Josh axiom215

## csrf_jwt_redirect_leak.md

      
              1 file
            
          
              12 forks
            
          
              4 comments
            
          
              52 stars
            
          
                stefanocoding
                / csrf_jwt_redirect_leak.md
            
            
              Created
              May 15, 2019 23:46
            
          
    You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.
CSRF token bug


There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
User loads https://example.com/?code=VALUE
Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user
GET /verify/VALUE HTTP/1.1
Host: example.com


## scanio.sh
#!/bin/bash
# Usage : ./scanio.sh <save file>
# Example: ./scanio.sh cname_list.txt

# Premium
function ech() {
  spinner=( "|" "/" "-" "\\" )
  while true; do
    for i in ${spinner[@]}; do
      echo -ne "\r[$i] $1"
	#!/bin/bash
	# Usage : ./scanio.sh <save file>
	# Example: ./scanio.sh cname_list.txt

	# Premium
	function ech() {
	spinner=( "\|" "/" "-" "\\" )
	while true; do
	for i in ${spinner[@]}; do
	echo -ne "\r[$i] $1"