Cisco Meraki AJAX-based CSRF

Hello friends 🙂 This is the write-up of my Cisco Meraki findings. I was 😉 trying a different platform for a change, so I logged in and played the game of request and response; after a few requests back and forth it was clear that it was an AJAX-based web app. I then started testing for standard security issues like XSS, CSRF, injection etc., and finally found one that let me disconnect the admin from his own account.

[+]Abstract
When I removed the token from the AJAX request, the request still completed. I checked again and confirmed that the server was not validating the XSRF token at all, so it was a CSRF.

[+]PoC Challenge
You can easily create a PoC via Burp for web apps that send their anti-CSRF token in the request body, but sometimes you have to struggle with web apps that send the CSRF token in a header, especially AJAX-based ones, e.g. "X-XSRF-Token": "value";

So I had to create the PoC manually, and coded this:
var request = new XMLHttpRequest();
request.open('POST', 'url', true); // the POST URL the web app sends the removal request to
request.onload = function () { console.log(request.status); }; // log the result once the response arrives
request.send(); // the request is sent without the X-XSRF-Token header

But AJAX has its own security policy that has to be satisfied first!
Same Origin Policy on AJAX

The same origin policy dictates that an AJAX object can fully communicate on the user's behalf only if the following conditions are met:
► The protocol used by the AJAX object must be identical to the protocol of the origin page.
► The target port of the AJAX object must be identical to the port of the origin page.
► The domain of the host and the domain of the AJAX object's target host must be identical.

The only thing left to do was to use an overly permissive browser ===> IE
So it worked.
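The defect described above is the server side of this story: a request whose X-XSRF-Token header had been stripped was still accepted. The following added example (my illustration, not Cisco Meraki's code) shows the check that was missing for an app that carries its anti-CSRF token in a header, combined with an Origin/Referer allow-list that addresses the cross-origin angle of the same-origin policy section. The hostnames, cookie names and request objects are constructed assumptions; header names are assumed to arrive lower-cased, as Node's http module delivers them.

```javascript
// Added defensive example (not Cisco Meraki's code): a server-side CSRF guard
// for an AJAX-style app whose anti-CSRF token travels in the X-XSRF-Token header.
// All hostnames, cookie names and request objects below are constructed.

// Origins the app is legitimately served from (hypothetical).
const ALLOWED_ORIGINS = new Set(['https://dashboard.example.test']);
const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Parse a Cookie header ("a=1; b=2") into a name -> value map.
function parseCookies(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    cookies[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// Constant-time string comparison so a token check does not leak via timing;
// differing lengths are simply a mismatch.
function safeEqual(a, b) {
  const x = String(a), y = String(b);
  if (x.length !== y.length) return false;
  let diff = 0;
  for (let i = 0; i < x.length; i++) diff |= x.charCodeAt(i) ^ y.charCodeAt(i);
  return diff === 0;
}

// Origin check: a request triggered from another site carries that site's
// Origin (browsers set it on cross-site POSTs), which is not allow-listed.
// Fall back to Referer; with neither present the request is rejected, not trusted.
function originCheck(headers) {
  let origin = headers['origin'];
  if (!origin && headers['referer']) {
    try { origin = new URL(headers['referer']).origin; } catch (e) { origin = null; }
  }
  if (!origin) return { ok: false, reason: 'no origin' };
  if (!ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: 'origin not allowed' };
  return { ok: true };
}

// Double-submit check: X-XSRF-Token must be present and equal to the
// XSRF-TOKEN cookie the app issued. The cookie alone proves nothing, because
// the browser attaches it to every request to the site regardless of who started it.
// This is the validation the write-up found to be absent.
function tokenCheck(headers) {
  const headerToken = headers['x-xsrf-token'];
  const cookieToken = parseCookies(headers['cookie'])['XSRF-TOKEN'];
  if (!headerToken || !cookieToken) return { ok: false, reason: 'missing token' };
  if (!safeEqual(headerToken, cookieToken)) return { ok: false, reason: 'token mismatch' };
  return { ok: true };
}

// Guard one request: safe methods pass, state-changing ones need both checks.
// `req` is { method, headers } with lower-cased header names.
function csrfGuard(req) {
  if (!STATE_CHANGING.has(req.method)) return { ok: true };
  const origin = originCheck(req.headers);
  if (!origin.ok) return origin;
  return tokenCheck(req.headers);
}

// Constructed sample requests. All carry the session cookie, since the
// browser sends it no matter which page triggered the request.
const SESSION = 'session=abc123; XSRF-TOKEN=tok-9f1e';
const legitRequest = {
  method: 'POST',
  headers: { origin: 'https://dashboard.example.test', cookie: SESSION, 'x-xsrf-token': 'tok-9f1e' },
};
// The write-up's situation: token header absent, request issued from another page.
const crossSiteRequest = {
  method: 'POST',
  headers: { origin: 'https://other-site.example.test', cookie: SESSION },
};
// Same origin, but the client forgot to attach the header: still rejected.
const tokenlessRequest = {
  method: 'POST',
  headers: { referer: 'https://dashboard.example.test/admin', cookie: SESSION },
};

function evaluateSamples() {
  return {
    legit: csrfGuard(legitRequest),
    crossSite: csrfGuard(crossSiteRequest),
    tokenless: csrfGuard(tokenlessRequest),
  };
}

console.log(evaluateSamples());
```

With the guard in place, the PoC request from the write-up (a POST with no X-XSRF-Token header) is refused twice over: once on Origin, and again on the missing token even if the Origin check were bypassed or absent. Logging the `reason` field is worth doing on the server, because a stream of "missing token" or "origin not allowed" rejections on an admin endpoint is exactly the signal that someone is probing for this class of bug.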

Video poc :

[+]Reported

[+] Fixed

Hope this write-up was helpful.
Regards
vishwaraj
