Cross-Site Request Forgery (CSRF) in tuhinshubhra/extanalysis


Reported on

Apr 3rd 2020


The ExtAnalysis project is vulnerable to several CSRF issues that could lead to loss of functionality and to placement of malicious files in arbitrary directories without the victim's knowledge.

Proof of Concept (Credit: Mik317)

  1. Download the git project and run the server with the python2 command
  2. Host the following code on a malicious page
  <!-- Downloads the Gmass extension into the `Desktop` folder. Fix: avoid `../`, add CSRF token -->
  <!-- Deletes all the logs without the victim's knowledge. Fix: add CSRF token -->
  <img src="" />
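A defender-side illustration of the two fixes named in the comments above (a per-session CSRF token checked before any state change, and confining the destination of the extension download to a fixed directory so `../` cannot escape it). This is added example code, not part of the report or of ExtAnalysis itself; the `Session` stand-in, the handler names and the `downloads` base directory are assumptions.

```python
import hmac
import secrets
from pathlib import Path


class Session(dict):
    """Constructed stand-in for a server-side session store (assumption:
    ExtAnalysis' real session handling is not shown on the page)."""


def issue_csrf_token(session):
    """Mint a random per-session token; the UI must echo it on state-changing requests.
    A cross-origin <img> or form cannot read it, so a forged request cannot supply it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison; a missing, empty or foreign token rejects the request."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def resolve_inside(base_dir, user_path):
    """Return an absolute path guaranteed to sit under base_dir, or None when
    user_path (e.g. '../Desktop' or an absolute path) would escape it."""
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def handle_download(session, submitted_token, requested_dir, base_dir="downloads"):
    """Hardened 'download extension into a directory' action: both checks run
    before anything touches disk. Returns a status string instead of writing files."""
    if not csrf_token_valid(session, submitted_token):
        return "rejected: bad csrf token"
    target = resolve_inside(base_dir, requested_dir)
    if target is None:
        return "rejected: path escapes download directory"
    return f"ok: would save under {target}"


def handle_clear_logs(session, submitted_token, log_lines):
    """Hardened 'delete all logs' action: the log list is only emptied after the token check."""
    if not csrf_token_valid(session, submitted_token):
        return log_lines
    return []
```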