Cross Site Request Forgery in Release all grades feature in autolab/autolab
Apr 24th 2022
Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.
Proof of Concept
- Install autolab and log in as admin
- Access the link
- See that all grade are released
We have seen your report and are able to reproduce the behavior that can cause the CSRF. We are working on a fix and will get back on we have it ready to go!
CSRF vulnerability fixed by changing request type from GET to POST and adding rails CSRF protection via protect_from_forgery: https://github.com/autolab/Autolab/pull/1512