1-Reusable CSRF Token:
The CSRF token "that verify each and every solicitation made by the client" which can be likewise found in the solicitation body of each and every solicitation with the boundary name "Auth" get changed with each solicitation made by client for safety efforts, however after a profound examination I figured out that the CSRF Auth is Reusable for that particular client email address or username, this implies In the event that an aggressor found any of these CSRF Tokens, He can make activities in the act of any signed in client.
Gee, it appears to be intriguing yet not exploitable, as it is basically impossible for an assailant to get the "Auth" esteem from a casualty meeting.
2-Bypassing the CSRF Auth Framework:
The CSRF Auth checks each and every solicitation of that client, So imagine a scenario where an aggressor "not signed in" attempts to make a "send cash" demand then PayPal will request that the assailant give his email and secret key, The aggressor will give the "Casualty Email" and ANY secret phrase, Then, at that point, he will catch the solicitation, The solicitation will contain a Legitimate CSRF Auth token Which is Reusable and Can approve this particular client demands. Upon Additional Examination, We have figured out that an Aggressor can get the CSRF Auth which can be substantial for ALL clients, by capturing the POST demand from a page that give an Auth Token before the Signing in process, really look at this page for the enchanted CSRF Auth "https://www.paypal.com/eg/cgi-receptacle/webscr?cmd=_send-cash". Right now the aggressor Can CSRF "nearly" any solicitation on act of this client.
The application produces a legitimate "Auth" token for a logged-out client!
Through assessment of the secret key change process, he found that an aggressor can NOT Change the casualty secret key without responding to the Security Questions set by client, Likewise the client himself can NOT change the security inquiries without entering the secret phrase!
3-ByPassing the Security Questions Change:
The underlying system of "setting" security questions isn't secret word safeguarded and is reusable
After additional examination, saw that the solicitation of setting up the security questions "which is started by the client while joining" isn't secret word safeguarded, and it very well may be reused to reset the security inquiries up without giving the secret word, consequently, Equipped with the CSRF Auth, an aggressor can CSRF this interaction as well and change the casualty's Security questions.
As of now, An assailant can lead a designated CSRF assault against a PayPal clients and take a full command over his record Consequently, An aggressor can CSRF every one of the solicitations including yet not restricted to:
1-Add/Eliminate/Affirm Email address
2-Add completely favored clients to business account
3-Change Security questions
4-Change Charging/Transportation Address
5-Change Installment strategies
6-Change client settings(Notifications/Portable settings) … … … … and the sky is the limit from there.
The CSRF token "that verify each and every solicitation made by the client" which can be likewise found in the solicitation body of each and every solicitation with the boundary name "Auth" get changed with each solicitation made by client for safety efforts, however after a profound examination I figured out that the CSRF Auth is Reusable for that particular client email address or username, this implies In the event that an aggressor found any of these CSRF Tokens, He can make activities in the act of any signed in client.
Gee, it appears to be intriguing yet not exploitable, as it is basically impossible for an assailant to get the "Auth" esteem from a casualty meeting.
2-Bypassing the CSRF Auth Framework:
The CSRF Auth checks each and every solicitation of that client, So imagine a scenario where an aggressor "not signed in" attempts to make a "send cash" demand then PayPal will request that the assailant give his email and secret key, The aggressor will give the "Casualty Email" and ANY secret phrase, Then, at that point, he will catch the solicitation, The solicitation will contain a Legitimate CSRF Auth token Which is Reusable and Can approve this particular client demands. Upon Additional Examination, We have figured out that an Aggressor can get the CSRF Auth which can be substantial for ALL clients, by capturing the POST demand from a page that give an Auth Token before the Signing in process, really look at this page for the enchanted CSRF Auth "https://www.paypal.com/eg/cgi-receptacle/webscr?cmd=_send-cash". Right now the aggressor Can CSRF "nearly" any solicitation on act of this client.
The application produces a legitimate "Auth" token for a logged-out client!
Through assessment of the secret key change process, he found that an aggressor can NOT Change the casualty secret key without responding to the Security Questions set by client, Likewise the client himself can NOT change the security inquiries without entering the secret phrase!
3-ByPassing the Security Questions Change:
The underlying system of "setting" security questions isn't secret word safeguarded and is reusable
After additional examination, saw that the solicitation of setting up the security questions "which is started by the client while joining" isn't secret word safeguarded, and it very well may be reused to reset the security inquiries up without giving the secret word, consequently, Equipped with the CSRF Auth, an aggressor can CSRF this interaction as well and change the casualty's Security questions.
As of now, An assailant can lead a designated CSRF assault against a PayPal clients and take a full command over his record Consequently, An aggressor can CSRF every one of the solicitations including yet not restricted to:
1-Add/Eliminate/Affirm Email address
2-Add completely favored clients to business account
3-Change Security questions
4-Change Charging/Transportation Address
5-Change Installment strategies
6-Change client settings(Notifications/Portable settings) … … … … and the sky is the limit from there.
