huntr report 46DC4728-EACC-43F5-9831-C203FDBCC346 by alanbriangh
History: Dec 27, 2022 - 3:38 p.m.

Cross Site Request Forgery in Create a Memo Functionality (POST /api/memo)

Tags: csrf, memos, vulnerability, application/json, mitigation, bugbounty

EPSS: 0.001 (Low), percentile 29.6%

Description

I have discovered a CSRF vulnerability in Memos, in the Create a Memo functionality (POST /api/memo).

I have identified that it is possible to manipulate the actions of authenticated users by tricking them into clicking on a malicious link or visiting a malicious website while they are logged into Memos. This can allow an attacker to perform actions on behalf of the victim, such as creating or modifying memos.

To reproduce the vulnerability, I followed these steps:

  1. I logged into the Memos application with a valid account.
  2. I created a malicious HTML file containing a form that submits a request to the Memos application to create a new memo, with the title and content set to a predetermined value:
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <!-- enctype="text/plain" makes the browser send the raw "name=value" pair as the body,
         so the JSON object is submitted without an application/json Content-Type -->
    <form action="http://localhost:5230/api/memo" method="POST" enctype="text/plain">
      <input type="hidden" name='{"content":"CSRF","visibility":"PRIVATE","resourceIdList":[]}' value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  3. I hosted the malicious HTML file on a server and shared the link with a victim who was also logged into the Memos application.
  4. When the victim clicked on the link, a new memo was created in their account with the predetermined title and content, without their knowledge or consent.

I have attached a proof-of-concept HTML file and a video demonstrating the vulnerability to this report.

The Cross-Site Request Forgery (CSRF) vulnerability occurs because the application does not require the request Content-Type to be application/json and accepts a body submitted as text/plain.

By accepting text/plain as the Content-Type, the application lets an ordinary cross-origin HTML form deliver a JSON body, which is what makes the CSRF attack possible.

Proof of Concept

https://drive.google.com/file/d/10eIE2pXRcVDT1juyGu5_MSmvzgTmj_35/view?usp=sharing

Remediation

I recommend that you take the following steps to mitigate this vulnerability:

  1. Implement proper CSRF protection, such as including a unique token in all forms and verifying it on the server side.
  2. Validate the Content-Type of requests to ensure that they are of the correct type, such as application/json. This will prevent attackers from being able to leverage the vulnerability to perform unauthorized actions.
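As an added example, not code from the report or from the Memos project, the Content-Type check recommended above written as a Go net/http middleware (Memos' backend is written in Go); the function names, the 415 response, and the sample request are assumptions of this example. The check parses the media type rather than string-comparing the header, so a charset parameter still passes while the text/plain body from the form above is refused before any JSON decoding happens.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// acceptJSONBody parses the media type, so "application/json; charset=utf-8" passes while
// "text/plain" (what a form with enctype="text/plain" sends) or no header is rejected.
func acceptJSONBody(method, contentType string) bool {
	switch strings.ToUpper(method) {
	case "POST", "PUT", "PATCH", "DELETE": // state-changing: gate the body
	default:
		return true // GET/HEAD/OPTIONS carry no body to validate
	}
	mediaType, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return false // missing or malformed header
	}
	return mediaType == "application/json"
}

// RequireJSON answers 415 before the body is decoded; a plain HTML form cannot set
// application/json, so the cross-site form in the report never reaches the handler.
func RequireJSON(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !acceptJSONBody(r.Method, r.Header.Get("Content-Type")) {
			http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends the report's forged body (constructed sample) with the given Content-Type.
func statusFor(ct string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest("POST", "/api/memo", strings.NewReader(`{"content":"CSRF","visibility":"PRIVATE","resourceIdList":[]}=`))
	req.Header.Set("Content-Type", ct)
	rec := httptest.NewRecorder()
	RequireJSON(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("text/plain ->", statusFor("text/plain"), "application/json ->", statusFor("application/json")) // 415 200
}
```

The middleware complements, and does not replace, the token check in step 1: it stops the HTML-form vector described in this report, while a token also covers clients that can set arbitrary headers.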

