CSRF Logout in aptabase/aptabase
Aug 5th 2023
Bad actor can send to victims link (ie. obfuscated) with payload /signout and when victims will use it - can change the state of user (logged in/logged out).
Proof of Concept
Payload: https://eu.aptabase.com/api/_auth/signout Repro steps: As logged in user https://eu.aptabase.com/ open new browser tab and use, paste link https://eu.aptabase.com/api/_auth/signout , see logged out, refresh previous tab - the same Logged out.
Payload example: Please click<a href="https://eu.aptabase.com/api/_auth/signout "> for a SWAGpack from us.
Proposed remediation: CSRF tokens; POST instead of GET for endpoint
Changing the state of user (logged in -> logged out).