Chaining CSRF with XSS to deactivate Mass user accounts by single click

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing how I was able to deactivate the mass user account via single click by chaining an CSRF bug with XSS to bypass the CSRF protections on deactivate function.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls

5. qsreplace(tomnomnom) — https://github.com/tomnomnom/qsreplace)

Story Behind the bug:

This is the write of my Recent bug that i found . While I was doing recon for gathering all urls from internet archives using waybackurls and gau. So started fuzzing the for xss vulnerability and found one reflected xss . I tried to for session cookie stealing for higher impact but the site was using http only and also I found a CSRF bug which was not exploitable directly. So this is the writeup of how i was able to combine the two different bug to deactivated mass user account.