Open redirection + clickjacking + CSRF -> Account Takeover
Hola Hackers,
This writeup is about my first bug bounty, in which the submission was marked a duplicate, even though they still rewarded me for chaining the bugs and reporting them with a realistic attack scenario.
Let’s Start
First, let's look at the bugs I chained together.
Open Redirection
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.
Clickjacking
Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.
CSRF
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
source: https://portswigger.net/
Now let's go to the target website, which I'll call example.com to respect their privacy.
While browsing the website through Burp Suite, I found some open redirection vulnerabilities, pages vulnerable to clickjacking, a page without a CSRF token, and some other related things.
Most of the vulnerabilities I found on the website were out of scope, so I kept looking. The page vulnerable to CSRF was a password reset page. When I first saw it I thought I could exploit it directly, but when I checked the required inputs, it also required the current password. After some discussion, I learned that when there is a password confirmation, the CSRF can't be exploited directly. So I tried to find other ways to exploit it.
The login page was vulnerable to clickjacking, and I already had some open redirects, so I tried to chain them together into a real-life attack scenario.
The summary of the attack: the victim is redirected via the open redirect to the clickjacking-vulnerable login page; when the user enters their username and password, the credentials are passed directly to the password reset form using JavaScript, which changes the victim's password to the attacker's password.
Here the PoC uses example.com as a placeholder; in the real scenario the original login page is framed, the decoy is hosted somewhere, and the victim is redirected to it through the target's own website.
source: https://github.com/shifa123/clickjackingpoc
When the user enters their credentials, they are sent directly to the password reset form via JavaScript. We can use the CSRF PoC generated by Burp Suite while performing a password reset, and combining it with the page makes everything simple: the password reset happens in one click after the credentials are entered.
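Each link in this chain breaks if the corresponding server-side control is in place, so as an added example (not code from the writeup or from the target site) here is a small Python module with the three checks a defender would want: a redirect-target validator that only allows same-site destinations, a header audit that flags pages a foreign site could frame, and a password-change guard that requires both a matching CSRF token and the current password. The host list, session layout and `verify_password` callback are assumptions for the example; the sample headers at the bottom are constructed.

```python
from urllib.parse import urlparse
import hmac
import secrets


# 1. Open redirect: accept only site-relative paths or explicit allowed hosts.
def is_safe_redirect(target: str, allowed_hosts: set) -> bool:
    """Return True only if `target` stays on an allowed host.

    Rejects scheme-relative URLs ('//evil.example'), backslash tricks,
    non-http schemes and absolute URLs to other hosts, i.e. the inputs an
    open-redirect parameter would be abused with.
    """
    if not target or target.startswith("//") or "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    if parsed.netloc:
        # 'user@host' forms end up in netloc and fail the exact-match test
        return parsed.netloc.lower() in allowed_hosts
    return target.startswith("/")


# 2. Clickjacking: does a response allow itself to be framed cross-site?
def framing_allowed(headers: dict) -> bool:
    """True if a page with these headers could be loaded in an attacker's
    iframe. Browsers prefer CSP frame-ancestors over X-Frame-Options, so
    CSP is evaluated first and X-Frame-Options only as a fallback."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {p.strip("'").lower() for p in parts[1:]}
            # 'none', 'self' or an explicit origin list block arbitrary sites;
            # a wildcard or bare scheme lets any site frame the page.
            return any(s in ("*", "http:", "https:") for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


# 3. CSRF + re-authentication on the password-reset form.
def make_csrf_token() -> str:
    """Per-session token to embed in the form and store in the session."""
    return secrets.token_urlsafe(32)


def password_change_allowed(session: dict, form: dict, verify_password) -> bool:
    """Allow the change only if the submitted CSRF token matches the session
    token AND the current password is correct. `verify_password(user, pw)` is
    an assumed callback into the credential store."""
    expected = session.get("csrf_token", "").encode()
    supplied = form.get("csrf_token", "").encode()
    token_ok = hmac.compare_digest(expected, supplied)
    # Evaluate the password regardless of token_ok so timing does not leak
    # which check failed; the result is combined afterwards.
    pw_ok = verify_password(session.get("user"), form.get("current_password", ""))
    return token_ok and pw_ok


if __name__ == "__main__":
    allowed = {"example.com"}
    for t in ("/account", "https://example.com/login", "//evil.example/login"):
        print(f"redirect {t!r}: {'ok' if is_safe_redirect(t, allowed) else 'blocked'}")

    # Constructed sample responses for the login page
    weak = {"Content-Type": "text/html"}
    hardened = {"Content-Security-Policy": "frame-ancestors 'none'"}
    print("weak login page frameable:", framing_allowed(weak))
    print("hardened login page frameable:", framing_allowed(hardened))

    session = {"user": "alice", "csrf_token": make_csrf_token()}
    forged = {"current_password": "guess"}  # no token, as in a cross-site post
    print("forged reset accepted:", password_change_allowed(session, forged, lambda u, p: p == "correct"))
```

`framing_allowed` is the check to run against the login page in particular: the chain in this writeup only works because that page could be framed, so a `frame-ancestors 'none'` (or `X-Frame-Options: DENY`) header on it removes the clickjacking step even if the open redirect remains.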
Program flow:
If I had left the CSRF and clickjacking vulnerabilities alone when I saw they were out of scope and reported only the open redirect, I wouldn't have been satisfied.
That thought is what led me to do this.