Posts

Showing posts from June, 2017

Let’s steal some tokens!

Image
This article was originally posted on Seekurity Blog: https://www.seekurity.com/blog/general/lets-steal-some-tokens/  Hey There, How you doing? Good? Cool! In this blog post I will be talking about my experience with minor bugs chained together to steal sensitive tokens. #1. Stealing CSRF tokens through Google Analytics. While randomly testing things on apps.shopify.com, I landed at some random app page and hit the  Write a review  button, I wasn’t logged in so I was redirected to the login page and after logging in I was redirected to the application page again. Ok, that’s normal. However, what wasn’t normal is that the URL I got redirected to contained this GET parameter  authenticity_token=[CSRF_TOKEN] . Yummy!!! I know Shopify allow you to add rich text to your application’s description,so I just thought I will load an image from my server and get the token from the referer header, or add a link to it and trick the victim to click it. Yup, that didn’t work, the