Cross-Site Request Forgery (CSRF) in babybuddy/babybuddy
Jun 18th 2021
The user/reset-api-key/ endpoint has no CSRF protection. An attacker could exploit this to change the API key without the admin actually requesting a change.
🕵️‍♂️ Proof of Concept
For the following attack to work, the admin (victim) must be logged into their account. The victim is then tricked by the attacker into visiting a malicious page containing the following HTML.

<html>
  <body>
    <a href="http://demo.baby-buddy.net/user/reset-api-key/">Click Here</a>
  </body>
</html>
When the user clicks the link, the API key is reset without the victim actually having requested a change.
Since the API key is changed without the user requesting it, this can affect the user's experience and may cause failures in other applications that use this API key.
This attack could easily be prevented by requiring a valid CSRF token before the key is reset.
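The following is an added example illustrating the defect and the fix described above; it is not code from Baby Buddy. The Request, Session and User classes are constructed stand-ins for a web framework's request, session and user objects, and the function names (reset_api_key_vulnerable, reset_api_key_hardened, csrf_token_is_valid) are hypothetical. The vulnerable handler rotates the key on any request that reaches the URL, which is why a plain cross-site link suffices; the hardened handler only accepts a POST carrying a synchronizer token that matches the one stored in the victim's own session, something a page on another origin cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed stand-ins for framework objects (assumption: not Baby Buddy's models).
@dataclass
class Session:
    user_id: int
    # Per-session secret; the legitimate settings page embeds it in its form.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class User:
    id: int
    api_key: str = field(default_factory=lambda: secrets.token_hex(20))


@dataclass
class Request:
    method: str
    session: Session                              # browser sent the session cookie
    form: dict = field(default_factory=dict)      # parsed body fields, if any


def new_api_key() -> str:
    return secrets.token_hex(20)


def reset_api_key_vulnerable(request: Request, user: User) -> int:
    """Pattern reported above: reaching the URL is enough to rotate the key.

    A cross-site <a> or <img> pointing at the endpoint triggers this, because
    the browser attaches the victim's session cookie automatically.
    """
    user.api_key = new_api_key()
    return 302  # redirect back to the settings page


def csrf_token_is_valid(request: Request) -> bool:
    """Synchronizer-token check: the submitted token must equal the session's.

    Compared in constant time; bytes are used so non-ASCII input cannot raise.
    """
    submitted = request.form.get("csrfmiddlewaretoken", "")
    return hmac.compare_digest(submitted.encode(), request.session.csrf_token.encode())


def reset_api_key_hardened(request: Request, user: User) -> int:
    """Same action, but only for a POST that carries the session's CSRF token."""
    # A state change must not be reachable via GET: a link or image tag alone
    # would otherwise perform it.
    if request.method != "POST":
        return 405
    # The token lives in the victim's session and is never readable cross-origin,
    # so a forged request cannot supply it.
    if not csrf_token_is_valid(request):
        return 403
    user.api_key = new_api_key()
    return 302


def render_reset_form(session: Session) -> str:
    """What the legitimate settings page would emit (constructed markup)."""
    return (
        '<form method="post" action="/user/reset-api-key/">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{session.csrf_token}">'
        '<button type="submit">Regenerate API key</button></form>'
    )


if __name__ == "__main__":
    user = User(id=1)
    session = Session(user_id=user.id)
    print("vulnerable GET ->", reset_api_key_vulnerable(Request("GET", session), user))
    print("hardened GET   ->", reset_api_key_hardened(Request("GET", session), user))
    print("hardened POST, no token ->", reset_api_key_hardened(Request("POST", session), user))
    legit = Request("POST", session, {"csrfmiddlewaretoken": session.csrf_token})
    print("hardened POST, valid token ->", reset_api_key_hardened(legit, user))
```

In a Django application such as Baby Buddy the same two conditions are expressed with the framework's own pieces rather than hand-rolled code: decorating the view with django.views.decorators.http.require_POST (or implementing only post() on a class-based view) and submitting the reset from a form that includes the {% csrf_token %} tag, which CsrfViewMiddleware then verifies.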