
Security Fix for POST-based CSRF "project wide" - huntr.dev #810

Open · wants to merge 3 commits into master

Conversation

huntr-helper

https://huntr.dev/users/alromh87 has fixed the POST-based CSRF "project wide" vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | 418sec#1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/lets-chat/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-lets-chat/

⚙️ Description *

Fix CSRF by requiring csrf token for authenticated post routes

💻 Technical Description *

A CSRF token is created during login and stored in the session; the token is then sent and validated during authorized POST requests, and if the correct token is not provided the request is denied.

🐛 Proof of Concept (PoC) *

Install the chat
Create a new user and login
Create a malicious file containing the following CSRF PoC:

```html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localtest.me:5000/account/profile" method="POST">
      <input type="hidden" name="display&#45;name" value="HACKED" />
      <input type="hidden" name="first&#45;name" value="HACKED;" />
      <input type="hidden" name="last&#45;name" value="HACKED" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

Victim opens the crafted file and their name/display name are changed:

[Screenshot 2020-08-31 23-31-47]

[Screenshot 2020-08-31 23-32-30]

POC for regenerating keys:

```html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localtest.me:5000/account/token/generate" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

Opening this, the API key created before is deleted and another one is created (invalidating previously connected applications).

[Screenshot 2020-08-31 23-32-15]

🔥 Proof of Fix (PoF) *

Requests are now flagged as Unauthorized

[Screenshot 2020-08-31 23-30-29]
[Screenshot 2020-08-31 23-30-14]

👍 User Acceptance Testing (UAT)

Application continues working normally:

[Screenshot 2020-08-31 23-41-35]
