Cross-Site Request Forgery (CSRF) in erudika/scoold
Jun 20th 2021
The /voteup/question/* endpoint has no CSRF protection. An attacker could exploit this to manipulate the votes on a question.
Proof of Concept
An attacker creates the following web page and sends a link to a logged-in user.

```html
<!-- PoC.html -->
<html>
  <head>
    <meta name="referrer" content="no-referrer">
  </head>
  <body>
    <a href="https://live.scoold.com/voteup/question/1279016709126098944">Click Here</a>
  </body>
</html>
```
When an authenticated user clicks the link, the browser sends the user's session cookie with the GET request and a vote is cast on the user's behalf without their knowledge.

This attack could easily be prevented by accepting the vote only on a POST request that carries a valid CSRF token.
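The following is an added example, not code from the scoold project, showing the mitigation described above as a minimal Python handler: the vote is applied only on a POST whose `_csrf` form field matches the token bound to the caller's session, so the GET link from the PoC page is rejected even though the browser attaches the session cookie. The session store, field name and handler signature are assumptions for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store for this example; a real application
# keeps sessions server-side and ties the CSRF token to the session, as here.
SESSIONS = {}


def new_session(user_id):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user_id, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the server embeds in its own vote form for this session."""
    return SESSIONS[sid]["csrf"]


def handle_voteup(method, cookies, form, votes, question_id):
    """Hardened /voteup/question/<id> handler. Returns (status, message).

    The vote is recorded only when all three hold:
    - the request is a POST (a plain link can only issue a GET),
    - the session cookie maps to a logged-in user, and
    - the submitted _csrf field equals the session's token (constant-time compare).
    """
    if method != "POST":
        return 405, "state-changing request must be POST"
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("_csrf", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    votes[question_id] = votes.get(question_id, 0) + 1
    return 200, "vote recorded"


if __name__ == "__main__":
    sid = new_session("alice")
    tally = {}
    qid = "1279016709126098944"  # question id from the PoC link
    # The PoC: cross-site GET with the victim's cookie but no token -> rejected.
    print(handle_voteup("GET", {"session": sid}, {}, tally, qid))
    # Legitimate vote from the site's own form, carrying the session's token.
    print(handle_voteup("POST", {"session": sid}, {"_csrf": csrf_token_for(sid)}, tally, qid))
    print(tally)
```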