Hello,
I am opening a new issue here about a critical vulnerability I found, since the "Security" tab in your GitHub repo is not set up for bug submissions.
Bug: Missing CSRF Token leads to 1-click Account Takeover
Description: An attacker can take over accounts (mass takeover is possible too) just by getting a logged-in user to visit a website, so only one interaction by the user is required. Once the page is opened, the victim's browser automatically sends 4 POST requests to the web app that change the victim's data (username, email address, password and profile picture) without their knowledge.
Please find attached an HTML file as a PoC for this demo. Once a user opens this HTML file (hosted as a website or opened as a local file, it doesn't matter), the account is changed to the following data:
Username: hacked
Password: hacked
Email: [email protected]
Profile picture as demonstrated in the attached video.
I would also like to mention another vulnerability which leads to this critical one.
When a user changes their password, the browser sends the following POST request:
POST /app/passwordSave HTTP/2
Host: share.catrob.at
Cookie: cookie_values_here
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Origin: https://share.catrob.at
Referer: https://share.catrob.at/app/user
oldPassword=mystrongpassword&newPassword=mynewpassword&repeatPassword=mynewpassword
There are three POST parameters (oldPassword, newPassword and repeatPassword). The problem lies in the oldPassword parameter: the server does not check whether it is present at all. So you can simply remove that parameter and set a new password without knowing the old one:
POST /app/passwordSave HTTP/2
Host: share.catrob.at
Cookie: cookie_values_here
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 54
Origin: https://share.catrob.at
Referer: https://share.catrob.at/app/user
newPassword=mynewpassword&repeatPassword=mynewpassword
This bug is also used in the HTML PoC: because the old password is never required, the forged request can set a new password without knowing it, which is what makes the 1-click account takeover possible.
Mitigation
I strongly advise implementing an anti-CSRF token for every request that changes the data mentioned above.
Make sure that oldPassword is present in the HTTP request when changing the password, and that it matches the user's current password before the new one is stored.
As defence in depth, the server can also reject state-changing requests whose Origin header is not https://share.catrob.at, since a cross-site form post carries the attacker's origin.
Video PoC:
https://user-images.githubusercontent.com/37262788/168836544-be1e4737-a872-45df-b4ad-8828a25ec2e5.mp4
HTML PoC (please change the extension to .html, since GitHub doesn't allow uploading HTML files):
catrobat_csrf_html_file.txt
Please let me know if more information is needed,
Kind regards!