Admin Account Takeover - Creating Admin Account Through CSRF and XSS
One of the recent applications I was working on had a simple admin portal through which an administrator could add new users to the application. Inspecting the request in Burp, I saw that a CSRF token was used, but the token remained valid for the entire session. The token was also stored in a cookie and sent in the body of the request. The application did validate the CSRF token on the server side, but the validation only checked that the value of the cookie and the value in the request body were the same. So for successful exploitation we need the value of the cookie, and it has to be passed as a parameter.

Looking further at the application, I found an XSS on a page that every user lands on once logged in. Using it, I could read the value of the cookie, i.e., the CSRF token, which could then be used to trigger the payload and add new users to the application. By changing the type of user to admin ( role = 1 ), it was possible to add admin users to the account. As soon as admin logs into his ac
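To show why the cookie-equals-body check described above is weak, here is an added example (not code from the application in the post) that places that naive check beside a session-bound, HMAC-signed token; `SERVER_SECRET`, `issue_token` and `validate_signed` are assumed names for the hardened design, not anything from the original.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret held only on the server, never sent to the browser.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def validate_naive(cookie_token: str, body_token: str) -> bool:
    """The check the post describes: accept when the two copies match.

    Nothing ties the token to the user's session or to a server secret,
    so any pair of equal values chosen by the requester is accepted.
    """
    return cookie_token == body_token


def issue_token(session_id: str) -> str:
    """Hardened variant (assumed design): a random nonce plus an HMAC that
    binds the nonce to the session the token was issued for."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(
        SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return f"{nonce}.{mac}"


def validate_signed(session_id: str, body_token: str) -> bool:
    """Recompute the MAC for the caller's real session and compare in
    constant time. A token forged without the secret, or one issued for a
    different session, fails here even though its two copies 'match'."""
    try:
        nonce, mac = body_token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(
        SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(mac, expected)
```

The signed check closes the forged-pair weakness, but a script running on the same origin can still read a legitimately issued token from the page, so the XSS itself must be fixed (and the token rotated rather than kept session-long) for the CSRF defence to hold.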