Volmarg / personal-management-system

Your web application for managing personal data. personal.management.system.inbox@gmail.com
http://personal-management-system.pl/
MIT License

Security Issue #70

Closed am0o0 closed 3 years ago

am0o0 commented 3 years ago

Hi dear Dariusz, I am Amammad, a bug bounty hunter from Huntr.dev. I found some vulnerabilities in this repository and I just want to ask you to look at those and, if they are correct, validate them, so that I can be sure I was not wrong. After validation the disclosure waits for a fix pull request, and until then the vulnerabilities will not be shown. With regards, your little friend Amammad.

am0o0 commented 3 years ago


Volmarg commented 3 years ago

Hello,

Not able to respond to everything up to date.

You can send them to the personal.management.system.pms@gmail.com

am0o0 commented 3 years ago

Yeah sure, on huntr.dev you can already manage disclosures easily. Can I send the disclosure links to this email so you can validate them after checking?

Volmarg commented 3 years ago

I did receive some mail, but it contains only links to the main page. Please provide direct links to the issue.

am0o0 commented 3 years ago

https://huntr.dev/bounties/6bf917d0-8790-4c0d-91d9-22ab4d5f49b3/ https://huntr.dev/bounties/e1a79925-7d7f-4752-ad5b-b34a6aabc57f/ https://huntr.dev/bounties/35255fb8-6176-4550-a31a-9e11391fa31f/ https://huntr.dev/bounties/2a89e8d0-e411-4659-a7ad-b10e7526a182/ https://huntr.dev/bounties/789a6422-ad67-476d-8940-23695db07b6a/ https://huntr.dev/bounties/90b2e982-f71d-4d42-afad-0789187ed1fe/

https://huntr.dev/bounties/60900be9-5bd3-48ee-940f-384f858ee139/ https://huntr.dev/bounties/79d84fa8-df8a-4a98-9d37-3e677efdc706/ https://huntr.dev/bounties/b8bbcb26-f76c-4383-8663-07665ca52e9b/ https://huntr.dev/bounties/6e031de3-5f64-4ace-9b5a-588d96d1d2f0/ https://huntr.dev/bounties/4109dfd4-4c9e-4ecd-8ad0-afcf716047d7/

https://huntr.dev/bounties/3a96aa57-b8ac-4ade-abde-407541fbca01/ https://huntr.dev/bounties/36a9a1be-9850-42c6-b28a-e9721169a512/


am0o0 commented 3 years ago

I'm so sorry, I sent these again to your Gmail.

Volmarg commented 3 years ago

That's not it. It's blurry; I will need the magic link that you people have there.

am0o0 commented 3 years ago

You must log in with your GitHub account first. I guess there is only one link; let me ask the Huntr team.

am0o0 commented 3 years ago

Hi again my friend. If there is any problem, just tell me so I can solve it.

am0o0 commented 3 years ago

Hi again dear Volmarg. I apologize for bothering you with many messages in this issue. If you think there is no impact for these CSRF vulnerabilities that I found, please tell me and I will explain more exactly for you. Your friend Amammad.

Volmarg commented 3 years ago

The thing is I won't register there, I've got personal reasons. That's why I ask for magical links. Just ask them how to generate it, maybe, because I've received these already a few times.

But I don't really think there is any CSRF issue, as the login form has CSRF protection and you need to pass through it to go further. Besides, this should never happen, as the project should not be available over the internet (that's the idea of it), nor should it be presented to other people.

So I doubt if there is any CSRF problem with my way of thinking.

am0o0 commented 3 years ago

I sent your message to the Huntr team, and after they answer I will give you the results, or they will themselves talk with you about the local issue that you already mentioned. I can assure you that if the admin of the application is logged in within the browser (whether local or web hosting), then it is enough for the attacker to know the IP, which may be 127.0.0.1 or a public IP, or the domain name, which may be localhost or something else, to attack admins (users) with CSRF.

am0o0 commented 3 years ago

Hey Volmarg, how are you my friend? If you don't have time for fixing these vulnerabilities, I can do it for you. Or the easy way is to set all cookies in your app with the Strict attribute; then all of the CSRF problems in your app will be fixed.

Volmarg commented 3 years ago

Hey, I saw that issue link. I hardly understand what you mean by that cookie. But I understand the issue, I won't mind having the fix introduced, I can check it later on when ready.

am0o0 commented 3 years ago

SOP indicates that we can write by default, and so with POST and GET methods we can attack with CSRF if there isn't any CSRF token or any SameSite attribute on the cookies.

CORS is for interactive situations and also for methods for which browsers use a preflight (OPTIONS method), so for simple POST and GET, CORS can't provide any protection. The easiest way for developers, and especially for self-hosted applications, is to set the SameSite attribute of cookies to Lax or Strict; after that nobody is able to use your cookies with any cross-site requests. Also I ask you (really ask you): if you accept these vulnerabilities, just validate them, and then when you have enough time you can fix them as well; until that time these CSRF issues will not be disclosed.

am0o0 commented 3 years ago

And also, according to your explanations in the huntr.dev comments, I'm so sorry for my bad report that didn't tell you how to reproduce the attack with clear steps. Also, as you got the point yourself, CSRF is a CWE-listed [1] vulnerability and is accepted from bug hunters in all big bug bounty programs. Again, accept my apologies for taking your valuable time.

[1]https://cwe.mitre.org/data/definitions/352.html

Volmarg commented 3 years ago

Nah, no problem. Let me know if you want to handle that cookie thingy.

am0o0 commented 3 years ago

I just found out you use js-cookie for managing your nice application's cookies. I haven't any experience in Laravel or js-cookie, so I just found this for you: https://github.com/js-cookie/js-cookie#samesite . If you look at this reference, you can see in their example how simply you can set the cookie SameSite attribute to Strict. Excuse me for taking your time.

Volmarg commented 3 years ago

I found time today to sit over it, and I found a reason to rather reject this.

I mean you are correct with what you wrote, up to some point.

  1. You have to be logged in to be able to call the removal via a prefabricated form etc.,
  2. I agree that you can do it IF you are on the same browser,
  3. But if you really wanted to attack someone, you would still need to pass the login form.

So:

But:

So my conclusion here is that if someone has the session or the CSRF token at this point, then no protection will help you. Also "origin-self" etc. makes no sense now, because you are "self" now. I mean, the remote attack makes no sense here anymore, because you already have the access.

I will close this, as that's an over-implementation here. I appreciate you pointing out the possible issue, but the more I think of it, the less this kind of check makes sense to me.


am0o0 commented 3 years ago

https://user-images.githubusercontent.com/77095239/128591506-8fd62f8a-8d48-421b-af3e-4284d0095675.mp4

Hello dear, in here:

  1. You got to be logged in to be able to call the removal via prefabricated form etc.,
  2. I agree that You can do it IF You are on the same browser
  3. But If You really would want to attack someone You still need to pass the login form

the third point is totally incorrect; again, I apologize for my bad explanation about CSRF attacks. Each CSRF token only and only protects the page on which it exists; this means that if you set a CSRF token for the login page (the login page does not need any CSRF token), you can't protect the other pages after login. According to my PoC video, I am able to delete any contact (here the contacts with id 4 and 5, named dorris and tira, and all ids can be included) just by visiting a site that includes my payload (attacker site). Also, here is the PoC for testing (you can change the contact id in the URL mentioned in the PoC): CSRF_POC.txt. For more, you can read this useful link: https://portswigger.net/web-security/csrf
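The two defences argued over in this thread (a SameSite attribute on the session cookie, and a per-request CSRF token on every state-changing route rather than only on the login form) are modelled below. This is an added example, not code from personal-management-system or from either participant; the route `/contacts/delete`, the `id` and `_token` fields, the session id `sid-123`, the token `tok-9f2c` and the contacts table are all hypothetical, constructed for the example. It simulates a logged-in victim visiting an attacker page that auto-submits a POST form, and shows which combinations of cookie attribute and server-side check let the deletion through.

```javascript
// Added example, not code from personal-management-system. Models the two CSRF
// defences discussed in the thread: a SameSite attribute on the session cookie
// (browser side) and a per-request CSRF token checked on every state-changing
// route (server side). Route, field, cookie and token names are hypothetical;
// the session store and contacts table are constructed data.

// Browser side: is a cookie with the given SameSite attribute attached to a
// request? Follows the SameSite rules browsers implement.
function cookieIsSent({ sameSite, crossSite, method, topLevelNavigation }) {
  if (!crossSite) return true;            // same-site requests always carry it
  switch (sameSite) {
    case 'Strict':
      return false;                       // never on cross-site requests
    case 'Lax':
      // only on cross-site top-level navigations that use a safe method
      return topLevelNavigation && method === 'GET';
    default:
      return true;                        // SameSite=None (with Secure), or legacy no-attribute behaviour
  }
}

// Server side: one logged-in session and a few contacts (constructed data).
function makeServer() {
  return {
    sessions: new Map([['sid-123', { user: 'admin', csrfToken: 'tok-9f2c' }]]),
    contacts: new Map([[4, 'dorris'], [5, 'tira'], [6, 'bob']]),
  };
}

// Vulnerable handler: trusts the session cookie alone. A token on the login
// form does nothing for this route; only a check on this request counts.
function deleteContactCookieOnly(server, req) {
  const session = server.sessions.get(req.cookies.session);
  if (!session) return { status: 401 };
  return { status: server.contacts.delete(Number(req.body.id)) ? 200 : 404 };
}

// Hardened handler: same cookie check, plus a per-session token that must be
// posted with the request. A page on another site cannot read that token.
function deleteContactWithToken(server, req) {
  const session = server.sessions.get(req.cookies.session);
  if (!session) return { status: 401 };
  if (req.method !== 'POST' || req.body._token !== session.csrfToken) {
    return { status: 403 };
  }
  return { status: server.contacts.delete(Number(req.body.id)) ? 200 : 404 };
}

// A logged-in victim visits an attacker page that auto-submits a POST form to
// /contacts/delete with a guessed id. A form submission is a top-level
// navigation, so SameSite=Lax still withholds the cookie because it is a POST.
function simulateCrossSiteDelete({ sameSite, handler, id = 4 }) {
  const server = makeServer();
  const sent = cookieIsSent({ sameSite, crossSite: true, method: 'POST', topLevelNavigation: true });
  const req = {
    method: 'POST',
    path: '/contacts/delete',             // hypothetical route
    cookies: sent ? { session: 'sid-123' } : {},
    body: { id: String(id) },             // no _token: the attacker cannot know it
  };
  const { status } = handler(server, req);
  return { status, contactRemains: server.contacts.has(id) };
}

// The legitimate request from the app's own form: same-site, token included.
function simulateSameSiteDelete({ handler, id = 4 }) {
  const server = makeServer();
  const req = {
    method: 'POST',
    path: '/contacts/delete',
    cookies: { session: 'sid-123' },      // same-site: sent under any SameSite value
    body: { id: String(id), _token: 'tok-9f2c' },
  };
  const { status } = handler(server, req);
  return { status, contactRemains: server.contacts.has(id) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('cookie only, SameSite=None:', simulateCrossSiteDelete({ sameSite: 'None', handler: deleteContactCookieOnly }));
  console.log('cookie only, SameSite=Lax: ', simulateCrossSiteDelete({ sameSite: 'Lax', handler: deleteContactCookieOnly }));
  console.log('token check, SameSite=None:', simulateCrossSiteDelete({ sameSite: 'None', handler: deleteContactWithToken }));
  console.log('legitimate same-site post: ', simulateSameSiteDelete({ handler: deleteContactWithToken }));
}
```

Two caveats for anyone applying this to a real deployment. The attribute has to be set on the session cookie the server issues (for a PHP/Symfony app that is the framework's session cookie configuration); a client-side library such as js-cookie only affects cookies written from JavaScript. And Chromium's Lax-by-default treatment of cookies that carry no SameSite attribute includes a two-minute "Lax+POST" exception, so a freshly issued cookie can still ride on a cross-site POST unless the attribute is set explicitly. The per-request token check remains the defence that does not depend on browser behaviour.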

am0o0 commented 3 years ago

Hello sir, can I ask you to give me any feedback? Feel free to ask me any question that is hard for you to get, or if you haven't enough time to work on it... I have reported many CSRFs to many open source applications, from small ones to big ones; you can see them in my huntr.dev profile, and your nice application is the first for which I recorded a video for the maintainer, to give you this reassurance that the vulns are correct. So please don't have doubt that I just want to come to report some vulns to get some bounty.

with regards, amammad.

https://huntr.dev/users/amammad

am0o0 commented 3 years ago

Dear Volmarg, can I ask you to check again the PoC video that I sent here? Best regards, Amammad.