[Critical] Bypass CSRF protection on IBM

-


What is CSRF?
CSRF is an attack when tricks the victim to send a malicious request to the website which affected with CSRF vulnerability this request can be used to send a request to change the Username, Password, Emails and etc...
What did I found on IBM?
when I test IBM main domain I send a request to change my email and I notice that the website send a GET request to change the email but the cool thing that no CSRF tokens on the request so I said this is CSRF :P, but when I try to exploit the CSRF attack it gives me an error so I was like:



but I told to my self I should know the issue and solve it so I digging more and notice that the error was because the Referer Header the website just accept this value when changing the Email:

https://www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp )

the website protect the request using this method to know if the request from his website or from the external website now we know the issue it’s the time to bypass it after few hours I read a blog from @zseano now when I try to add my website before the IBM domain on the Referer Header and it’s worked and the email changed so I create a path on my website to be like the valid value on the Referer the path is:

https://mywebsite.com/www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp.php )

and I write a simple code on the PHP file to redirect the victim to this path:

https://www.ibm.com/ibmweb/myibm/account/sendmail?locale=us-en&email=attackeremail@email.com )

to change his email to mine and gain Account takeover when I bypass it I was like:

now the POC Video:

Impact
this issue can be used to steal the accounts of IBM users by just open the attacker website, this issue can be used to steal the IBM staff and this will be used to gain damage to the company.
I hope this topic helped someone and I want to thank @zseano, thank you for reading.

Comments

Post a Comment

Popular posts from this blog

HITB2018DXB Pre-Conf CTF | Write up

-
Image
In this topic, I will share with your the write-up about the HITB2018DXB Pre-Conf CTF from Cyber Talents I will solve the web security challenges. First challenge [ who am i for 50 points] : at the first when we open the challenge we will found a login form so the first thing I tried to do it's open the source and look on it and I found that so I used this account to enter the panel but I found that I should be an admin to see the flag I think for a few minutes and I try to see the cookies and I found this the value is encoded with base64 so when I decode it I found this value  login=Guest now I changed the Guest to admin and encode it again and I tried to open the page again and I found the flag the flag is:  FLag{B@D_4uTh1Nt1C4Ti0n} ----------- The second challenge [Dark project for 100 points]: when you open the challenge you will find that there is a page when you open one from it there is a new parameter and the page name will be the v
Read more

How to start on web applications security

-
Image
Summary: hey guys I hope you are fine, now I am going to talk about how to start with Web applications security. now if you want to learn something from someone but this guy doesn’t speak the same language of you what will you do?…….yes…you will learn his language to learn from him, it’s the same with web applications now if you want to start “security web application” you should learn how it works, learn it’s language. Now I will talk about the programming language: There are a lot of programming languages you can use Java, ASP, Perl, Ruby, Python, and PHP but the best one is PHP because most of the web applications use it but the other languages have a good future now you learned PHP to understand what website say :D, now you should learn a programming language for the Database to use it with PHP now the Database is something that the website can’t work without it. so you can learn MySQL it’s good but there are others you can search about them “Google Is Your F
Read more

Write-Up || Quals: Saudi and Oman CTF 2019 Web Challenges

-
Image
Welcome Guys, I will solve the web challenges on the Quals of Saudi and Oman CTF 2019 I will solve it on the video but I will talk about the challenges first. The First Challenge is  Maria it's a Hard one with 200 points, this challenge is a SQL injection challenge the first thing you should found the field which you will inject your payload on it if we try to delete the cookie we will see the SQL query which adds your IP to the database so we will inject the IP to get the information from the DB we need the Maria's IP address so we will dump it and we will see that on the video after that when we add the IP we should add the cookies and we will use the cookies from set-cookie header on the response The Second Challenge is  Back to basics  it's an Easy one with 50 points if we try to open the challenge link we will be redirected to Google so we should open it with another way so I used Burp to catch the request but I didn't find anything interesting on the p
Read more