piercy / BeatFollowerPlugin

A BeatSaber plugin for keep track of your in game activities and recommending maps to other people.
https://www.beatfollower.com

Possible Clickjacking and CSRF on BeatFollower.com #26

Open 0x0verflow opened 4 years ago

0x0verflow commented 4 years ago

Clickjacking

Due to the website not sending the X-Frame-Options: sameorigin header, it is possible to manipulate users in giving information about their account to an attacker. Just add X-Frame-Options: sameorigin via e.g. modheader and this issue would be resolved.

CSRF

Your website doesn't use CSRF-Tokens which could lead to account-takeover attacks. Please implement CSRF tokens and this problem should be resolved as well. Here a guide on how to do this: https://stackoverflow.com/questions/5207160/what-is-a-csrf-token-what-is-its-importance-and-how-does-it-work
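A minimal server-side version of the two fixes asked for above, written as an added example and not code from BeatFollower: an anti-framing header on every response, and a per-session CSRF token derived with an HMAC over the session id and checked in constant time on state-changing requests. The handler shape, session ids and the server secret are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Per-deployment secret; generated here for the example, would be stored
# outside the code in a real deployment.
SECRET_KEY = secrets.token_bytes(32)

STATE_CHANGING = ("POST", "PUT", "PATCH", "DELETE")


def security_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Add the anti-framing header (and its CSP equivalent) to a response."""
    out = dict(headers)
    out["X-Frame-Options"] = "SAMEORIGIN"
    out["Content-Security-Policy"] = "frame-ancestors 'self'"
    return out


def csrf_token(session_id: str) -> str:
    """Derive the token from the session: a cross-site page cannot forge it
    without SECRET_KEY, and a token from one session is useless in another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison so a mismatch leaks nothing about the token."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted)


def handle_request(method: str, session_id: str,
                   form: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Hypothetical handler: reject state-changing requests without a valid
    token (403); every response, including the rejection, carries the headers."""
    if method in STATE_CHANGING and not csrf_valid(session_id, form.get("csrf_token")):
        return 403, security_headers({})
    return 200, security_headers({})
```

The token must be embedded in the site's own forms (hidden field) or sent by its own scripts; a request arriving from another origin has no way to read it.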

piercy commented 4 years ago

I'll look into these but neither of these seem like valid attack vectors for anything serious. This is the problem with automated tools, they don't actually explain much or how it's a valid attack vector. Risk-wise both of the things mentioned here I would put at incredibly low on the scale of things.

it is possible to manipulate users in giving information about their account to an attacker

Everything on BF is public, so there isn't anything to give out. Authentication is at twitch level, so that cannot be manipulated through BF.

could lead to account-takeover attacks

Again, all the authentication happens on twitch. I might implement CSRF to the api key calls, but this is more of a "should probably do that" than "omg, can be hacked" kind of issue.

If you could please direct all future "security issues" to info@beatfollower.com as I'd like to keep vulnerabilities from being easy to abuse. Anything serious I would aim to fix very quickly but I'd prefer not to make it easy for hackers by giving them the information in a public disclosure.

piercy commented 4 years ago

Just to add, this isn't me giving any permission of any sort for penetration testing. We don't offer any bug bounties or similar and by engaging in these conversations, I'm not giving permission for you (or anyone) to attempt anything against our servers or services... even if the intentions are noble. Running penetration tests on a live website can be dangerous and should be carefully managed by the people running the website.

0x0verflow commented 4 years ago

I haven't run any tests against BeatFollower, these are vulnerabilities you can see without running anything actively against the site. X-Frame-Options is a header - which means I can see the vulnerability in my browser's log. CSRF tokens should be in every request. When looking for a fix for my previous problem in #23 you just noticed it. I didn't manipulate anything which could lead to an attack.

To declare this once again: I'm not going to do any active pentesting on your site as I already mentioned in #23. I respect you not wanting me (or anyone else) to do any testing on your site - so I won't.