Hello, this report is a copy of my previous reports sent to your email ( firstname.lastname@example.org) some days ago. Please note that everything written below are copied and pasted from the report. ( Ticket #437212 ):
As part of your responsible disclosure program, I am reporting this leakage ( weak implementation ) of CSRF and Nonce Token.
What is the security risk when the CSRF and or Nonce Token are being leaked?
Well, the protected features of the CSRF token and Nonce can now be altered by a malicious user easily.
What now is the weak implementation?
You stored the CSRF and Nonce Token in the URL. ( This can be retrieve in the browser, or server logs and other places )
How is it getting leaked?
Its considered a best practice to not store a token in a get request. ( I do not know if you just miss that ).
How can be exploited anyway?
Set up something like the code below:
<form class="clearfix actions add-email" method="post" action="https://www.wepay.com/settings/email"> <div> <label>Add New Email</label> <input name="email" type="text" class="mrl" placeholder="Email Address"value="email@example.com" /> <input type="hidden" name="form" value="add" /> <input type="hidden" name="csrf" value="CSRF VALUE HERE" /><input type="hidden" name="nonce" value="NONCE VALUE" /> </div> <button id="invite-user-confirm" type="submit" class="button small pull-right confirm">Add</button> </form>
Email now added in the account. Or any other action in the WePay application that is protected by the CSRF token. :)
However, the impact gets minimal since you have implemented the CSRF and Nonce token to be 1 time / page. Meaning, it only works if the user has stop clicking on links within the page after searching ( step 5 above. )
If you needed more information regarding this, then kindly let me know.
Cheers, Clifford Trigo