[🐛] CSRF Issue #1421

Closed
headfullofciphers opened this issue Jul 4, 2020 · 16 comments

Comments

@headfullofciphers

🐛 Bug report

Description

While doing the CSRF challenge (with or without the 'solution' code), 2 errors are presented:
Error: Blocked illegal activity by ::ffff:127.0.0.1
Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client

Is this a regression?

Don't know

🔬 Minimal Reproduction

  1. Log in as a user
  2. Go to http://htmledit.squarefree.com/
  3. Paste the 'solution code'
  4. The error is visible in the npm console

🔥 Exception or Error


Error: Blocked illegal activity by ::ffff:127.0.0.1
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\routes\updateUserProfile.js:24:12
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:275:10)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\routes\verify.js:143:3
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:317:13)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:275:10)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\routes\verify.js:74:3
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:317:13)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:275:10)
    at logger (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\morgan\index.js:144:5)
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:317:13)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:275:10)
    at jsonParser (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\server.js:255:3)
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
    at ServerResponse.setHeader (_http_outgoing.js:518:11)
    at ServerResponse.header (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\response.js:771:10)
    at ServerResponse.location (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\response.js:888:15)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\routes\updateUserProfile.js:26:9
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\route.js:137:13)
    at Route.dispatch (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\route.js:112:3)
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:281:22
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:275:10)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\routes\verify.js:143:3
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:317:13)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:275:10)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\routes\verify.js:74:3
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:317:13)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)
    at next (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:275:10)
    at logger (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\morgan\index.js:144:5)
    at Layer.handle [as handle_request] (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\layer.js:95:5)
    at trim_prefix (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:317:13)
    at D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:284:7
    at Function.process_params (D:\juice-shop-11.0.1_node12_win32_x64\juice-shop_11.0.1\node_modules\express\lib\router\index.js:335:12)

🌳 Your Environment

Node.js: v12.18.0
npm: 6.14.4

Additional Information

Tried on
Chrome: 83.0.4103.116
FF: 77.0.1
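The two errors in the report appear together because the first (the "Blocked illegal activity" error raised at updateUserProfile.js:24) is followed by a res.location() call two lines later, which is the shape of an Express handler that passes an error to next() without returning. The following is an added illustration, not Juice Shop's code: an Express-style handler with that defect beside the corrected one, run against constructed mock request/response objects so it executes without Express installed. The token cookie name, the known-token check and the request objects are assumptions for the illustration; the anonymous request stands for what the server sees when the cookie does not accompany the request (the maintainer notes below that this error path is only taken when not logged in).

```javascript
// Added illustration (not Juice Shop's code): an Express-style handler that
// reproduces the error pair from the report, and the corrected form.
// Request/response objects are constructed mocks; no Express required.

// Assumption: a request counts as logged in when it carries a token cookie
// the server recognises.
const KNOWN_TOKEN = 'valid-token';
const loggedIn = (req) => Boolean(req.cookies && req.cookies.token === KNOWN_TOKEN);

// Buggy shape: hands the error to next() but keeps executing, so
// res.location() runs after the error handler has already responded.
function buggyUpdateProfile(req, res, next) {
  if (!loggedIn(req)) {
    next(new Error(`Blocked illegal activity by ${req.ip}`));
  }
  res.location('/profile'); // throws ERR_HTTP_HEADERS_SENT on the error path
  res.redirect('/profile');
}

// Corrected shape: return after delegating to next(); nothing else runs.
function fixedUpdateProfile(req, res, next) {
  if (!loggedIn(req)) {
    return next(new Error(`Blocked illegal activity by ${req.ip}`));
  }
  res.redirect('/profile');
}

// Minimal stand-in for Express: a response that refuses header writes once
// sent, a default error handler that answers 500, and the catch that routes a
// synchronously thrown error into next(err) the way Layer.handle does.
function simulate(handler, req) {
  const errors = [];
  const res = {
    headersSent: false,
    statusCode: 200,
    headers: {},
    setHeader(name, value) {
      if (this.headersSent) {
        const err = new Error('Cannot set headers after they are sent to the client');
        err.code = 'ERR_HTTP_HEADERS_SENT';
        throw err;
      }
      this.headers[name] = value;
    },
    location(url) { this.setHeader('Location', url); },
    redirect(url) { this.location(url); this.statusCode = 302; this.headersSent = true; },
  };
  const next = (err) => {
    errors.push(err.code || err.message); // what the console would log
    res.statusCode = 500;
    res.headersSent = true;
  };
  try {
    handler(req, res, next);
  } catch (err) {
    next(err);
  }
  return { errors, statusCode: res.statusCode, location: res.headers.Location };
}

// Constructed requests: one without the token cookie, one with it.
const ANON_REQUEST = { ip: '::ffff:127.0.0.1', cookies: {} };
const LOGGED_IN_REQUEST = { ip: '::ffff:127.0.0.1', cookies: { token: KNOWN_TOKEN } };

console.log('buggy, anonymous :', simulate(buggyUpdateProfile, ANON_REQUEST));
console.log('fixed, anonymous :', simulate(fixedUpdateProfile, ANON_REQUEST));
console.log('fixed, logged in :', simulate(fixedUpdateProfile, LOGGED_IN_REQUEST));
```

The buggy handler yields both messages from the report in order; the fixed one yields only the first and answers 500 once, while a logged-in request is redirected normally.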

@github-actions

github-actions bot commented Jul 4, 2020

Thanks a lot for opening your first issue with us! 🧡 We'll get back to you shortly! ⏳ If it was a Support Request, please consider asking on the community chat next time! 💬

@bkimminich
Member

That error path is only taken when you are not logged in. For the profile page the token cookie is expected to match one known on the server. Maybe your token expired? If you log out and log in immediately afterwards and then visit the profile page, do you see the profile? When you then run the CSRF attack, it still errors out?

I'll try it later today or tomorrow as well to verify.

@bkimminich
Member

I get the same behavior you describe, but in the HTML Editor I can see
[screenshot]

Did you try with an older browser to make sure it's not an issue similar to #1340?

@bkimminich
Member

This is what Firefox 76 has to say when pasting the payload:
[screenshot]

@bkimminich
Member

Please check if the attack is possible with an older browser version. I'll also add a note to the solution that this won't work with newer browsers.

@headfullofciphers
Author

Same issues with Chrome and Firefox.
With Microsoft Edge 42.17134.1098.0: SEC7120 [CORS] error

Tried with Opera 57.0.3098.91 (number taken by guess, release date 06.12.2018) and got ERR_BLOCKED_BY_RESPONSE

Thanks for confirming the issue ;)

@bkimminich
Member

Even IE11 doesn't play along...
[screenshot]

@bkimminich
Member

Yeah, maybe it's actually something fixed on the HTML Editor's side... I tried Firefox 59 (2018) and it also didn't work. Will try Firefox 31 (2015) next, and if that doesn't work, then maybe the challenge is actually broken.

@bkimminich
Member

Ooookay, Firefox 31 was too old to run Juice Shop, but Firefox 50 did the trick. It successfully changes the username into CSRF via the payload from the solution. However: The challenge is not recognized as solved, because it seems the Origin header is not sent by the HTML Editor site. So, the challenge is broken in a way, just not completely... 😅

@bkimminich
Member

Okay, Firefox 50 updated itself to 56, but the attack still works. It seems instead of the Origin header just the Referer is being sent to the Juice Shop server. I'll update the challenge to accept either of them as a trigger for the challenge solution. This should then fix the missing notification.
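The fix described above, as an added example that is not part of the maintainer's comment or Juice Shop's code: decide whether the profile update arrived from another site by reading the Origin header and, when the browser sent none (as reported for Firefox 50), falling back to the Referer. The served origin (OWN_ORIGIN), lower-cased header names (as Node's http module delivers them), the "CSRF" username check and the sample requests are assumptions constructed for the example.

```javascript
// Added example (not Juice Shop's code): credit a cross-site profile change
// on either the Origin header or, when absent, the Referer header.
// Assumption: the shop is served from OWN_ORIGIN; header names are lower-case.

const OWN_ORIGIN = 'http://localhost:3000';

// Origin of the sending document, or null when neither header carries one.
function requestOrigin(headers) {
  if (headers.origin) {
    return headers.origin; // 'null' (opaque origin) is kept: it is never our own
  }
  if (!headers.referer) return null;
  try {
    return new URL(headers.referer).origin; // strip path/query, keep scheme://host:port
  } catch (_) {
    return null; // malformed Referer: treat as no evidence
  }
}

// True only when there is positive evidence of a foreign sender.
function isCrossSite(headers, ownOrigin = OWN_ORIGIN) {
  const origin = requestOrigin(headers);
  if (origin === null) return false; // no header at all: don't guess
  return origin !== ownOrigin;
}

// Challenge trigger: the username became "CSRF" and the request was cross-site.
function csrfChallengeSolved(req, ownOrigin = OWN_ORIGIN) {
  return Boolean(req.body) && req.body.username === 'CSRF' && isCrossSite(req.headers, ownOrigin);
}

// Constructed sample requests, as the server would see them.
const SAMPLES = {
  withOrigin:  { headers: { origin: 'http://htmledit.squarefree.com' }, body: { username: 'CSRF' } },
  refererOnly: { headers: { referer: 'http://htmledit.squarefree.com/' }, body: { username: 'CSRF' } },
  sameOrigin:  { headers: { referer: 'http://localhost:3000/profile' }, body: { username: 'CSRF' } },
  noHeaders:   { headers: {}, body: { username: 'CSRF' } },
};

for (const [name, req] of Object.entries(SAMPLES)) {
  console.log(name, '->', csrfChallengeSolved(req));
}
```

This credits the challenge; it is not a CSRF defence. A browser may send neither header (Referrer-Policy can suppress Referer), so a request with no evidence is simply not credited rather than treated as safe.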

@Sybrid203

Triggering the solution of the CSRF challenge on the Origin or Referer header is not working.

@niloct

niloct commented Sep 11, 2020

The notification is still missing on 12.0.1 even when the username is successfully changed via CSRF from the htmledit.squarefree.com site.

@bkimminich
Member

But you are both using a sufficiently old browser, @Sybrid203 and @niloct? Which versions exactly, so we can try to reproduce it?

@Sybrid203

Sybrid203 commented Sep 12, 2020

But you are both using a sufficiently old browser, @Sybrid203 and @niloct? Which versions exactly, so we can try to reproduce it?

@bkimminich
Actually no, I was using a recent version. I just thought the fix was to trigger the completion of the challenge through the referrer/origin header, which is not working on a recent version of Chrome. Why is that though? How are the browsers blocking these CSRF attempts, and why does this work on older versions of these browsers?

@niloct

niloct commented Sep 16, 2020

@bkimminich @Sybrid203 installing Firefox 50 did the trick. I spent more than an hour trying to make current Chrome/Firefox/Safari work on my Mac. Latest Safari almost worked (you can remove the CORS block from the Developer menu); it was missing an X-Frame-Options header from the app: [Error] Refused to display 'http://127.0.0.1:3000/profile' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.

Perhaps if the app set this it could work? I just gave up, but got the challenge accepted.

@github-actions

This thread has been automatically locked because it has not had recent activity after it was closed. 🔒 Please open a new issue for regressions or related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Sep 17, 2021