recoilme / tgram

typegram: open source publishing platform
http://tgr.am
GNU General Public License v3.0

csrf vulnerability #111

Open dokzlo13 opened 6 years ago

dokzlo13 commented 6 years ago

I have found many CSRF-vulnerable methods in the Typegram source code and described them with some snippets in my repo. I have no experience in Golang, so I cannot yet contribute to the project; maybe someone can help with security fixes?

recoilme commented 6 years ago

@dokzlo13 Thanks for the detailed analysis! It's huge work, thank you! On one hand, all of these methods require authorization and will not work without authentication; on the other hand, I need a simple API for all of these methods: https://github.com/recoilme/tgram/issues/108

Could you please suggest how to save the API and not leave any way for an attack via CSRF?

dokzlo13 commented 6 years ago

@recoilme Yes, all of these attacks are directed at users of Typegram. CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. If the victim is a normal user, a successful CSRF attack can force the user to create a new post, follow someone, etc. The exploit URL can be disguised as an ordinary link, encouraging the victim to click it, as in this example: https://dokzlo13.github.io/typegram_attacks/post.html. If you click it, a new post will be created in your profile.

Or you can unwarily follow a link like https://ru.tgr.am/delete/a/1. This will delete your post https://ru.tgr.am/@recoilme/1

In the future, this can lead to more unsafe behavior with newly implemented functions. I think the correct solution is to use CSRF tokens with double-submit cookies on typegram-web. You can read more here in Russian.

Also, I will perform a security audit on the Typegram API soon.
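One way to implement the double-submit cookie check suggested above, written in Go since that is what typegram is built in. This is an added example, not the project's own code; the cookie name `csrf_token` and the `X-CSRF-Token` header are assumptions, and the middleware only covers state changes sent as non-GET requests.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
)

// csrfCookie is an assumed name, not typegram's own; the page echoes its value back in a form field or the X-CSRF-Token header.
const csrfCookie = "csrf_token"

// newCSRFToken returns 32 random bytes, hex encoded (64 characters).
func newCSRFToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is unrecoverable here
	}
	return hex.EncodeToString(b)
}

// checkCSRF is the double-submit check: the cookie token must equal the token the page sent back; a cross-site form cannot read the cookie, so it cannot match it.
func checkCSRF(r *http.Request) bool {
	c, err := r.Cookie(csrfCookie)
	if err != nil || len(c.Value) != 64 {
		return false
	}
	sent := r.Header.Get("X-CSRF-Token")
	if sent == "" {
		sent = r.FormValue(csrfCookie)
	}
	return subtle.ConstantTimeCompare([]byte(c.Value), []byte(sent)) == 1
}

// csrfProtect wraps a handler: GET/HEAD pass through (issuing a token cookie if none exists);
// any other method must pass checkCSRF. A state-changing GET such as /delete/a/1 is not covered, so it has to become a POST.
func csrfProtect(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			if _, err := r.Cookie(csrfCookie); err != nil {
				http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: newCSRFToken(),
					Path: "/", Secure: true, SameSite: http.SameSiteLaxMode})
			}
		} else if !checkCSRF(r) {
			http.Error(w, "csrf token missing or mismatched", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The server renders the cookie value into the editor form as a hidden field (or page JS sends it in the header), and the browser-attached cookie alone is not enough for a forged request.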

recoilme commented 6 years ago

@dokzlo13 I tried Content-Security-Policy and disabling Access-Control-Allow-Origin, but the POST request/JS works as if from my domain in that case, rrr(( I will try a CSRF token now.

recoilme commented 6 years ago

@dokzlo13 I think this vector is closed: https://dokzlo13.github.io/typegram_attacks/post.html. I added a token to the editor form and check it. Do you think it will be enough? Commit: https://github.com/recoilme/tgram/commit/e113ec1a63d8c0db58551841251d303ee19f74db

Delete must not work because of CORS + GET.


But I need to guard all POST methods (comments and so on) and migrate the GET methods to POST(

recoilme commented 6 years ago