{"id":341,"date":"2017-05-21T06:28:21","date_gmt":"2017-05-21T00:58:21","guid":{"rendered":"http:\/\/www.geekboy.ninja\/blog\/?p=341"},"modified":"2017-05-21T06:28:21","modified_gmt":"2017-05-21T00:58:21","slug":"turning-simple-login-csrf-to-account-takeover","status":"publish","type":"post","link":"http:\/\/www.geekboy.ninja\/blog\/turning-simple-login-csrf-to-account-takeover\/","title":{"rendered":"Turning Simple Login CSRF to Account Takeover"},"content":{"rendered":"<p>Hey all \ud83d\ude42<\/p>\n<p>Today I decided to write a new post about one of my recent finds: a simple one, but with a much higher impact than it first appears. This is more of a case study than a technical write-up.<\/p>\n<p>There is an application which has <strong>2 ways to access your account<\/strong>, which are as follows:<\/p>\n<ol>\n<li>Using email + password<\/li>\n<li>Using a social account<\/li>\n<\/ol>\n<p>Both ways give a user access to their account: users have an <strong>explicit option<\/strong> to add a social account such as <strong>Facebook or Google<\/strong> to their account, and once it has been added they can use either method to log in. After realizing that, I thought: what if I could find a way to add my social account to the victim&#8217;s account? That would be an easier way to get access to the victim&#8217;s account directly.<\/p>\n<p>I checked both endpoints of the social login (Facebook) flow and they were the same.<\/p>\n<p>For the Facebook OAuth login flow they were not using the &#8220;<strong><a href=\"https:\/\/developers.facebook.com\/docs\/facebook-login\/security#stateparam\" target=\"_blank\" rel=\"noopener noreferrer\">state<\/a><\/strong>&#8221; parameter, which is used to protect against <strong>CSRF attacks<\/strong>, so the same flawed OAuth implementation is used when a user adds a social account from the application&#8217;s settings.<\/p>\n<p>It is now very clear that an attacker just needs to build a CSRF PoC with his own unused <strong>Facebook<\/strong> token generated by the target application and send it to the victim. After the CSRF request succeeds, the attacker&#8217;s social account is added to the victim&#8217;s account, and the attacker can log in to the victim&#8217;s account with all privileges using his own social account.<\/p>\n<p>Isn&#8217;t it a simple one with a big impact? It turned out to be the highest payout for that program.<\/p>\n<p>So sometimes a simple login CSRF can be exploited in different ways through different functionality in the application, so it&#8217;s always good to be protected against everything.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey all \ud83d\ude42 Today I decided to write a new post about one of my recent finds: a simple one, but with a much higher impact than it first appears. This is more of a case study than a technical write-up. There is an application which has 2 ways to access your account, which are as follows: Using email [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[17,16],"_links":{"self":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/341"}],"collection":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/comments?post=341"}],"version-history":[{"count":22,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/341\/revisions"}],"predecessor-version":[{"id":363,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/posts\/341\/revisions\/363"}],"wp:attachment":[{"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/media?parent=341"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/categories?post=341"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.geekboy.ninja\/blog\/wp-json\/wp\/v2\/tags?post=341"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}