Cross-Site Request Forgery (CSRF) in liangliangyy/djangoblog
Jan 17th 2022
Hi there, I would like to report a Cross-Site Request Forgery in the djangoblog source code. Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same-origin policy, which is designed to prevent different websites from interfering with each other. Here it is caused by the use of a GET request for the refresh-cache URL: a state-changing action is triggered by a plain GET, which any page the admin visits can make their browser issue.
Proof of Concept
- Install a local instance of djangoblog
- Access this link: /refresh and see that all cache is cleared.
- In a real attack scenario, the attacker would feed this link to the django blog admin and, when they click it, the cache is cleared.
This vulnerability is capable of forcing the admin to clear the djangoblog cache against their will.
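To make the root cause and the fix concrete, here is an added, framework-agnostic Python illustration (not djangoblog's own code): a refresh handler that clears the cache on any GET, next to a hardened handler that refuses non-POST requests and checks a per-session synchronizer token, which is the behaviour Django's require_POST decorator and CsrfViewMiddleware provide. The Request class, CACHE dict and token field name are constructed for the example.

```python
"""Added example (not djangoblog code): GET-triggered cache refresh vs a
POST-only, CSRF-token-checked version. Request/CACHE are constructed stand-ins."""
import hmac
import secrets
from dataclasses import dataclass, field

CACHE = {"index": "rendered html"}  # constructed stand-in for the site cache


@dataclass
class Request:
    method: str
    session: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def vulnerable_refresh(request):
    """Mirrors the reported flaw: any request, including a GET from a link or
    image tag on a third-party page, clears the cache. No token is checked."""
    CACHE.clear()
    return 200


def get_csrf_token(session):
    """Synchronizer token: one random secret per session, kept server-side and
    embedded in the site's own forms. A cross-site page cannot read it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def hardened_refresh(request):
    """Refuse GET and other non-POST methods (405), and refuse any POST whose
    token does not match the session's token (403). Only then clear the cache."""
    if request.method != "POST":
        return 405
    expected = request.session.get("csrf_token")
    supplied = request.post.get("csrfmiddlewaretoken", "")
    # constant-time comparison; a missing session token is always a failure
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    CACHE.clear()
    return 200
```

Detecting this class of flaw is simple: any view whose handler mutates state without a method check or CSRF decorator should be flagged in review.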