Fix Post based CSRF

[alromh87]

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-lets-chat/

⚙️ Description *

Fix CSRF by requiring csrf token for authenticated post routes

💻 Technical Description *

CSRF Token is created during loggin and stored in session, then the token is sent and validated during authorized POST request, if correct token is not provided reuqest is denied.

🐛 Proof of Concept (PoC) *

Install the chat
Create a new user and login
Create a malicious file containing the following CSRF PoC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localtest.me:5000/account/profile" method="POST">
      <input type="hidden" name="display&#45;name" value="HACKED" />
      <input type="hidden" name="first&#45;name" value="HACKED;" />
      <input type="hidden" name="last&#45;name" value="HACKED" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Victim opens the crafted file) and it's name/display name are changed:

POC for regenerating keys:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localtest.me:5000/account/token/generate" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Opening this the api key created before will be deleted and another one created (invalidates previously connected applications)

🔥 Proof of Fix (PoF) *

Request are now flagged as Unauthorized

👍 User Acceptance Testing (UAT)

Application continue working normally:

[Mik317]

LGTM 😄 🎉

Cheers,
Mik

[ghost]

I'm curious why we aren't using a library for CSRF tokens? Since that way all of the token generation is covered (edge cases like collisions etc). Could use csurf or just plain csrf

[alromh87]

Tried csurf but it wasn't validating the token

[ghost]

Any luck with csrf?

[alromh87]

Done 😉

Thanks I was looking for something like this

[ghost]

Nice one thanks! Looks good to me - just waiting for a sheriff to check and we'll merge it 😄

[Mik317]

Really good fix 😄 🎉

Cheers,
Mik

[huntr-helper]

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section. Your bounty is on its way - keep hunting!