Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy

Valid

Reported on

Jun 18th 2021


✍️ Description

The user/reset-api-key/ endpoint has no CSRF protection. An attacker could exploit this to change the admin's API key without the admin actually requesting a change.

🕵️‍♂️ Proof of Concept

For the following attack to work, the admin (victim) must be logged into their account. The attacker then tricks the victim into visiting a malicious page containing the following HTML.

<html>
<body>
<a href="http://demo.baby-buddy.net/user/reset-api-key/">Click Here</a>
</body>
</html>

When the user clicks the link, the API key is reset without the victim actually having requested a change.

💥 Impact

Since the API key is changed without the user requesting it, this can affect the user's experience and may cause failures in other applications that use this API key.

Prevention

This attack could easily be prevented by requiring a valid CSRF token to validate the request that resets the key.
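The following is an added example, not code from the Baby Buddy project or from the report, showing the weak handler next to a hardened one and replaying the report's scenario against both. The User and Session classes, the handler signatures and the simulate helpers are stand-ins constructed for this example; only the csrfmiddlewaretoken field name mirrors Django's form field. The hardened version applies the two checks the Prevention section calls for: the key only changes on a POST, and only when the submitted token matches the token held in the victim's own session.

```python
import hmac
import secrets


# Constructed stand-ins for a user record and a server-side session (assumptions for
# this example; Baby Buddy's real models and session handling are not reproduced here).
class User:
    def __init__(self):
        self.api_key = secrets.token_hex(20)


class Session:
    def __init__(self):
        # One anti-CSRF token per session; the real settings page embeds it in its form.
        self.csrf_token = secrets.token_urlsafe(32)


def reset_api_key_vulnerable(method, session, form, user):
    """Weak handler: any request reaching the URL resets the key, so a GET caused by
    a link on another site succeeds because the browser attaches the victim's cookies."""
    user.api_key = secrets.token_hex(20)
    return 302  # redirect back to the settings page


def reset_api_key_protected(method, session, form, user):
    """Hardened handler: the key changes only on POST, and only when the submitted
    token matches the one stored in the requesting user's own session."""
    if method != "POST":
        return 405  # a state change never happens on GET
    submitted = form.get("csrfmiddlewaretoken", "")
    # Constant-time comparison so the token cannot be recovered through timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return 403
    user.api_key = secrets.token_hex(20)
    return 302


def simulate(view, method, form, use_real_token=False):
    """Run one request against a fresh logged-in user and report (status, key_changed)."""
    user, session = User(), Session()
    if use_real_token:
        form = {"csrfmiddlewaretoken": session.csrf_token}
    before = user.api_key
    status = view(method, session, form, user)
    return status, user.api_key != before


def cross_site_link_click(view):
    """The report's PoC: a plain GET with no form body, cookies attached by the browser."""
    return simulate(view, "GET", {})


def cross_site_post(view):
    """A POST from another origin: that page cannot read the victim's token, so the
    field is missing or wrong."""
    return simulate(view, "POST", {"csrfmiddlewaretoken": "wrong-token"})


def legitimate_post(view):
    """A POST from the real settings page, which embedded the session's own token."""
    return simulate(view, "POST", {}, use_real_token=True)


if __name__ == "__main__":
    for name, view in (("vulnerable", reset_api_key_vulnerable),
                       ("protected", reset_api_key_protected)):
        print(name,
              "link click:", cross_site_link_click(view),
              "cross-site POST:", cross_site_post(view),
              "legitimate POST:", legitimate_post(view))
```

Running the block shows the vulnerable handler changing the key on every request, while the protected one answers 405 to the PoC's GET, 403 to a POST carrying the wrong token, and only resets the key for the form served to the logged-in user. In Django the same effect comes from requiring POST on the view (django.views.decorators.http.require_POST) and leaving CsrfViewMiddleware enabled: that middleware only checks unsafe methods, so a GET that changes state sidesteps it entirely.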

Occurrences

References

Christopher Charbonneau Wells validated this vulnerability 6 months ago
Oomb has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christopher Charbonneau Wells confirmed that a fix has been merged on 1689bc 5 months ago
Christopher Charbonneau Wells has been awarded the fix bounty