Gratipay: Lack of CSRF token validation at server side

2016-08-27T13:55:11
ID H1:163815
Type hackerone
Reporter yodha
Modified 2017-07-10T10:00:17

Description

Description: Gratipay is not validating csrf token at server side for few requests. So csrf protection is not implemented application wide.

Proof of concept (Video):https://drive.google.com/file/d/0B8z7y7DxxQbwUHY4YTduYzMxbnc/view?usp=sharing

Recommended Fix: For CSRF Protection: 1. Each critical operation request must be accompanied with a "token" •Token is: - Long, Random, not repeated for application lifetime. - Unique per session or even per operation - Part of URL in GET - Hidden Field in POST (forms) - Attacker cannot know / predict this token and hence cannot create requests to exploit the operation.