
CSRF multiple vulnerabilities


Description

Write-up: Guillaume
Creator: WOCSA
Difficulty: Unknown


Statement

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.


Detailed solution

Exploitation

The CSRF token is not bound to a single user's session and can be reused: the same token value is accepted for different accounts and for repeated requests.

PoC

Create a first user (user1), log in with it and change its password; intercept the request and note the csrftoken cookie and the csrfmiddlewaretoken form field:

csrftoken=fkNxeiw7qnhCU07bAhGtFDqNvCfjM43v; csrfmiddlewaretoken=sLAeWjA9H44deLgSQQeynoGWTvEFXV8AxVdB0rW6XhbFYBdTgXKRSRWzeXJOzP1V

Then create a second user (user2), log in with it and change its password; intercept the request and note the same two values:

csrftoken=fkNxeiw7qnhCU07bAhGtFDqNvCfjM43v; csrfmiddlewaretoken=qVNsWLRxDW2uHcALuTGNP07XwUx2v5QMv5qP0TduT99Wr2xMU0c6ktnARmCb7ZJ7;

We can see that the csrftoken cookie is identical for both users; only the csrfmiddlewaretoken form value differs. These are Django's default CSRF cookie and form-field names, and in Django the form value is a masked copy of the secret carried in the csrftoken cookie, so two different csrfmiddlewaretoken values are both valid as long as the cookie secret is the same.

Furthermore, the password-change request can be replayed multiple times with the same CSRF token; it is never invalidated after use.

So, replaying the password-change request against both accounts with the same csrftoken cookie and the same csrfmiddlewaretoken value, the server answers with success for each account:

ToG2's password has been changed successfully! ToG's password has been changed successfully!

Risk

With this vulnerability, an attacker can obtain a valid csrfmiddlewaretoken from their own account and embed it in a cross-site request (for example a form auto-submitted by JavaScript on an attacker-controlled page). Because the token is neither bound to the victim's session nor invalidated after use, the victim's browser submits a password change that the server accepts, which is a potential account takeover (ATO).

Remediation

Bind the CSRF token to the user's session, make it single-use, and issue a different value for every request.
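The following is an added example for this write-up, not code from the challenge application or from Django itself. The first part reimplements Django's documented token unmasking (the same arithmetic as django.middleware.csrf._unmask_cipher_token) and applies it to the two csrfmiddlewaretoken values captured in the PoC above, showing that both unmask to the shared csrftoken cookie, which is why the stateless check accepts either of them any number of times. The second part is a hypothetical hardened store (SessionBoundSingleUseCsrf, a name chosen here, not a Django API) that implements the remediation: tokens are bound to a session and consumed after one use.

```python
"""Django-style stateless CSRF check vs. a session-bound, single-use token store.

Added example for this write-up; not code from the challenge or from Django.
"""
import hmac
import secrets
import string

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits  # Django's alphabet
CSRF_SECRET_LENGTH = 32

# Values captured in the PoC above: the shared cookie and the two form tokens.
CAPTURED_COOKIE = "fkNxeiw7qnhCU07bAhGtFDqNvCfjM43v"
CAPTURED_FORM_TOKENS = [
    "sLAeWjA9H44deLgSQQeynoGWTvEFXV8AxVdB0rW6XhbFYBdTgXKRSRWzeXJOzP1V",  # user1
    "qVNsWLRxDW2uHcALuTGNP07XwUx2v5QMv5qP0TduT99Wr2xMU0c6ktnARmCb7ZJ7",  # user2
]


def unmask_cipher_token(token: str) -> str:
    """Recover the 32-char secret from a 64-char masked Django form token.

    A masked token is salt (32 chars) followed by cipher (32 chars), where
    cipher[i] = chars[(secret[i] + salt[i]) % 62]; unmasking subtracts the salt.
    """
    if len(token) != 2 * CSRF_SECRET_LENGTH or any(
        c not in CSRF_ALLOWED_CHARS for c in token
    ):
        raise ValueError("not a well-formed masked token")
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def django_style_check(cookie_secret: str, form_token: str) -> bool:
    """Stateless check: accept if the unmasked form token equals the cookie secret.

    Nothing is recorded server-side, so any token that unmasks to the shared
    secret is accepted again and again: the replay behaviour seen in the PoC.
    """
    try:
        return hmac.compare_digest(unmask_cipher_token(form_token), cookie_secret)
    except ValueError:
        return False


class SessionBoundSingleUseCsrf:
    """Hypothetical hardened scheme: random token per session, consumed on first use."""

    def __init__(self) -> None:
        self._issued: dict[str, set[str]] = {}

    def issue(self, session_id: str) -> str:
        # A fresh high-entropy token for every rendered form.
        token = secrets.token_urlsafe(32)
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def validate(self, session_id: str, token: str) -> bool:
        # The token must have been issued to this exact session and never used.
        # Tokens are unguessable random strings, so set membership is adequate here.
        tokens = self._issued.get(session_id, set())
        if token in tokens:
            tokens.remove(token)  # single use: a replay of the same token fails
            return True
        return False


if __name__ == "__main__":
    for t in CAPTURED_FORM_TOKENS:
        print(unmask_cipher_token(t), django_style_check(CAPTURED_COOKIE, t))
    store = SessionBoundSingleUseCsrf()
    tok = store.issue("sess-user1")
    print(store.validate("sess-user2", tok), store.validate("sess-user1", tok),
          store.validate("sess-user1", tok))
```

Running the first part reproduces the observation from the PoC: both captured csrfmiddlewaretoken values unmask to fkNxeiw7qnhCU07bAhGtFDqNvCfjM43v, the csrftoken cookie, so the only thing the stateless check actually verifies is possession of that shared secret. The hardened store rejects user1's token when presented with user2's session and rejects the same token on its second use.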