Posts

Showing posts from July, 2020

Admin Account Takeover - Creating Admin Account Through CSRF and XSS

One of the applications I recently worked on had a simple admin portal through which new users could be added to the application. Inspecting the request in Burp, I saw that a CSRF token was in use, but the token stayed valid for the entire session. The token was stored in a cookie and was also sent in the body of the request. The application did validate the CSRF token on the server side, but only by checking that the value in the cookie matched the value in the request body. For successful exploitation, then, we need the value of the cookie and it has to be passed as a parameter. Looking further at the application, I found an XSS in a page that every user lands on once logged in. Using it I could read the cookie value, i.e. the CSRF token, which can then be used to trigger the payload and add new users to the application. By changing the type of user to admin (role = 1), it was possible to add admin users to the account. As soon as the admin logs into his ac...

OSCP V2 Journey

My Background: I have been working as an Information Security Analyst for over 2 years, with experience in Vulnerability Assessment and Penetration Testing in the areas of Web, Network, Mobile and Thick Client.

Pre-Prep: I started preparing 2 months before I registered for the OSCP Exam. There are good resources online to start the preparation. I think a good place to start with is TJNull's OSCP-like machines from both HTB and Vulnhub. I purchased HTB VIP and tried doing most of the boxes mentioned in it. It was a good start to practice the enumeration techniques.

Updated list from TJNull's OSCP-like machines: HTB machines, Vulnhub Machines

After 2 months of working on HTB and Vulnhub, I finally registered for the OSCP. I took 2 months of LAB access in April 2020.

As soon as I got access, I went straight off to the PDF and the Videos. It took me almost 15 days to complete the PDF, videos and all the exercises with reporting and I was left with ...