
The title is a little bit unclear, but I had no idea how to describe the following issue in it.

I found a vulnerability in a website where I am able to bypass the CSRF protection (Bug Bounty program...). This website uses a csrf cookie and a csrf header. The only thing they do is to compare those 2 values on the server; if they are equal, the server will accept the request.

Example:

[...]
X-CSRFToken: 12345
Referer: https://www.xxx.com
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: csrftoken=12345;

The header "X-CSRFToken" and the cookie "csrftoken" are equal which means the request will be accepted by the server. This is quite bad because the whole sense of the csrf token is gone. I can choose the value of the token, it just has to be present in the request.

What I'm asking you guys is how to use this in a real-world scenario. I can't add a custom header by using an XMLHttpRequest because I am not same-origin.... The only thing I thought of is to find an XSS vulnerability, but once I had that I would be able to read the CSRF token anyway...

How can I add this header to really use this kind of vulnerability?
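The check described in the question (cookie value must equal header value, nothing else) is the "naive double-submit" pattern: the server never verifies that the value was one it issued. The example below is added for illustration and is not code from the question or from the affected site. It contrasts that weak check with a session-bound variant in which the token is an HMAC over the session id under a server-held key, so a client-chosen pair such as 12345/12345 is rejected. The header and cookie names come from the request shown above; the secret, session id and request dictionaries are constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side key for this example only (not from the page).
SERVER_SECRET = b"example-server-secret-do-not-use"


def issue_token(session_id: str) -> str:
    """Derive the CSRF token from the session with a server-held key.

    Because the token is an HMAC over the session id, a client cannot mint a
    value the server will accept, regardless of what it writes into the cookie.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def weak_check(headers: dict, cookies: dict) -> bool:
    """The check from the question: header must equal cookie, nothing more.

    Any value works as long as both copies are present and identical.
    """
    token_header = headers.get("X-CSRFToken")
    token_cookie = cookies.get("csrftoken")
    return token_header is not None and token_header == token_cookie


def hardened_check(headers: dict, cookies: dict, session_id: str) -> bool:
    """Same double-submit shape, but the value is validated against the session.

    The server recomputes the expected token for the authenticated session and
    compares both the header and the cookie against it in constant time, so an
    attacker-chosen matching pair no longer passes.
    """
    expected = issue_token(session_id)
    token_header = headers.get("X-CSRFToken", "")
    token_cookie = cookies.get("csrftoken", "")
    return hmac.compare_digest(token_header, expected) and hmac.compare_digest(
        token_cookie, expected
    )


# Constructed sample requests: the attacker-chosen pair from the question, and a
# legitimate pair carrying the token the server actually issued for the session.
SESSION_ID = "sess-constructed-abc"
ATTACKER_PAIR = ({"X-CSRFToken": "12345"}, {"csrftoken": "12345"})
LEGIT_TOKEN = issue_token(SESSION_ID)
LEGIT_PAIR = ({"X-CSRFToken": LEGIT_TOKEN}, {"csrftoken": LEGIT_TOKEN})


def demo() -> dict:
    """Run both checks over both sample requests and return the outcomes."""
    return {
        "weak_accepts_attacker_pair": weak_check(*ATTACKER_PAIR),
        "weak_accepts_legit_pair": weak_check(*LEGIT_PAIR),
        "hardened_accepts_attacker_pair": hardened_check(*ATTACKER_PAIR, SESSION_ID),
        "hardened_accepts_legit_pair": hardened_check(*LEGIT_PAIR, SESSION_ID),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

The fix is not in how the two values are compared but in where the value comes from: the server must be able to recognise a token it issued (here by recomputing the HMAC; a random token stored server-side in the session works too) rather than trusting whatever the client echoed in both places. `hmac.compare_digest` is used so the comparison does not leak timing information.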

  • I think your question is almost-but-not-quite a duplicate of this: http://security.stackexchange.com/q/23371/33 , though the answers there should be plenty answer for your question too. Do you think there is something different in your question? – AviD Oct 27 '15 at 10:49
  • Well, I missed that, I'm sorry... This post answers my question. Thank you, sorry for the duplicate. – user3348472 Oct 27 '15 at 10:58
