged request from the attacker's page will carry the attacker's origin; for sensitive actions, treat a missing header as untrusted as well, since this check only complements the token rather than replacing it.
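As an added example (not code from the original post or from the affected site), here is a minimal server-side gate for a "delete my account" request that combines three of the mitigations above: a per-session CSRF token compared in constant time, an Origin/Referer check, and a session cookie issued with SameSite=Lax. The function names and the ALLOWED_ORIGIN value are assumptions for illustration; the session store is an in-memory dict standing in for a real one.

```python
import hmac
import secrets
from http import cookies
from urllib.parse import urlparse

# Constructed placeholder for the site's own origin (not the real target).
ALLOWED_ORIGIN = "https://sweepstakes.example"
# Hypothetical in-memory session store: session id -> per-session CSRF token.
_sessions = {}


def new_session():
    """Create a session and bind a fresh, unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own forms as a hidden field."""
    return _sessions[sid]


def session_cookie_header(sid):
    """Set-Cookie line for the session: HttpOnly, Secure and SameSite=Lax."""
    jar = cookies.SimpleCookie()
    jar["session"] = sid
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"  # supported by http.cookies since Python 3.8
    return jar.output(header="Set-Cookie:")


def _origin_of(url):
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}"


def delete_account_allowed(sid, headers, form):
    """Return True only if the delete request is genuinely from our own page."""
    # 1. Origin/Referer check: a cross-site form post carries the attacker's origin,
    #    and a missing header fails closed for this sensitive action.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or _origin_of(source) != ALLOWED_ORIGIN:
        return False
    # 2. Token check: must match the token bound to this session; constant-time compare.
    expected = _sessions.get(sid)
    submitted = form.get("csrf_token", "")
    return expected is not None and hmac.compare_digest(expected, submitted)
```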
Similar reports:
Good reading for everyone, stay healthy.