📜 Description

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform (using form submissions). It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

In your application, CSRF vulnerability occurs when an administrator click on the malicious link and logs in.

🕵️ Proof of Concept

1. Send a malicious link or redirect the admin to : https://demo.froxlor.org/index.php?script=admin_domains.php&qrystr=%26page%3Dsslcertificates%26action%3Ddelete%26id%3D1 (id=1).
2. The admin logs in and automatically delete the SSL certificate with the ID n°1.

🔐 Mitigations

The most robust way to defend against CSRF attacks is to include a CSRF token within relevant requests. The token should be:

• Unpredictable with high entropy, as for session tokens in general.
• Tied to the user's session.
• Strictly validated in every case before the relevant action is executed.

Example of an HTML form that uses a CSRF token :

<form action="/profile" method="POST">
    <input type="text" name="name" value="">
    <input type="email" name="email" value="">
    <input type="hidden" name="csrf" value="d192140e2f1db42d60e508731b4095c08447c985c34a3b7a580e88e5c8b1d9a5">
</form>

📚 References

• PortSwigger - Cross-site request forgery (CSRF)
• PortSwigger - CSRF Tokens

Impact

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account.

In your application, the CSRF attack causes a SSL certificate deletion, this can be harmful to the availability of applications.