How I CSRF’d My First Bounty!

Hello Everyone!

This is my first blog post, and I decided to start off by sharing about my recent finding. It was a CSRF issue, which earned me $500!

What makes this even more special for me is that it was my first bounty ever!

Introduction to CSRF:
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.

Initial Reconnaissance Phase
So, I got an invitation for this private program on Bugcrowd, and it was an e-commerce website.

During my initial recon, I noticed that the users can add their address into their account. So, I quickly checked the request and there was some token named form_key that was being used to protect the users from CSRF attack.

form_key to protect CSRF attacks

So, the next thought which came to my mind was, is there any server side validation on this token?

I quickly logged into my second test account, generated a CSRF PoC, removed the token for this particular request, and sent it to the victim.

And the final request was something like this:

Removed the form_key value in the request

Did you notice something? I have removed the form_key value from the PoC, and not the entire input tag.

I sent this to the victim, and when the victim clicked on “Submit”, the address was added to his account, which was the attacker’s address.

Attacker’s address added to victim account

Boom! Like I suspected, there was no server-side validation on form_key token.

So, the next time you come across a CSRF token, be sure to perform this kind of validation.

Timeline:

Issue reported: 06 Nov 2019

Triaged as P3: 09 Nov 2019

Bounty received: 05 Jan 2020

Thanks for reading. Hope it helps

.

Connect me on twitter https://twitter.com/_rajesh_ranjan_