Gratipay: Lack of CSRF token validation at server side

ID H1:163815
Type hackerone
Reporter yodha
Modified 2017-07-10T10:00:17


Description: Gratipay is not validating csrf token at server side for few requests. So csrf protection is not implemented application wide.

Proof of concept (Video):

Recommended Fix: For CSRF Protection: 1. Each critical operation request must be accompanied with a "token" •Token is: - Long, Random, not repeated for application lifetime. - Unique per session or even per operation - Part of URL in GET - Hidden Field in POST (forms) - Attacker cannot know / predict this token and hence cannot create requests to exploit the operation.