Cross site request forgery (CSRF) leads to Account Takeover.
I am Venkat, a cyber security engineer and bug hunter.
Here I will share how I was able to change anyone's password on target.com via a CSRF attack.
While testing a target (let's call it target.com), I created an account and tested functions like password reset and email change; nothing worked.
There is a reset-password function in my account; it lets an authenticated user update their own password.
I wanted to test it too. When I click Reset password, the application asks me to enter a new password and confirm it.
I updated my password, and even after updating it I was still logged in.
So I thought of testing for session fixation:
- Captured the reset password request in Burp Suite and sent it to Repeater for further use.
- Signed out of the application and tried to reset the password after sign-out from Repeater.
- I was able to change the password even after signing out.
I had a vulnerability, but it was session fixation, so I was thinking about how to escalate it.
I checked the reset password request carefully: there is no CSRF token or any other token to validate the user who is trying to reset the password.
So I quickly created another account and signed in on Chrome.
I generated a CSRF PoC for the password reset request,
copied it into a text file and saved it with a .html extension so the CSRF PoC would open in Chrome.
I then opened the CSRF PoC file in Chrome and was able to reset the password of my second account.
So I was able to change anyone's password on TARGET.COM.
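The two defects this writeup relies on (a password change that is accepted on the session cookie alone, and a session that keeps working after sign-out), modelled as an added Python example that is not the author's code or the target's; the user name, passwords and token sizes are constructed for the demo.

```python
import hmac
import secrets


class PasswordChangeDemo:
    """Toy server state: users, cookie-backed sessions and per-session CSRF tokens."""

    def __init__(self):
        self.users = {"alice": "old-pass"}   # constructed sample account
        self.sessions = {}                   # session id -> username
        self.csrf_tokens = {}                # session id -> token issued with the form

    def login(self, user, password):
        if self.users.get(user) != password:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        self.csrf_tokens[sid] = secrets.token_urlsafe(16)
        return sid

    def logout(self, sid):
        # Server-side invalidation. The report's reset still worked after
        # sign-out, which is what happens when only the browser forgets the cookie.
        self.sessions.pop(sid, None)
        self.csrf_tokens.pop(sid, None)

    def change_password_vulnerable(self, sid, new_password):
        # Before: the only check is a valid session cookie, and the browser
        # attaches that cookie to a cross-site form post automatically.
        user = self.sessions.get(sid)
        if user is None:
            return False
        self.users[user] = new_password
        return True

    def change_password_hardened(self, sid, token, current_password, new_password):
        # After: require the session-bound token (unreadable from another origin)
        # and the current password, then revoke the user's other sessions.
        user = self.sessions.get(sid)
        if user is None:
            return False
        expected = self.csrf_tokens.get(sid, "")
        if not token or not hmac.compare_digest(expected, token):
            return False
        if not hmac.compare_digest(self.users[user], current_password):
            return False
        self.users[user] = new_password
        for other in [s for s, u in self.sessions.items() if u == user and s != sid]:
            self.logout(other)
        self.csrf_tokens[sid] = secrets.token_urlsafe(16)   # rotate after use
        return True


def cross_site_post(app, victim_sid, hardened):
    """Forged form as the browser delivers it: victim's cookie, but no token or current password."""
    if hardened:
        return app.change_password_hardened(victim_sid, "", "", "attacker-pass")
    return app.change_password_vulnerable(victim_sid, "attacker-pass")
```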