This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Conversation

@alromh87

@alromh87 alromh87 commented Dec 8, 2020

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-node-login

⚙️ Description *

node-login is a template for quickly building login systems on top of Node.js & MongoDB. It is vulnerable to CSRF attacks in the Update and Delete profile actions.

💻 Technical Description *

Avoid CSRF by using a CSRF token (via csurf).

🐛 Proof of Concept (PoC) *

  1. Download and set up node-login
  2. Go to http://localhost:3000/signup and create an account
  3. Create the payload and serve it through the web:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:3000/home" method="POST">
      <input type="hidden" name="name" value="hacked" />
      <input type="hidden" name="email" value="hacked&#64;test&#46;com" />
      <input type="hidden" name="country" value="Afghanistan" />
      <input type="hidden" name="pass" value="hacked" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  4. Open the payload from the same browser as the logged-in user and click on the Submit button
  5. User data has been tampered with
     (Screenshot from 2020-12-07 21-08-45)

🔥 Proof of Fix (PoF) *

After the fix the data is unaffected, as a CSRF token is required for POST actions.

(Screenshot from 2020-12-17 10-02-44)

👍 User Acceptance Testing (UAT)

All functionality is unaffected.
(Screenshot from 2020-12-07 21-44-31)


@mzfr mzfr left a comment


Hey, the fix looks good, but I just think that instead of showing the complete debug message there should be some small error that won't give away internal paths etc.

@alromh87 alromh87 requested a review from mzfr December 17, 2020 16:02
@alromh87 (Author)

@mzfr thanks for the comment; updated.


@mzfr mzfr left a comment


Looks good now


@Mik317 Mik317 left a comment


Hi @alromh87 😄,
thanks for the great fix 👍

Could you add the protection also for the Delete action?

Cheers,
Mik

@alromh87 (Author)

alromh87 commented Jan 14, 2021

Hello @Mik317, I think the delete action is already taken care of; unless I'm missing another endpoint, you can try with this PoC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:3000/delete" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

And you should get:
(Screenshot from 2021-01-13 22-26-24)

Before the fix you would get:
(Screenshot from 2021-01-13 22-30-58)

Let me know what you think

@huntr-helper

Congratulations alromh87 - your fix has been selected! 🎉

Thanks for being part of the community & helping secure the world's open source code.
If you have any questions, please respond in the comments section, or hit us up on Discord. Your bounty is on its way - keep hunting!

