madhavan-raja / furdb

A minimal Database Management System that prioritizes storage space usage and fast lookup/query times.
https://crates.io/crates/furdb
GNU General Public License v3.0
13 stars 0 forks

CSRF(cross-site request forgery) in create database API request in Firefox. #3

Open NetSecRussia opened 5 months ago

NetSecRussia commented 5 months ago

Describe the bug

There is a CSRF vulnerability in the REST API in Firefox. If you run FurDB locally, any site you open in Firefox can create a new database using the REST API.

To Reproduce

  1. Start furdb locally using the command furdb --workdir ./furdb serve --port 5678
  2. Open https://jsfiddle.net/ in Firefox
  3. Enter the JavaScript fetch("http://localhost:5678/db",{method:"post"})
  4. Hit run.

Expected behavior

No databases have been created.

Current behavior

A new database named "db" has been created.

Reason

Firefox does not offer full Cross-Origin Resource Sharing (CORS) protection for POST requests. Link

Some requests don't trigger a CORS preflight. ... POST ... The motivation is that the <form> element from HTML 4.0 (which predates cross-site fetch() and XMLHttpRequest) can submit simple requests to any origin, so anyone writing a server must already be protecting against cross-site request forgery (CSRF).
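A server-side check of the kind the quoted MDN text says every server must already have, written here as an added example for this thread; it is not code from furdb, and the required header name `x-furdb-client`, the allowlist of origins and the sample requests are all assumptions. It combines three defenses: reject requests a browser labels `Sec-Fetch-Site: cross-site`, reject an `Origin` outside an allowlist, and require a custom header. The third is what actually closes the gap described in the report: a non-safelisted header turns the `fetch()` into a non-simple request, so the browser sends a preflight first, and a server that answers the preflight without `Access-Control-Allow-*` headers never receives the real POST.

```rust
use std::collections::HashMap;

/// Outcome of the cross-site check for one request.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Reject(&'static str),
}

/// Custom header every API client must send. Hypothetical: furdb defines no
/// such header; it is assumed here for illustration. Because it is not a
/// CORS-safelisted header, a browser must preflight any request carrying it.
pub const REQUIRED_HEADER: &str = "x-furdb-client";

/// Build a header map from (name, value) pairs; used for the constructed samples.
pub fn make_headers(pairs: &[(&str, &str)]) -> HashMap<String, String> {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Header names are case-insensitive, so compare ignoring ASCII case.
fn header<'a>(headers: &'a HashMap<String, String>, name: &str) -> Option<&'a str> {
    headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(name))
        .map(|(_, v)| v.as_str())
}

/// Decide whether a request may reach a state-changing handler such as POST /db.
/// `allowed_origins` lists browser origins permitted to call the API; an empty
/// list means only non-browser clients (no Origin header) are accepted.
pub fn check_csrf(
    method: &str,
    headers: &HashMap<String, String>,
    allowed_origins: &[&str],
) -> Verdict {
    // Safe methods are not a forgery target, provided the server really does
    // not mutate state on them.
    if matches!(method.to_ascii_uppercase().as_str(), "GET" | "HEAD" | "OPTIONS") {
        return Verdict::Allow;
    }
    // Fetch metadata: current browsers tell the server when the request was
    // initiated by a different site.
    if let Some(site) = header(headers, "sec-fetch-site") {
        if site.eq_ignore_ascii_case("cross-site") {
            return Verdict::Reject("Sec-Fetch-Site: cross-site");
        }
    }
    // Browsers attach Origin to POST requests; anything outside the allowlist
    // is a cross-origin caller and is refused.
    if let Some(origin) = header(headers, "origin") {
        if !allowed_origins.iter().any(|o| o.eq_ignore_ascii_case(origin)) {
            return Verdict::Reject("Origin not allowed");
        }
    }
    // Belt and braces: without the custom header the request cannot have been
    // a deliberate API call, and a browser could not have sent it un-preflighted.
    if header(headers, REQUIRED_HEADER).is_none() {
        return Verdict::Reject("missing client header");
    }
    Verdict::Allow
}

fn main() {
    // Constructed sample: a POST like the one in the report, sent by a page on
    // another site (origin value is made up).
    let from_other_site = make_headers(&[
        ("Origin", "https://other.example"),
        ("Sec-Fetch-Site", "cross-site"),
        ("Content-Type", "text/plain"),
    ]);
    // Constructed sample: a local command-line client that knows the header.
    let from_cli = make_headers(&[("User-Agent", "curl/8.0"), ("X-FurDB-Client", "1")]);
    let allowed = ["http://localhost:5678"];
    println!("browser POST from other site: {:?}", check_csrf("POST", &from_other_site, &allowed));
    println!("cli POST:                    {:?}", check_csrf("POST", &from_cli, &allowed));
}
```

The `Sec-Fetch-Site` and `Origin` checks are cheap and give a clear reject reason for logging, but only the required-header rule works against browsers that send neither header, which is why it is the last and unconditional test.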

NetSecRussia commented 5 months ago

Firefox log:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:5678/db. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 409.

Only reading the response is prohibited.

furdb log:

127.0.0.1 "POST /db HTTP/1.1" 201 87 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:124.0) Gecko/20100101 Firefox/124.0" 0.000347