Sohu Focus financial wallet: multiple CSRF issues allowing hijacking of arbitrary accounts, and fixes
Http://ibank.focus.cn/account/
No CSRF token is set for multiple sensitive operations in the account area.
CSRF PoC for setting the security question:
The other operations follow the same pattern. In addition, if the user forgets the security question, the bound mailbox is used for recovery, and the mailbox binding itself can also be done via CSRF.
After an email address has been bound, the email address can be reset as well.
The payment password, mobile phone binding, and identity authentication can all be hijacked via CSRF. Apart from the verification code in the mobile phone binding step, every other operation can be CSRF'd.
However, the one operation that does have a verification code turns out to be purely decorative and can be bypassed...
At first glance it looks fine: one request checks whether the verification code is correct, and only then is the request that actually sends the SMS made.
So I tried replaying the SMS request on its own. The response was not "incorrect verification code" but:
{"status":"5","msg":"\u9a8c\u8bc1\u7801\u95f4\u9694\u65f6\u95f4\u592a\u77ed\uff0c\u8bf7\u7a0d\u540e\u518d\u8bd5"}
(decoded: "The verification code interval is too short, please try again later")
So this request skips the first verification-code check and goes straight to the endpoint that sends the text message; the only thing standing in the way is an interval check between SMS sends.
So I used the phone number as the payload and sent the verification code to ten different phone numbers in turn. None of them produced an "interval too short" prompt, which shows the bypass works: the interval appears to be enforced per destination number rather than per requesting account, so rotating numbers gets around it (PS: what if this were used to send text messages to millions of people?).
Even with the interval limit in place, an attacker only needs to pace the requests.
And CSRF works for sending text messages too: I don't even need to send the packets myself. Putting the SMS-sending URL in an <img> tag is enough; anyone holding a Sohu cookie who views the image makes the request.
Solution:
1. Add a CSRF token to all sensitive operations and verify it server-side.
2. Enforce process integrity across multi-step flows: before performing the next step, check server-side that the previous step actually succeeded in the same session (the SMS must only be sent after the verification code has been checked), and key the SMS interval to the account rather than to the destination number.
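The following Python is an added example, not code from the original write-up or from Sohu. It models the mobile-binding flow described above in two shapes: the behaviour that was observed (no CSRF token, the SMS step not tied to the verification-code check, interval limit keyed on the destination number) and a hardened version implementing both points of the Solution list. Endpoint behaviour, field names, status codes, the session model and the 60-second interval are assumptions for illustration.

```python
"""Added example, not code from the original write-up or from Sohu: a minimal
model of the mobile-binding flow, contrasting the observed behaviour (no CSRF
token, SMS step not tied to the code check, interval keyed per phone number)
with the two fixes in the Solution list. Field names, status codes and the
60 s interval are assumptions for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field

SMS_INTERVAL = 60.0  # seconds between SMS sends; assumed value


@dataclass
class Session:
    """Server-side session. The CSRF token is generated per session and
    would be embedded (hidden field or header) in the forms rendered to this user."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    image_code_ok: bool = False          # set only by a successful step-1 check
    last_sms_at: float = float("-inf")


class VulnerableFlow:
    """Models what the write-up observed: the SMS endpoint can be called without
    the verification-code step, and the interval check is per phone number, so
    replaying one number is blocked but rotating numbers is not."""

    def __init__(self):
        self.last_sms_by_phone = {}
        self.sent = []

    def send_sms(self, session, form, now):
        phone = form["phone"]            # no CSRF token is even looked at
        if now - self.last_sms_by_phone.get(phone, float("-inf")) < SMS_INTERVAL:
            return {"status": "5", "msg": "interval too short"}
        self.last_sms_by_phone[phone] = now
        self.sent.append(phone)
        return {"status": "0"}


class HardenedFlow:
    """Fix 1: every state-changing request must carry the session's CSRF token.
    Fix 2: send_sms only runs after check_code succeeded in the same session,
    and the flag is consumed so each SMS needs a fresh check. The interval is
    tracked per account, not per destination number."""

    def __init__(self):
        self.sent = []

    @staticmethod
    def _csrf_ok(session, form):
        # constant-time comparison; a missing token compares as ""
        return hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token)

    def check_code(self, session, form, expected_code):
        if not self._csrf_ok(session, form):
            return {"status": "403", "msg": "bad csrf token"}
        if not hmac.compare_digest(form.get("code", ""), expected_code):
            session.image_code_ok = False
            return {"status": "1", "msg": "incorrect verification code"}
        session.image_code_ok = True
        return {"status": "0"}

    def send_sms(self, session, form, now):
        if not self._csrf_ok(session, form):
            return {"status": "403", "msg": "bad csrf token"}
        if not session.image_code_ok:
            return {"status": "2", "msg": "verification code not checked"}
        if now - session.last_sms_at < SMS_INTERVAL:
            return {"status": "5", "msg": "interval too short"}
        session.image_code_ok = False    # one-shot: consume the step-1 result
        session.last_sms_at = now
        self.sent.append(form["phone"])
        return {"status": "0"}


def demo_vulnerable():
    """Ten different numbers at the same instant all go through; only an
    immediate replay of the same number hits the interval check."""
    flow, s = VulnerableFlow(), Session("victim")
    statuses = [flow.send_sms(s, {"phone": f"1380000000{i}"}, 0.0)["status"] for i in range(10)]
    replay = flow.send_sms(s, {"phone": "13800000000"}, 0.0)["status"]
    return statuses, replay


def demo_hardened():
    """Forged cross-site request, skipped step 1, the legitimate path, and a
    rotated number inside the interval, in that order."""
    flow, s = HardenedFlow(), Session("victim")
    forged = {"phone": "13900000000"}            # cross-site <img>/form: no token
    no_token = flow.send_sms(s, forged, 0.0)["status"]
    legit = {"phone": "13900000000", "csrf_token": s.csrf_token}
    skipped_step1 = flow.send_sms(s, legit, 0.0)["status"]
    flow.check_code(s, {"csrf_token": s.csrf_token, "code": "ab12"}, "ab12")
    ok = flow.send_sms(s, legit, 0.0)["status"]
    flow.check_code(s, {"csrf_token": s.csrf_token, "code": "ab12"}, "ab12")
    rotated = flow.send_sms(s, {"phone": "13900000001", "csrf_token": s.csrf_token}, 1.0)["status"]
    return no_token, skipped_step1, ok, rotated


if __name__ == "__main__":
    print(demo_vulnerable())   # (['0', '0', '0', '0', '0', '0', '0', '0', '0', '0'], '5')
    print(demo_hardened())     # ('403', '2', '0', '5')
```

Running the module prints the two result tuples. In the vulnerable model, only the replay to the same number is rejected, exactly the pattern seen in the write-up; in the hardened model the forged request fails on the token, the request that skips the code check fails on the session flag, the legitimate sequence succeeds, and rotating to a second number within the interval is still blocked because the limit follows the account.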