Stealing a chat session ID with CORS and executing a CSRF attack

Hello everyone, I hope you are all healthy and safe. Today's writeup is about my recent find on a Bugcrowd private program. It explains how I was able to chain a CORS issue with a CSRF attack to steal the chat session ID of a victim user and send messages on their behalf. Without wasting time, let's get into the details of the vulnerability.

In the second week of January, while exploring the <redacted> domain, I found that the target has a built-in chat feature. To send a new message, the client sends a POST request like this:

POST /ha/chat/<Chat_Session_ID> HTTP/1.1
Host: <redacted>
User-Agent: XXXXX
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
Host-Site: XXX
Content-Length: 75
Origin: XXXXX
Connection: close
Referer: XXXXXXX

{"content":"HI","event":"MESSAGE","clientSideSequence":4,"role":"CUSTOMER"}

On further investigation, I found that this POST request is vulnerable to CSRF. So YAY! An attacker can send messages on behalf of the victim user.

But wait!! If you observe carefully, the endpoint includes the victim's chat session ID, **/ha/chat/<Chat_Session_ID>**, which has a format like this: XXXXXX-CHAT_XXXXXXXXXX–XXXX-XXXX-XXXX-XXXXXXXXXXXX
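As an added, defender-side illustration (not code from the post or from the target program), here is how a chat backend could close both halves of this chain: Origin/Referer validation for state-changing requests to the message endpoint, and an allowlist-based CORS policy that never reflects an arbitrary origin together with credentials. The allowed origin, the attacker origin and the helper names are assumed placeholders; the endpoint shape and headers mirror the request shown above.

```python
# Added example, not from the original post. Helper names, the allowed-origin
# list and the attacker origin are assumptions; /ha/chat/<id> and the Origin /
# Content-Type headers mirror the forged request described in the writeup.
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://app.example.test"}   # assumed site origin (placeholder)
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def origin_of(headers):
    """Return scheme://host from the Origin header, else from Referer, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        val = h.get(name)
        if val and val != "null":
            u = urlsplit(val)
            if u.scheme and u.netloc:
                return f"{u.scheme}://{u.netloc}"
    return None

def csrf_verdict(method, path, headers):
    """Decide whether a request may change state. Rejects cross-site requests and
    requests with no verifiable source, the gap that let the forged
    /ha/chat/<id> POST through even though the body is JSON."""
    if method.upper() not in STATE_CHANGING:
        return "allow"
    src = origin_of(headers)
    if src is None:
        return f"deny: no Origin/Referer on {method.upper()} {path}"
    if src not in ALLOWED_ORIGINS:
        return f"deny: cross-site {method.upper()} to {path} from {src}"
    return "allow"

def cors_headers(request_origin):
    """Build CORS response headers from an allowlist. Reflecting whatever Origin
    arrives together with Allow-Credentials is what lets a third-party page read
    the chat session ID cross-origin; an allowlist never grants that."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}   # no CORS grant, so the browser withholds the response body

if __name__ == "__main__":
    # Constructed headers for a forged request sent from an attacker-controlled page.
    forged = {"Origin": "https://attacker.example",
              "Content-Type": "application/json;charset=utf-8"}
    print(csrf_verdict("POST", "/ha/chat/<Chat_Session_ID>", forged))
    print(cors_headers("https://attacker.example"))
```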

Now I had come so close and didn't want to give up on this. At this moment, I had the complete