[Critical] Bypass CSRF protection on IBM

Mohamed Sayed, published in InfoSec Write-ups, Oct 9, 2018 (2 min read). Tag: IBM

What is a CSRF attack?
CSRF (Cross-Site Request Forgery) is an attack that tricks the victim's browser into sending a request the victim never intended to make. Because the browser attaches the victim's session cookies automatically, that request can change the victim's account information, such as their email, username or password.

What did I find on IBM?
When trying to change the email on my test account, I noticed that the website changed it using a GET request:
( https://www.ibm.com/ibmweb/myibm/account/sendmail?locale=us-en&email=NEW_EMAIL )
This link is what changes the email, and I didn't see any CSRF token protecting the request. I tried to exploit it, but it didn't work because the website checks the Referer header :( I was like:

But I kept trying, and after a few hours I found a bypass for this protection. When I changed the Referer header value it returned an error, but when I used this value it returned true:
( https://www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp )
So I tried to spoof this check, and I found a bypass using this URL:
( http://my_website/www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp.php )
What I did was put the valid URL as a path on my own website, so the request is now sent from ( profile-edit.jsp.php ) to the IBM website to change the email. The Referer check only looked for the expected URL somewhere inside the header value, not at the start, so it passed. When I tried this method it worked. I was like:

So now I could steal the accounts of IBM users just by having them visit my website :P.
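To make the root cause concrete, here is an added example (my own reconstruction, not IBM's code) that puts the substring-style Referer check the write-up describes next to a strict check. The strict version parses the header and compares scheme and hostname exactly, and the email change is additionally gated on POST plus a per-session CSRF token, which is the fix that does not depend on the Referer header at all. The trusted host, the expected path and the session layout are assumptions for illustration.

```python
"""Weak vs. strict Referer validation, plus a per-session CSRF token.
Constructed example: the host, path and session shape are assumptions,
not IBM's actual implementation."""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Origin allowed to initiate the email change (assumed for this example).
TRUSTED_SCHEME = "https"
TRUSTED_HOST = "www.ibm.com"

# The page the write-up says the server expected to see in the Referer header.
EXPECTED_REFERER_PATH = "www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp"


def weak_referer_check(referer: Optional[str]) -> bool:
    """Substring match, the behaviour described in the write-up.

    Anything that merely *contains* the expected path passes, including a
    Referer whose hostname belongs to a third party."""
    return EXPECTED_REFERER_PATH in (referer or "")


def strict_origin_check(referer: Optional[str]) -> bool:
    """Parse the header and compare scheme and hostname exactly.

    A missing header is rejected: a state-changing request has to prove
    where it came from.  Compare the parsed hostname, never the raw string."""
    if not referer:
        return False
    parts = urlparse(referer)
    return (
        parts.scheme == TRUSTED_SCHEME
        and parts.hostname == TRUSTED_HOST
        and parts.port in (None, 443)
    )


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Bind a fresh random token to the server-side session and return it so
    the profile-edit page can embed it in the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def authorize_email_change(
    method: str,
    referer: Optional[str],
    session: Dict[str, str],
    submitted_token: Optional[str],
) -> Tuple[bool, str]:
    """Decide whether an email-change request may proceed.  Returns (ok, reason).

    Order matters for defence in depth: reject GET first (a state change must
    not be reachable by a plain link), then the origin, then the token."""
    if method.upper() != "POST":
        return False, "state change must use POST, not GET"
    if not strict_origin_check(referer):
        return False, "referer/origin not trusted"
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False, "missing CSRF token"
    # Constant-time comparison so token checking does not leak via timing.
    if not hmac.compare_digest(expected.encode(), submitted_token.encode()):
        return False, "invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample headers: the legitimate page and the bypass URL from the write-up.
    legit = "https://www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp"
    bypass = "http://my_website/www.ibm.com/ibmweb/myibm/profile/profile-edit.jsp.php"
    for name, ref in (("legit", legit), ("bypass", bypass)):
        print(f"{name:6} weak={weak_referer_check(ref)!s:5} strict={strict_origin_check(ref)}")

    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    print(authorize_email_change("GET", legit, session, token))
    print(authorize_email_change("POST", bypass, session, token))
    print(authorize_email_change("POST", legit, session, "wrong"))
    print(authorize_email_change("POST", legit, session, token))
```

The weak check accepts the bypass URL because the expected path appears inside it; the strict check rejects it because the parsed hostname is `my_website`, not `www.ibm.com`. The token check is the part worth keeping even if the Referer header is absent or stripped by a privacy setting, since an attacker's page cannot read the token out of the victim's session.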

POC Video:

Report Sent: Sep 14th
Triaged on: Sep 28th
Solved on: Oct 8th

I hope this write-up helped someone, and I want to thank @zseano for helping me.


Written by Mohamed Sayed

My name is Mohamed my nickname is Flex, I’m a Bug Hunter at HackerOne and Synack Red Team Member.
