tatliHU / memewebsite

GNU General Public License v3.0

CSRF problem #2

Open radl97 opened 1 day ago

radl97 commented 1 day ago

https://github.com/tatliHU/memewebsite/blob/5e8bd77edaf86cae8afa502ba68ef42b843d85ea/templates/change_password.html#L31

Here, usually a "double-submit token" is used to prevent attackers from cross-site request forgery.

If I sent you a link to my website, which you open, your browser could be convinced to send a password change request. I would fetch() the same API as you do here:

https://github.com/tatliHU/memewebsite/blob/5e8bd77edaf86cae8afa502ba68ef42b843d85ea/templates/change_password.html#L31

... but with cors: no-cors added or credentials: 'include' or something along those lines. When your browser visits my malicious site, it POSTs a password change on the victim site, with credentials (cookies). Cross-site requests are "write-only", hence the idea of double submit: the code should send something non-predictable along with the request data (but sent along with the site contents, e.g. a cookie).

Read on here: https://portswigger.net/web-security/csrf They also have a free (registration required) lab where you can check out the attack itself.

(Note: because this site is not yet visited widely, I see no problem in posting this issue publicly)
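Added example (not code from the memewebsite repository or from either commenter): a minimal, dependency-free sketch of the double-submit token check the comment above describes. The `Request` class, the cookie and hidden-field names (`csrf_token`), the `/change_password` action and the `SERVER_KEY` are all assumptions for illustration. Two variants are shown: the plain double-submit compare (cookie value must equal the form value), and a session-bound variant in which the token is an HMAC of the session id under a server-side key, so a token cannot be minted or replanted by anyone who does not hold that key.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for an HTTP request: just the parts the check needs.
@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

COOKIE_NAME = "csrf_token"   # assumed cookie name
FIELD_NAME = "csrf_token"    # assumed hidden form field name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def issue_csrf_token() -> str:
    """Unguessable per-session token. The server sets it as a cookie AND
    embeds the same value in the page, so only same-origin script/markup
    can read it back and echo it in the request body."""
    return secrets.token_urlsafe(32)

def render_form(token: str) -> str:
    """Password-change form carrying the token as a hidden field."""
    return (
        '<form method="post" action="/change_password">\n'
        f'  <input type="hidden" name="{FIELD_NAME}" value="{token}">\n'
        '  <input type="password" name="new_password">\n'
        "</form>"
    )

def csrf_check_passes(req: Request) -> bool:
    """Double-submit check: a state-changing request must carry the token
    both in the cookie (sent automatically by the browser) and in the body
    (which a cross-site page cannot read, hence cannot forge)."""
    if req.method in SAFE_METHODS:
        return True
    cookie_token = req.cookies.get(COOKIE_NAME)
    form_token = req.form.get(FIELD_NAME)
    if not cookie_token or not form_token:
        return False
    # Constant-time compare so token bytes are not leaked via timing.
    return hmac.compare_digest(cookie_token, form_token)

# --- Session-bound variant -------------------------------------------------
# Assumed server-side secret (constructed here; in practice loaded from config).
SERVER_KEY = secrets.token_bytes(32)

def bound_token(session_id: str) -> str:
    """Token derived from the session id; only the server can compute it."""
    return hmac.new(SERVER_KEY, session_id.encode(), "sha256").hexdigest()

def bound_check_passes(req: Request, session_id: str) -> bool:
    """Reject unless the submitted field matches the HMAC for this session."""
    if req.method in SAFE_METHODS:
        return True
    form_token = req.form.get(FIELD_NAME)
    if not form_token:
        return False
    return hmac.compare_digest(form_token, bound_token(session_id))

if __name__ == "__main__":
    tok = issue_csrf_token()
    print(render_form(tok))
    # Legitimate same-origin submit: cookie and field agree.
    ok = Request("POST", {COOKIE_NAME: tok}, {FIELD_NAME: tok, "new_password": "x"})
    # Cross-site submit: browser attaches the cookie, but the body lacks the token.
    forged = Request("POST", {COOKIE_NAME: tok}, {"new_password": "x"})
    print("legit:", csrf_check_passes(ok), "forged:", csrf_check_passes(forged))
```

Either variant should be enforced on every state-changing route, not only the password form, and the token cookie is best marked `SameSite=Lax` (or `Strict`) and `Secure` as a second layer; the double-submit check is what closes the gap for browsers and flows where the cookie attribute alone is not enough.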

tatliHU commented 1 day ago

Huge thanks for noticing! Fixed in commit d14842db56e7ff861689cb3c7fe56ee2785f53c0. Please check and let me know if it really solved the issue.