SameSite Lax Bypass through Method Override | 2023
2023-2-11 03:43:52 Author: infosecwriteups.com(查看原文) 阅读量:26 收藏

Portswigger’s CSRF lab Simple Solution | Karthikeyan Nagaraj

Lab Description:

  • This lab’s change email function is vulnerable to CSRF. To solve the lab, perform a CSRF attack that changes the victim’s email address.
  • You should use the provided exploit server to host your attack.
  • You can log in to your own account using the following credentials: wiener:peter

Note

The default SameSite restrictions differ between browsers. As the victim uses Chrome, we recommend using Chrome (or Burp’s built-in Chromium browser) to test your exploit.

Analysis:

  1. Go to My-Account and Log In to the account with the above credentials and change your email address.
  2. Send the POST /my-account/change-email request to Burp Repeater.

3. Study the POST /my-account/change-email request and notice that this doesn't contain any unpredictable tokens so may be vulnerable to CSRF if you can bypass the SameSite cookie restrictions.

4. Look at the response to your POST /login request. Notice that the website doesn't explicitly specify any SameSite restrictions when setting session cookies. As a result, the browser will use the default Lax restriction level.

5. Recognize that this means the session cookie will be sent in cross-site GET requests, as long as they involve top-level navigation.

6. In Burp Repeater, right-click on the request and select Change request method. Burp automatically generates an equivalent GET request.

7. Send the request. Observe that the endpoint only allows POST requests.

8. Try overriding the method by adding the _method parameter to the query string:

/my-account/change-email?email=foo%40web-security-academy.net&_method=POST

9. Send the request. Observe that this has been accepted by the server.

10. In the browser, go to the exploit server.

11. In the Body section, create an HTML/JavaScript payload that induces the viewer’s browser to issue the malicious GET request. Remember that this must cause top-level navigation in order for the session cookie to be included. The following is one possible approach:

<script> document.location = "https://YOUR-LAB-ID.web-security-academy.net/my-account/[email protected]&_method=POST"; </script>

12. Store and view the exploit yourself. Confirm that this has successfully changed your email address on the target site.

13. Deliver the exploit to the victim to solve the lab

Feel Free to Ask Queries via LinkedIn and to Buy me Coffee : )

Thank you for Reading!!

Happy Hunting ~

Author: Karthikeyan Nagaraj ~ Cyberw1ng

文章来源: https://infosecwriteups.com/samesite-lax-bypass-through-method-override-2023-46fa30535410?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh