CSRF while creating group albums with public rights

INDEX

· What is CSRF

· Introduction about functionality

· Steps: Proof of Concept

· Impact

· How to fix

· What is CSRF (Cross-Site Request Forgery): CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With the help of social engineering (such as sending a link via email or chat), an attacker may force the user of a web application to execute actions of the attacker's choice.

This occurs when the web application cannot distinguish whether a request was initiated by the legitimate user or by a third-party site.

· Introduction about functionality: I am working on a website, let's call it "www.somesite.com". The following endpoint, "https://<URL>/action.php?mode=createalbumgroup", is used to create a group album with public access.

Look at this request and you will see that it has no CSRF checks or tokens whatsoever, which allows a malicious user to create a group album in your account.

[screenshot: the createalbumgroup request]

· Steps: Proof of Concept

1. Click on the album icon and select "Add to group" while the Burp intercept is on. The intercepted request is shown in the screenshot below.

[screenshot: intercepted request]

2. While checking the intercepted request, I saw four parameters travelling in the body:

· alid = album id

[screenshot: request body parameters]

· albumgroupname = which I took the same as in the intercepted request.

· albumgroupname = name of the album, which may be chosen by the attacker; in this case I chose the album name "TRACKED".

· albumgroupid = which I took as the default from the intercepted request.

3. Taking the above request as reference, I created the CSRF PoC, which carries all the parameters in hidden form fields as shown in the screenshot below, and saved it as csrf.html.

[screenshot: csrf.html PoC form]

4. Open this file in the browser and click on the submit button.

5. When I open "somesite.com" in a new tab, I can see that the album "TRACKED" has been created.

[screenshot: album "TRACKED" created in the victim account]

· How to fix:

1. Add a CSRF token to verify that the request is coming from the legitimate user.

2. You can also verify the request using the Referer header.

3. The SameSite cookie attribute can also be used.
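The following Python module is an added example (not code from the write-up or from the site it describes) that models both halves of the post: a handler that behaves like the unprotected createalbumgroup endpoint, accepting any POST that arrives with a valid session cookie, and a hardened handler that applies the three fixes above (a session-bound CSRF token, an Origin/Referer check, and a SameSite cookie). The session id, secret, form values and the attacker origin are all constructed for the example; the site origin is the placeholder host from the write-up.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.somesite.com"   # placeholder host used in the write-up
SERVER_SECRET = secrets.token_bytes(32)    # constructed: per-process key for token MACs


def issue_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to the session (HMAC over the session id).
    The real site would render this into a hidden field of its own form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Fix 1: the submitted token must match the session-bound token (constant-time)."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def origin_is_trusted(headers: dict) -> bool:
    """Fix 2: Origin (preferred) or Referer must name the site's own origin.
    A form POST from a browser carries at least one of them; if both are
    missing the request is rejected rather than assumed safe."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def session_cookie_header(session_id: str) -> str:
    """Fix 3: SameSite=Lax keeps the browser from attaching the session
    cookie to a cross-site POST such as the one csrf.html sends."""
    return f"PHPSESSID={session_id}; Secure; HttpOnly; SameSite=Lax"


def create_album_group_vulnerable(request: dict, session_id: str) -> bool:
    """Behaviour the write-up describes: a valid session cookie is the only check."""
    return request["cookie_session"] == session_id and "alid" in request["form"]


def create_album_group_hardened(request: dict, session_id: str) -> bool:
    """Same action with the session check plus fixes 1 and 2 applied."""
    form = request["form"]
    if request["cookie_session"] != session_id:
        return False
    if not origin_is_trusted(request["headers"]):
        return False
    if not token_is_valid(session_id, form.get("csrf_token")):
        return False
    return "alid" in form


SESSION = "s3ss10n-constructed"

# Constructed: the forged POST produced by csrf.html on a third-party page.
# The browser attaches the victim's cookie, but the page never saw a token and
# Origin/Referer point at the attacker's site.
FORGED_REQUEST = {
    "headers": {"Origin": "https://attacker.example",
                "Referer": "https://attacker.example/csrf.html"},
    "cookie_session": SESSION,
    "form": {"alid": "1234", "albumgroupname": "TRACKED", "albumgroupid": "0"},
}

# Constructed: the same action submitted from the site's own album page.
LEGIT_REQUEST = {
    "headers": {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/album.php"},
    "cookie_session": SESSION,
    "form": {"alid": "1234", "albumgroupname": "TRACKED", "albumgroupid": "0",
             "csrf_token": issue_csrf_token(SESSION)},
}

if __name__ == "__main__":
    print("vulnerable handler, forged request:", create_album_group_vulnerable(FORGED_REQUEST, SESSION))
    print("hardened handler, forged request:  ", create_album_group_hardened(FORGED_REQUEST, SESSION))
    print("hardened handler, legit request:   ", create_album_group_hardened(LEGIT_REQUEST, SESSION))
    print("Set-Cookie:", session_cookie_header(SESSION))
```

The token check alone is sufficient to stop the forged request; the Origin/Referer check and the SameSite attribute are defence in depth, which matters because Referer can be stripped by privacy settings and SameSite depends on browser support, so neither should be the only control.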

Written by

Security enthusiast working to secure web for others https://twitter.com/BoredSecEngg
