How I was able to forge requests across the site

The CSRF that I thought would never get paid!!!

Okay guys, thanks for going through my blog. I hope I have helped you in learning something new :)

This time I am going to show you a very basic style of CSRF attack. I have worked on many bug bounty programs, but most of them are private and I am unable to disclose those reports here.

Somehow this program has become public and I have been seeing many reports on it in blogs, so today I am going to show you a very basic CSRF attack with no complication at all; it's a very simple CSRF. So let's begin......

Here was this site: click! click! Bang Bang! I was just going through it and saw that if I sent any request and intercepted it, it was sending all the POST parameter values without an anti-forgery token, which made me go like......

So I checked whether there was any header related to CSRF protection, but there wasn't, and I thought: how could such a simple bug get a bounty? On the other hand, if it is that simple, there is a very high chance that someone has already reported it, because we bug hunters usually test XSS and CSRF first (at least in my opinion; I do that first). I was thinking, let's report it and take a chance to see whether someone has reported it or not....there was a naughty feeling all around, as I knew this must have been submitted by someone else already...
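The two observations above (POST parameters accepted without an anti-forgery token, and no CSRF-related header checked) are exactly what a synchronizer-token check is meant to close. The following is an added example, not code from the site in the post or from the author: it models a state-changing handler in the vulnerable form described, beside a hardened form that requires a per-session token in either a form field or a request header. The `Session` class, handler names, the `csrf_token` field and the `X-CSRF-Token` header name are assumptions chosen for the illustration.

```python
import hmac
import secrets


# Constructed stand-in for a server-side session store (assumed name; the real
# application's session mechanism is not described in the post).
class Session:
    def __init__(self):
        self.csrf_token = None


def issue_csrf_token(session):
    """Mint a random per-session anti-forgery token and remember it server-side.
    The application embeds this value in its own forms (synchronizer token pattern)."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def vulnerable_update_profile(session, post_params):
    """The pattern the post describes: the POST is honoured as long as the session
    cookie rides along, so a submission from another origin is accepted too."""
    return {"status": "updated", "email": post_params.get("email")}


def csrf_token_is_valid(session, post_params, headers):
    """Accept the token from a form field or a custom header and compare it in
    constant time against the value stored in the session."""
    submitted = post_params.get("csrf_token") or headers.get("X-CSRF-Token")
    if not submitted or not session.csrf_token:
        return False
    # Encode to bytes so compare_digest never raises on non-ASCII input.
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def hardened_update_profile(session, post_params, headers=None):
    """Same action, but rejects any request whose token is missing or wrong."""
    headers = headers or {}
    if not csrf_token_is_valid(session, post_params, headers):
        return {"status": "rejected", "reason": "missing or invalid CSRF token"}
    return {"status": "updated", "email": post_params.get("email")}


def demo():
    """Run constructed requests through both handlers and report each outcome."""
    session = Session()
    token = issue_csrf_token(session)
    # Constructed request bodies: one from the site's own form (carries the
    # token), one that only carries the cookie-backed session, as a cross-site
    # form post would.
    own_form = {"email": "me@example.com", "csrf_token": token}
    cross_site = {"email": "me@example.com"}
    return {
        "vulnerable_cross_site": vulnerable_update_profile(session, cross_site)["status"],
        "hardened_cross_site": hardened_update_profile(session, cross_site)["status"],
        "hardened_own_form": hardened_update_profile(session, own_form)["status"],
        "hardened_header": hardened_update_profile(
            session, cross_site, {"X-CSRF-Token": token})["status"],
        "hardened_wrong_token": hardened_update_profile(
            session, {"email": "me@example.com", "csrf_token": "0000"})["status"],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check is deliberately independent of the `Origin` or `Referer` headers so that the absence of those (as in the intercepted requests described above) does not by itself decide the outcome; the token is what ties the request to a page the site itself served.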


So I went ahead and reported it with a proper proof of concept and a suggestion for mitigation....to which I got a reply from their security team that left me flabbergasted.

You too will be taken aback as you read the mail below:

So that day I realized two things: one, that people do care about security vulnerabilities for sure, and two, that a proper, well-documented report can help you get a lot of money plus respect for understanding the bug in depth, and for that the security analyst will definitely appreciate you.

I won't be able to disclose my report because we all have our own unique style of writing reports and it should stay that way, but all I would say is that if you are writing a report, do include the request and response body if necessary, the consequences and the mitigation, and do provide a proper POC (obviously the most important part, otherwise the report will go to the TRASH).

One of my principal rules is that if a security person says this is what we can pay, never ask them to raise it further; that really creates a bad impression, and if they are not capable of paying more they will also feel bad about it. So please avoid this type of situation.

This was a bonus reward that I didn't really deserve, because someone had already reported it and mine was a definite duplicate, but somehow I got paid for writing a report that made them feel like I really deserved it.

Thank you so much, Security Team!!!

Here is the POC Video:

This was a really lucky day for me :)

Thanks all for reading :) Keep Hunting, Keep Growing, Keep Learning!!!
