cedricbonhomme / freshermeat

An open source software directory and release tracker.
https://open-source-security-software.net
GNU Affero General Public License v3.0

Security Vulnerability Report: CSRF protection missing #48

Closed FHantke closed 3 months ago

FHantke commented 3 months ago

Hello freshermeat developers,

We are a cybersecurity research group from the CISPA Helmholtz Center for Information Security and Ca’ Foscari University of Venice. We recently conducted an analysis of the session management in web applications on GitHub as part of our research. We have discovered a security vulnerability in your code that we believe requires your attention.

Vulnerability Description:

With our analysis, we have identified that your application is not using CSRF protected FlaskForms on all sensitive endpoints. For example, the delete_user view is not protected, allowing an attacker to craft a CSRF payload that may force a target admin user to delete an attacker's chosen user. This even works if you use lax SameSite cookies, because the endpoint is implemented on top of a GET request.

Example exploit:

<html>
  <body>
    <form action="https://<domain>/user/delete/<user_id>" method="GET">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Recommendation for Mitigation:

We recommend using flask_wtf’s CSRFProtect in your application as it activates CSRF protection globally. You can still exclude individual views if necessary.

https://flask-wtf.readthedocs.io/en/0.15.x/csrf/#setup

We hope this notification helps improve your security.

In addition to addressing this issue, we are interested in understanding how this vulnerability was introduced in the code or why it has remained unchanged. This information can provide valuable insights into common security pitfalls and help us all improve security practices in the future. Could you share any background on this aspect? We would greatly appreciate your input on this matter. Thank you!

Should you have further questions or comments on this, feel free to answer this thread or reach out to florian.hantke@cispa.de.

Kind regards, Florian Hantke

cedricbonhomme commented 3 months ago

Hi,

thank you for the report.

Generally I rely on the security of Flask-WTF against CSRF attacks when I am dealing with forms. And not for simple (GET) views that are not even used with AJAX requests. But I see your point.

I think that your example of exploit could be simply a link. A form is not needed. Indeed if an admin clicks (on a random website) on a link with a href value to 'https://<domain>/user/delete/<user_id>' this will trigger the deletion of the account. And to be 100% honest this is outside the security model in this context. This is hard to prevent.

Anyway, I will use Freshermeat to try your recommendation: using CSRF protection not only when using forms. If it's convincing, I'll update a couple of other projects. Thank you!