First Bug Bounty
Open redirection + clickjacking + CSRF -> account takeover
This writeup is about my first bug bounty. The submission was marked as a duplicate, but they still rewarded me for chaining the bugs together and reporting them as an effective, real-life attack scenario.
First, the bugs I chained together.
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.
Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website.
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
Now to the target website, which I will call example.com to respect their privacy.
While browsing the website through Burp Suite, I found some open redirection vulnerabilities, pages vulnerable to clickjacking, a page without a CSRF token, and some other related things.
Most of the vulnerabilities I found on the website were out of scope, so I tried again. The CSRF-vulnerable page was a password reset page. When I first saw it I thought I could exploit it directly, but when I checked the required inputs, it also required the current password. After some discussion, I learned that when a form requires password confirmation, the CSRF cannot be exploited directly. So I looked for other ways to exploit it.
The login page was vulnerable to clickjacking, and I already had some open redirections. So I tried to chain them together into a real-life attack scenario.
Using example.com as the target: we take the original login page, host a copy somewhere, and redirect to it through their own website.
- First go to https://www.example.com/?option=oauthredirect&redirect_url=https://example.com, which redirects to example.com
- If we host a fake login page that uses clickjacking over the real login page, we get the email and current password
- Then we can send these to the password change form, https://www.example.com/etcetc?etc=abcd&Target=PasswordResetForm&params=test, which is vulnerable to CSRF
- When the victim enters the email and current password and clicks on login, the password gets reset to the attacker-supplied password
- Password Changed Successfully
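The defensive counterparts of the first two links in this chain, as an added example that is not part of the original writeup: a redirect validator that refuses to leave the application's own origin (which would have broken the first step), and a header check that tells whether a page can be framed by a third party (the clickjacking step). The host name, the attacker host and the sample headers are constructed placeholders.

```python
from urllib.parse import urlsplit

ALLOWED_HOST = "www.example.com"  # placeholder for the application's own host


def is_safe_redirect(target: str, allowed_host: str = ALLOWED_HOST) -> bool:
    """Return True only if `target` stays on the application's own origin.

    Rejects the usual open-redirect bypass shapes: scheme-relative '//host',
    backslash variants, userinfo tricks ('https://good@evil'), look-alike
    subdomains and non-https schemes such as 'javascript:'.
    """
    if not target:
        return False
    # Browsers treat backslashes like forward slashes; normalise before parsing.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: must start with exactly one '/' ('//host' is scheme-relative).
        return target.startswith("/") and not target.startswith("//")
    # Absolute URL: https only, exact host match, no userinfo and no explicit port.
    return (
        parts.scheme == "https"
        and parts.hostname == allowed_host
        and parts.username is None
        and parts.port is None
    )


def is_frameable_by_third_party(headers: dict) -> bool:
    """True if the response headers let any other origin frame this page.

    CSP frame-ancestors takes precedence over X-Frame-Options when present.
    """
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            # 'self', 'none' or explicit origins restrict framing; '*' does not.
            return "*" in value.split()
    xfo = h.get("x-frame-options", "").strip().upper()
    return xfo not in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    print(is_safe_redirect("/account"), is_safe_redirect("//attacker.invalid"))
    print(is_frameable_by_third_party({}), is_frameable_by_third_party({"X-Frame-Options": "DENY"}))
```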
If I had dropped the CSRF and clickjacking vulnerabilities when I saw they were out of scope and reported only the open redirect, I would not have been satisfied.
That thought is what pushed me to do this.