HackerOne report H1:361414 by mah1ndra, Jun 03, 2018 - 10:02 p.m.

Liberapay: CSRF token manipulation in every possible form submission, no server-side validation


The web application generates its CSRF token values inside cookies, which is not best practice: anything that discloses the cookies discloses the CSRF tokens as well.
Authenticity tokens should be kept separate from cookies and should be restricted to state-changing operations on the account.

CSRF token manipulation was found across Liberapay in the following form submissions:

  1. Both signup and login.

  2. After logging in, in the profile section, all of the following are vulnerable: Name, Avatar, Currencies, Goal, Statement, Accounts Elsewhere, Privacy. Their URLs:
     - https://liberapay.com/<username>/edit/username
     - https://liberapay.com/<username>/edit/avatar
     - https://liberapay.com/<username>/edit/currencies
     - https://liberapay.com/<username>/edit/goal
     - https://liberapay.com/<username>/edit/statement
     - https://liberapay.com/<username>/edit/elsewhere
     - https://liberapay.com/<username>/edit/privacy

  3. In the Accounts Elsewhere section, where other platforms can be linked and deleted: the CSRF token can be manipulated while deleting them, because there is no server-side check.

  4. In the About > Teams section, where teams are created, also vulnerable to CSRF token manipulation.
     URL: https://liberapay.com/about/teams

  5. The Liberapay donation section is also vulnerable to CSRF token manipulation.
     URL: https://liberapay.com/Liberapay/donate

  6. Settings > password change: also vulnerable to CSRF token manipulation.
     URL: https://liberapay.com/<username>/settings/

  7. In the Identity section, where personal info, organisation info and legal representation details are submitted.
     URL: https://liberapay.com/<username>/identity

  8. The Emails & Notifications section, where emails are added and notification options are updated through checkboxes, is vulnerable to CSRF token manipulation.
     URL: https://liberapay.com/<username>/emails/

  9. The new community section, where new communities are created, is also vulnerable to CSRF token manipulation.
     URL: https://liberapay.com/for/new

Impact

Because the CSRF token lives inside a cookie, it can be altered with an intercepting proxy, so the CSRF tokens themselves can be manipulated.

The server application does not verify the existence and correctness of the CSRF token before processing the request.
The token should be verified on the server, and if it is missing or incorrect, the request should be rejected.
If exploited, this can lead to serious issues.
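The check the report asks for, as an added illustration that is not Liberapay's code and not part of the original report: the server binds a random token to the session on its own side, embeds it in the form, and rejects any state-changing request whose submitted token is missing or does not match that server-held reference. The handler that merely carries a token in a cookie without comparing it, as described above, is shown beside it. The in-memory session store, the cookie and field names and the request dictionaries are assumptions constructed for this example.

```python
import hmac
import secrets

# Constructed in-memory stand-in for the application's session backend
# (assumption: a real deployment would use its database or session store).
SESSIONS: dict[str, dict] = {}


def start_session() -> str:
    """Create a session and bind a fresh, random CSRF token to it server-side."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_form(session_id: str) -> dict:
    """Values the server would embed as a hidden field and, optionally, set as a
    cookie. The cookie copy is only transport; the server-side copy is the
    reference that every check is made against."""
    token = SESSIONS[session_id]["csrf_token"]
    return {"hidden_field": token, "cookie": token}


def handle_without_validation(cookies: dict, form: dict) -> int:
    """The pattern the report describes: a csrf_token cookie exists, but nothing
    compares it with anything, so any value (or no value at all) is accepted."""
    return 200  # state change is processed unconditionally


def handle_with_validation(cookies: dict, form: dict) -> tuple[int, str]:
    """Hardened handler for a state-changing request: reject unless the submitted
    token matches the one bound server-side to this session.
    Returns (status, reason)."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 403, "no session"
    submitted = form.get("csrf_token")
    if not submitted:
        return 403, "csrf token missing"
    # Constant-time comparison so the check does not leak the token via timing.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "csrf token mismatch"
    return 200, "ok"


if __name__ == "__main__":
    sid = start_session()
    page = render_form(sid)
    # Legitimate submission: hidden field carries the server-issued token.
    print(handle_with_validation({"session": sid, "csrf_token": page["cookie"]},
                                 {"csrf_token": page["hidden_field"]}))
    # Token stripped entirely (constructed request).
    print(handle_with_validation({"session": sid}, {}))
    # Cookie and field rewritten to the same arbitrary value (constructed request):
    # they agree with each other, but not with the server's reference, so it fails.
    print(handle_with_validation({"session": sid, "csrf_token": "rewritten"},
                                 {"csrf_token": "rewritten"}))
    # The unvalidated handler accepts the same rewritten request.
    print(handle_without_validation({"csrf_token": "rewritten"},
                                    {"csrf_token": "rewritten"}))
```

The third request is the one that matters for this report: a token that is rewritten consistently in both cookie and form field passes any check that only compares the two against each other, and is caught only because the server keeps its own copy of what it issued.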

A detailed POC Video is uploaded below.
Thank you.