[Critical - IBM] Bypassing CSRF protection leads to account takeover



What is CSRF?
CSRF (Cross-Site Request Forgery) is an attack in which the attacker tricks the victim into sending a malicious request to a website affected by a CSRF vulnerability. Such a request can be used to change the username, password, email, etc.
What did I find on IBM?
When I tested IBM's main domain, I sent a request to change my email and noticed that the website sends a GET request to change the email. The cool thing was that there were no CSRF tokens on the request, so I said, this is CSRF :P. But when I tried to exploit the CSRF attack it gave me an error, so I was like:

But I told myself I should understand the issue and solve it, so I dug deeper and noticed that the error was because of the Referer header: the website only accepts this value when changing the email:

https://www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp
The website uses this check to decide whether the request comes from its own site or from an external one. Now that we knew the issue, it was time to bypass it. After a few hours I read a blog post by @zseano, and when I tried adding my own website before the IBM domain in the Referer header, it worked and the email changed. So I created a path on my website that looks like the valid Referer value. The path is:

https://mywebsite.com/www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp.php

I wrote a simple PHP file at that path to redirect the victim to this URL:

https://www.ibm.com/ibmweb/myibm/account/sendmail?locale=us-en&email=attackeremail@email.com

which changes their email to mine and gives account takeover. When I bypassed it I was like:
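An added example, not code from the original post, contrasting the kind of Referer check the write-up describes with a strict one a defender would want. The substring logic in `weak_referer_check` is my assumption of how the bypassed check behaved; the URLs are the ones quoted in the post.

```python
from urllib.parse import urlparse

# Constructed sample values taken from the write-up: the Referer the site
# expected, and the attacker-controlled URL that merely contains it.
EXPECTED_PATH = "www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp"
LEGIT_REFERER = "https://" + EXPECTED_PATH
BYPASS_REFERER = "https://mywebsite.com/" + EXPECTED_PATH + ".php"


def weak_referer_check(referer: str) -> bool:
    """Assumed model of the bypassed check: accept any Referer that
    contains the expected path anywhere in the string."""
    return EXPECTED_PATH in (referer or "")


def strict_referer_check(referer: str, allowed_host: str = "www.ibm.com") -> bool:
    """Parse the Referer and compare scheme and hostname exactly.
    A missing Referer is rejected instead of being treated as trusted."""
    if not referer:
        return False
    parsed = urlparse(referer)
    if parsed.scheme != "https":
        return False
    # .hostname drops userinfo and port, so https://www.ibm.com@evil.example/
    # resolves to host "evil.example" and is rejected.
    return parsed.hostname == allowed_host


def allow_email_change(method: str, referer: str, token_valid: bool) -> bool:
    """Hardened gate for a state-changing action: require POST and a valid
    per-session CSRF token; the Referer check is only defence in depth."""
    return method == "POST" and token_valid and strict_referer_check(referer)


if __name__ == "__main__":
    print("weak check accepts bypass URL:", weak_referer_check(BYPASS_REFERER))
    print("strict check accepts bypass URL:", strict_referer_check(BYPASS_REFERER))
    print("GET with valid token allowed:", allow_email_change("GET", LEGIT_REFERER, True))
```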

Now the POC video:

Impact
This issue can be used to steal the accounts of IBM users just by having them open the attacker's website. It can also be used to steal IBM staff accounts, which could then be used to cause damage to the company.
I hope this post helped someone. I want to thank @zseano, and thank you for reading.
