Closed huntr-helper closed 3 years ago
This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.
Inspect: https://vercel.com/knownasilya1/strider/3121f5wf5
Preview: https://strider-git-fork-418sec-1-other-strider.knownasilya1.vercel.app
Thanks for this, looks good!
https://huntr.dev/users/arjunshibu has fixed the Cross-site Request Forgery (CSRF) vulnerability. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | https://github.com/418sec/strider/pull/1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/other/strider/1/README.md
User Comments:
Metadata
Bounty URL: https://www.huntr.dev/bounties/1-other-strider
Description
Strider is an Open Source Continuous Deployment / Continuous Integration platform. It is written in Node.js and Ember.js and uses MongoDB as a backing store. This platform is vulnerable to Cross-Site Request Forgery (CSRF). It allows an attacker to take over accounts, escalate privileges and delete accounts.
Technical Description
CSRF protection is implemented using the csurf middleware.
Proof of Concept (PoC)
Change email
Change password
Privilege escalation
Account deletion
Proof of Fix (PoF)
app
client
Before fix:
After fix:
User Acceptance Testing (UAT)