First Bug Bounty

Chaining Bugs to get my First Bug Bounty

ag3n7

Published in

InfoSec Write-ups

4 min readFeb 8, 2023

Openredirection + clickjacking + csrf -> Account Takeover

Hola Hackers,

This writeup is about my first bug bounty in which the submission was duplicate, even though they rewarded me for chaining the bugs and reported it with an effective approach of a real-life attack scenario.

Let’s Start

First we will discuss about the bugs which I chained together.

Open Redirection
Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain.
Clickjacking
Clickjacking is an interface-based attack in which a user is tricked into clicking on actionable content on a hidden website by clicking on some other content in a decoy website
CSRF
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

source: https://portswigger.net/

Now we can go to the target website, we can call it example.com by respecting their privacy.

While browsing through the website using burp suite, I found some open-redirection vulnerabilities, pages vulnerable to clickjacking, page without csrf token and also some other related things.

Most of the vulnerabilities I found on the website were out of scope, so I tried again. The csrf vulnerable page was a password reset page, when I saw it first I thought I can exploit it directly but when I checked the required inputs it requires current password also. After some discussions, I found that if there is password confirmation, then we can’t exploit the csrf directly. So I tried to find other methods to exploit it.

I checked the login page which is vulnerable to clickjacking, and I already have some openredirection also. So I tried to chain it together to a real-life attack scenario.

The summary of the attack was that we redirected to the clickjacking vulnerable login page via openredirection and then the user enters their username and password, it directly passed to the password reset form using javascript which successfully changes the password of the victim to the attacker’s password.

Here we used example.com, we can use the original login page here and host it somewhere and redirect it through their own website.

source: https://github.com/shifa123/clickjackingpoc

And when the user enters the credentials, it is directly sent to the password reset form via javascript. We can use the csrf poc generated from burp suite while performing a password reset here and combining it with the page makes everything simple and the password reset will happen at one click after entering the credentials

Program flow:

First goto https://www.example.com/?option=oauthredirect&redirect_url=https://example.com here this redirect to example.com
If we host a fake login page using clickjacking on the login page, we will get the email and current password

Then we can sent this to password change form, https://www.example.com/etcetc?etc=abcd&Target=PasswordResetForm&params=test which is vulnerable to csrf attack
When the victim enters email and current password and then click on login, the password will get resetted to attacker given password