JSON CSRF attack on a Social Networking Site [HackerOne Platform]

Before describing the actual attack scenario, let us first discuss what a CSRF attack is.

Consider a victim who has an active session on a website and some details stored on that website's settings page, and suppose that no CSRF token is sent with the requests that go out from the settings page. An attacker can then craft an HTML file (or something disguised as an image) that uses <form>, <input> etc. to submit the attacker's chosen values to the settings endpoint. As soon as the victim opens the image or the HTML file, the content of his/her settings page is updated with the attacker's content.


Two conditions must be satisfied for this attack to work: first, no anti-CSRF token is sent with the requests from that site, and second, the victim has an active session on that site.


A year ago, I was searching for bugs in the site m.badoo.com on the HackerOne platform, where I found the request https://m.badoo.com/api.phtml?SERVER_DELETE_ACCOUNT in Burp Suite, with its data sent in JSON format. As you can guess, it was a request to delete the account of a registered user. Similarly, I found another one, https://m.badoo.com/api.phtml?SERVER_RESET_TRUSTED_NETWORK, which was meant to delete all the contacts of a user on that site. Looking at these requests, I noticed that no CSRF token was being sent along with them.

The problem was that the data was sent as JSON, so there had to be a way to generate an HTML file for the CSRF PoC. I designed two HTML files: one for erasing imported contacts and another for deleting an account on m.badoo.com. But because the JSON body was built from a form field, an "=" was appended after the content in the request. This stopped the attack from triggering, but you can easily absorb that character by adding your own key/value pair at the end, like "ignore_me":"' value='test", so that the appended "=" lands inside a harmless string value. The HTML code [Erasing Contacts] has been shown below:


The other thing that needs to be mentioned here is that the entire JSON payload placed in the name parameter will not reach the server as a body it parses as JSON unless we set enctype="text/plain" on the form (otherwise the browser URL-encodes it). So, in that way, it was slightly different from the basic HTML form we usually generate for CSRF.

The lesson from this finding is that if the request is sent in JSON format, use text/plain as the form encoding type and neutralise the "=" that is automatically appended at the end of the content in the request. Below is the response in the browser after the victim opened the HTML code in his/her browser.

As seen in the above image, when the victim finally opened the HTML file in the browser, the attack was successful and the victim could see the text "Your contacts are being erased, this could take up to 5 minutes." Similarly, I got the corresponding output for deleting any user's account on Badoo by exploiting this vulnerability on the mobile site of Badoo.
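For the defensive side of the same finding, here is an added server-side check (example code written for this page, not part of the original post or of Badoo's code) that refuses the text/plain form submission described above while accepting a genuine same-origin JSON request. It assumes the site's own origin is https://m.badoo.com and that the session carries an anti-CSRF token submitted as the csrf_token field of the JSON body.

```python
import hmac
import json
from urllib.parse import urlparse

# Assumption: the application's own origin; anything else is cross-site.
SITE_ORIGIN = "https://m.badoo.com"


def check_json_request(headers, body, session_token):
    """Return (accepted, reason) for a state-changing JSON request.
    headers: dict with lower-case keys; body: raw request body as str;
    session_token: anti-CSRF token bound to the victim's session."""
    # 1. An HTML form can only send urlencoded, multipart or text/plain bodies,
    #    so requiring exactly application/json defeats the enctype="text/plain" trick.
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return False, "content-type is %r, not application/json" % media_type
    # 2. Browsers attach Origin (or at least Referer) to cross-site POSTs; refuse
    #    anything not from our own origin, or carrying neither header.
    origin = headers.get("origin")
    if origin is None and "referer" in headers:
        ref = urlparse(headers["referer"])
        origin = "%s://%s" % (ref.scheme, ref.netloc)
    if origin != SITE_ORIGIN:
        return False, "origin %r is not %r" % (origin, SITE_ORIGIN)
    # 3. The body must be a JSON object carrying the session's CSRF token. Note
    #    the "ignore_me" padding still parses as valid JSON, so parsing alone is
    #    no defence; the token comparison binds the request to the session.
    try:
        data = json.loads(body)
    except ValueError:
        return False, "body is not valid JSON"
    if not isinstance(data, dict):
        return False, "body is not a JSON object"
    token = data.get("csrf_token", "")
    if not (isinstance(token, str) and hmac.compare_digest(token, session_token)):
        return False, "missing or wrong csrf_token"
    return True, "ok"


# Constructed sample traffic. FORGED is what a text/plain form field named
# '{"action":"erase_contacts","ignore_me":"' with value 'test"}' produces:
# name + "=" + value, i.e. the padding trick described in the post.
SESSION_TOKEN = "s3ss10n-t0k3n-EXAMPLE"
LEGIT = ({"content-type": "application/json; charset=utf-8", "origin": SITE_ORIGIN},
         json.dumps({"action": "erase_contacts", "csrf_token": SESSION_TOKEN}))
FORGED = ({"content-type": "text/plain", "origin": "https://attacker.example"},
          '{"action":"erase_contacts","ignore_me":"=test"}')
```

Each of the three checks stops the forged request on its own; keeping all three means a gap in one (for example a framework that sniffs JSON from a text/plain body) does not reopen the hole.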


Sahil Tikoo