CSRF on Change Password

The application is vulnerable to CSRF attack.
URL : https://subrion.org/
Affected Application Version: Subrion CMS 4.1.5
The attacker can change the administrator password by sending a crafted request to the application on change password field.
The application is not validating the source origin of the request is coming from also CSRF token is not implemented.
Proof of concept as given below
  1. Crafted Code of Change Password of Administrator User.
  2. Crafted Request to Change the Password of Administrator.
  3. After Submitting the Request Password is Changed Successfully 

    Recommendation:

    · Apply CSRF tokens also known as X-XSRF tokens. Just applying CSRF tokens cannot fix the CSRF vulnerability. Make sure there is proper implementation of CSRF tokens as per the following rules.

    1. Apply request-based CSRF tokens instead of session-based CSRF tokens.
    2. Make sure, CSRF token leakage is not possible on the application. As the attacker might use leaked/unused CSRF tokens to perform an attack.
    3. To avoid token leakage, send the CSRF token in the separate header or in the POST body of a request, not in the cookie of the request.
    4. Make sure the application does not accept blank value as a CSRF token.
    5. Make sure the application validates the actual token, not the length of the CSRF token. Many application just validates the length of the CSRF token. The attacker will calculate the length of the CSRF token and will use any random token with the same length as a CSRF token to perform an attack.
    6. If any request without valid CSRF token comes, kick out the user out of the application.

    ·       Use the CAPTCHA where the application has crucial functions such as change password, fund transfers, add/delete something from the application, approval of requests, changing privileges of the other users in the portal and so on.


Comments

Post a Comment

Popular posts from this blog

Image
I have found Reflected Cross-Site Scripting on WolfCMS (0.8.3.1) Stable Version Vulnerable parameter is "Create New File" and "Create New Directory" It does not sanitize "Create New File" and "Create New Directory" input box from 'files' Tab and it is possible to execute a Cross-Site Scripting XSS attacks. Payload Used : <script>alert(0);</script> Please find the attached screenshot for proof of concept. Additional information Wolf CMS version: 0.8.3.1 DB type and version: MySQL - 10.1.9-MariaDB HTTP server type and version: PHP/5.6.15 When you fix the bug, please, can you include my name in the release notes when the bug will be corrected?  Name : Tushar  Kadam Email  : kadatushar@gmail.com
Read more