spolu / breach_core

A Browser written in JS. Free. Modular. Hackable.
https://breach.github.io/breach_core/
MIT License

[security] CSRF vulnerability exposed by modules #177

Open spolu opened 10 years ago

spolu commented 10 years ago

As reported by Adam from andyet.net over email:

Installing modules using Cross-Site Request Forgery (CSRF)

It's possible to install and run arbitrary modules using CSRF.

Even though the port that the control channel listens on is random within a range, it's possible to fire off POST requests to get the browser to install a module of your choice and execute it on the user's system. I believe the goal is to sandbox these modules at some point, but for now the whole API is available.

Here is an example video of me using this with a reverse shell to get it to work.

https://cloudup.com/cB32XDJdx-U

It's a bit contrived because I'm not brute-forcing the port, but it's possible to do that and get it to work. Standard Express CSRF measures could maybe be used, or maybe use file sockets instead of TCP sockets for communication?

spolu commented 10 years ago

This currently concerns all modules exposing a web service, including mod_strip.