Cloudflare XSS bypass + improper CSRF token leads to account takeover of victim account

oxinfosec
Nov 30, 2022

tl;dr

This is a recent finding from a collaboration with Mohit Sharma. We were both hunting on a private program which I won't disclose due to privacy concerns. I dug up more and more of its websites by crawling all the endpoints from JS files and brute-forcing parameters in search of juicy information. I kept digging, but it all went in vain, until I suddenly saw a path in the dirsearch output:

http://redacted.com/add-address

Whenever I see an input field, I mainly hunt for XSS. I fed a payload to the input, but again it went in vain: the Cloudflare firewall was blocking the XSS.

I tried to bypass the XSS firewall by making our own custom JavaScript payloads. I fed my payload to the input field again and voilà! An alert box popped up on the website.

Anatomy of the payload:

"><svg /on onload=alert(1)>

Just adding "/on" beside the on-event handler bypassed the firewall.

I was happy, but then I realized it was just a self XSS, nothing more than an N/A. I was disappointed again and thought of giving up. Then Mohit told me to look for another vulnerability that would make the XSS more powerful, and yes, he was talking about CSRF: he had already told me that the site was vulnerable to CSRF.

Basically, on this domain a CSRF token was present, but due to misconfiguration or improper implementation it was not actually enforced: if we sent a request without the token, it did not show any error or authentication-related problem.

So, basically, the whole scenario we created was:

1. There was a self XSS on the website.

2. There was also a CSRF that was further chained to the XSS.

3. Send a CSRF link to the victim, luring them with a discount/offer, etc.

4. When the user clicks the link, the XSS payload gets stored in the user's profile, and basically we can take over the account because we are able to steal the victim's session ID.

That is the PoC on the victim account. We can also integrate the JS stealer script with ngrok or use xss.ht.

Not only the session ID: we were also able to deface the page. Since the JavaScript injection was stored on the user's page, we could deface the user's web page and also steal their tokens.
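To show, from the defender's side, what made this chain work, here is an added example (not code from the write-up or from the affected program) of an /add-address handler in plain Python. It contrasts the lenient CSRF check the write-up describes (a missing token is simply not checked) with a strict one, stores the submitted address as raw text and escapes it at render time so the stored payload is shown rather than executed, and emits the session cookie with HttpOnly and SameSite attributes. The dict-based `store`, `session` and `form` objects stand in for a framework's request objects and are an assumption of this example; the only payload used is the one from the write-up, embedded as constructed test input.

```python
import hmac
import html
import secrets


def new_csrf_token() -> str:
    """Mint a per-session CSRF token (kept server-side, echoed into forms)."""
    return secrets.token_urlsafe(32)


def csrf_ok_lenient(session_token, submitted):
    """The weak check the write-up describes: the token is only compared when
    one is submitted, so a cross-site form that simply omits it passes."""
    if submitted is None:
        return True
    return submitted == session_token


def csrf_ok_strict(session_token, submitted):
    """Correct check: a missing token on either side is a hard failure, and the
    comparison is constant-time so the token cannot be guessed byte by byte."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def add_address(store, session, form, strict=True):
    """Handle a POST to /add-address.

    `store`, `session` and `form` are plain dicts standing in for a web
    framework's request objects (an assumption of this example). Returns an
    (HTTP status, body) tuple.
    """
    check = csrf_ok_strict if strict else csrf_ok_lenient
    if not check(session.get("csrf_token"), form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    address = form.get("address", "")
    # Store the raw text. Encoding happens at render time, for the context the
    # value is rendered into, never at storage time.
    store.setdefault(session["user"], []).append(address)
    return 200, "ok"


def render_profile(store, user):
    """Render the stored addresses into an HTML list, escaping each value so a
    stored payload is displayed as text instead of being parsed as markup."""
    items = "".join(
        f"<li>{html.escape(a, quote=True)}</li>" for a in store.get(user, [])
    )
    return f"<ul>{items}</ul>"


def session_cookie_header(session_id):
    """Set-Cookie header for the session. HttpOnly keeps the session ID out of
    reach of script even if an XSS does land; SameSite=Lax blocks the
    cross-site POST the CSRF step relies on in current browsers."""
    return f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed test input: the exact payload from the write-up.
PAYLOAD = '"><svg /on onload=alert(1)>'


def demo():
    """Run the forged (token-less) request through both checks, then a
    legitimate request, and return (lenient status, strict status, page)."""
    store = {}
    session = {"user": "victim", "csrf_token": new_csrf_token()}

    # A forged cross-site form carries the victim's cookie but no token.
    forged = {"address": PAYLOAD}
    lenient = add_address(store, session, forged, strict=False)
    strict = add_address(store, session, forged, strict=True)

    # The victim's own form, which carries the token, still works, and the
    # stored value renders harmlessly.
    legit = {"address": PAYLOAD, "csrf_token": session["csrf_token"]}
    add_address(store, session, legit, strict=True)
    return lenient[0], strict[0], render_profile(store, "victim")


if __name__ == "__main__":
    lenient_status, strict_status, page = demo()
    print("lenient check, forged request:", lenient_status)
    print("strict check, forged request: ", strict_status)
    print("rendered profile:", page)
    print(session_cookie_header("<session-id>"))
```

The two fixes are independent and both are needed: the strict token check removes the cross-site delivery step, and output encoding removes the stored XSS even if a request does get through. HttpOnly only limits what a successful injection can read (the raw session cookie); it does not stop script from acting as the user in the page, so it is a backstop, not the control.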
