Skip to content
This repository was archived by the owner on Dec 1, 2025. It is now read-only.

Security Fix for POST-based CSRF "project wide" - huntr.dev#810

Open
huntr-helper wants to merge 3 commits intosdelements:masterfrom
418sec:master
Open

Security Fix for POST-based CSRF "project wide" - huntr.dev#810
huntr-helper wants to merge 3 commits intosdelements:masterfrom
418sec:master

Conversation

@huntr-helper
Copy link

@huntr-helper huntr-helper commented Sep 4, 2020

https://huntr.dev/users/alromh87 has fixed the POST-based CSRF "project wide" vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/npm/lets-chat/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-npm-lets-chat/

⚙️ Description *

Fix CSRF by requiring csrf token for authenticated post routes

💻 Technical Description *

CSRF Token is created during loggin and stored in session, then the token is sent and validated during authorized POST request, if correct token is not provided reuqest is denied.

🐛 Proof of Concept (PoC) *

Install the chat
Create a new user and login
Create a malicious file containing the following CSRF PoC:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localtest.me:5000/account/profile" method="POST">
      <input type="hidden" name="display&#45;name" value="HACKED" />
      <input type="hidden" name="first&#45;name" value="HACKED;" />
      <input type="hidden" name="last&#45;name" value="HACKED" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Victim opens the crafted file) and it's name/display name are changed:

Captura de pantalla de 2020-08-31 23-31-47

Captura de pantalla de 2020-08-31 23-32-30

POC for regenerating keys:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localtest.me:5000/account/token/generate" method="POST">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Opening this the api key created before will be deleted and another one created (invalidates previously connected applications)
Captura de pantalla de 2020-08-31 23-32-15

🔥 Proof of Fix (PoF) *

Request are now flagged as Unauthorized

Captura de pantalla de 2020-08-31 23-30-29
Captura de pantalla de 2020-08-31 23-30-14

👍 User Acceptance Testing (UAT)

Application continue working normally:

Captura de pantalla de 2020-08-31 23-41-35

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@huntr-helper @alromh87 @JamieSlome