CSRF with IDOR - A Deadly Combo

Summary :

I was invited on a private program on HackerOne and there were so many domains in scope so I thought of testing some of them. In one of the domain I found this vulnerability which is Cross Site Request Forgery, when combined with Insecure Direct Object Reference was able to delete anyone’s account.

I was searching for different vulnerabilities on that domain and I saw that there are two different types of account you can register yourself with :

1. Open Source Account
2. Trial Account

In trial account you get the trial of 29 days and you also have the option to cancel it, so I thought of trying Insecure Direct Object Reference attack first but it didn't work so moving on with CSRF it was successful but with the help of IDOR.

When I registered myself using trial account there was an option of “Cancel Enterprise”, now when you click this option the account will be deleted automatically. In the request I found there were 2 parameters googleAnalyticsId=<Value>&mktToken=<Value>, but when I captured the request of the another account in the private browser there were only parameters with no value passed for eg. (googleAnalyticsId=&mktToken=), so I thought it might be vulnerable to CSRF attack but the GET request was having the username of the account GET /userName1/account/cancelTrial/?&googleAnalyticsId=&mktToken= so I thought of crafting a CSRF request by changing the username GET /userName2/account/cancelTrial/?&googleAnalyticsId=&mktToken= but still something was left so I quickly checked the referrer header which was Referrer: https://example.com/userName1/account/account so I changed the referrer header to Referer: https://example.com/userName2/account/account in my CSRF attack and the attack was successful.

What is CSRF ?

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

What is IDOR ?

Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.

How I found this vulnerability ?

1. I went to https://example.com from two different browsers (normal & private)
2. Then I created trial accounts on both the browsers
3. I verified the links and went to my dashboard
4. I then visited https://example.com/<userName2>/account/ account link from the second account (second browser), and here I found an option of Cancel Enterprise (trial) account

Account1

Account2

Account Deletion

5. Then I clicked on the button and captured the request using burp suite

cancelTrial/Deletion Request

Here you can see I have removed the value of googleAnalyticsId=&mktToken= parameters.

6. Then I changed the username to username in first browser and in the GET request URL and Referrer header and crafted the CSRF PoC

Changing Values

7. Then I generated a CSRF poc and saved it as .html

CSRF PoC

PoC - (Proof-Of-Concept)

8. I ran it and reloaded the page in the first browser account and the account got deleted

Running PoC

Account Deleted

Here the email ID of the target account was sovovem334@yektara.com (Temp Mail)

Email Of Target Account

For the better understanding of the vulnerability I compared the request of both the accounts (account1 & account2) which were open on two different browsers (Firefox & Firefox Private). I compared the request using “Comparer” module of BurpSuite.

Comparer

NOTE : Here pentesterworld is the attacker’s account and defendingera is the victim’s account.

Mitigation :

A proper CSRF token should be added in a request and should be validated on client as well as server side.