CSRF while creating group albums with public rights
INDEX
· What is CSRF
· Introduction about functionality
· Steps: Proof of Concept
· Impact
· How to fix
· What is CSRF (Cross-Site Request Forgery): CSRF is an attack that forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With the help of social engineering (like sending a link via email/chat), an attacker may force the user of a web application to execute actions of the attacker’s choice.
This occurs when the web application cannot distinguish whether a request was initiated by the legitimate user or by a third-party site.
· Introduction about functionality: I am working on a website, let’s call it “www.somesite.com”. The endpoint “https://<URL>/action.php?mode=createalbumgroup” is used to create a group album with public access.
Look at this request and you will find that it has no CSRF checks or tokens whatsoever, which allows a malicious user to create a group album in your account.
· Steps: Proof of Concept
1) Click on the album icon and select “Add to group” while Burp intercept is on. The intercepted request is shown in the image below.
2) While examining the intercepted request, I saw 4 parameters travelling in the body:
· alid = album id
· albumgroupname = kept the same as in the intercepted request.
· albumgroupname = name of the album, which may be chosen by the attacker; in this case I chose the album name “TRACKED”.
· albumgroupid = kept at the default value from the intercepted request.
3) Taking the above request as a reference, I created a CSRF PoC in which all the parameters are hidden fields, as shown in the image below, and saved it as csrf.html.
4) Open this file in the browser and click on the submit button.
5) Opening “somesite.com” in a new tab, I can see that the album “TRACKED” has been created.
· How to fix:
1. Add a CSRF token and verify it server-side, so the request is confirmed to come from the legitimate user’s own page.
2. You can also verify the request using the Origin/Referer header.
3. Set the SameSite attribute on the session cookie as well.
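The three fixes above, worked through as an added example (not the site’s own action.php code): a per-session synchronizer token, an Origin/Referer allow-list, and a SameSite session cookie. The secret, session id, form field names other than those seen in the intercepted request, and the allowed origin are assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlparse

SECRET_KEY = b"replace-with-a-random-server-side-secret"  # assumed placeholder
ALLOWED_ORIGIN = "https://www.somesite.com"                 # assumed site origin


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session; embed it in the form as a hidden field."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Defence in depth: accept only requests whose Origin (or Referer) is our own site.
    A request carrying neither header is rejected rather than trusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    p = urlparse(source)
    return f"{p.scheme}://{p.netloc}" == ALLOWED_ORIGIN


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: SameSite=Lax stops the cookie being sent on
    cross-site POSTs such as the auto-submitted csrf.html form."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def create_album_group(session_id: str, headers: dict, form: dict) -> tuple:
    """Hardened handler for mode=createalbumgroup. Returns (status, message)."""
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return (403, "missing or invalid CSRF token")
    if not origin_allowed(headers):
        return (403, "cross-origin request rejected")
    return (200, f"album group '{form.get('albumgroupname')}' created for alid={form.get('alid')}")


if __name__ == "__main__":
    sid = "sess-123"  # constructed session id
    legit = {"alid": "42", "albumgroupname": "holiday", "csrf_token": issue_csrf_token(sid)}
    print(create_album_group(sid, {"Origin": ALLOWED_ORIGIN}, legit))
    forged = {"alid": "42", "albumgroupname": "TRACKED"}  # no token, as in the PoC
    print(create_album_group(sid, {"Referer": "https://attacker.example/csrf.html"}, forged))
```

Browsers may omit the Referer header entirely (privacy settings, `Referrer-Policy`), so the header check is a secondary control; the token check is the one that must never be skipped.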