CSRF Token Not Unique Per Request

Cross-Site Request Forgery Token is Not Unique Per Request

Overview of the Vulnerability

Cross-Site Request Forgery (CSRF) occurs when requests to the application are submitted on behalf of an authenticated user without their knowledge via crafted, malicious code which can be in the form of a link the user clicks. The application is unable to distinguish between the malicious request and a legitimate request from the user.

CSRF is possible for this application as the CSRF token is not unique per request, allowing an attacker to submit requests to the application on behalf of an authenticated user. Additionally, the attacker needs to socially engineer the user to click on a link, or paste the malicious code into the user’s browser. If successful, the code will execute within that user’s browser in the context of this domain.

Business Impact

CSRF could lead to data theft through the attacker’s ability to manipulate data through their access to the application, and their ability to interact with other users, including performing other malicious attacks, which would appear to originate from a legitimate user. These malicious actions could also result in reputational damage for the business through the impact to customers’ trust.

Steps to Reproduce

1. Enable a HTTP interception proxy, such as Burp Suite or OWASP ZAP

2. Use a browser to sign into the application at: {{URL}}

3. Navigate to the following URL and submit the form: {{URL}}

4. Use the HTTP interception proxy to intercept the request triggered by the form

5. Modify the request with the following CSRF POC code:

{{CSRF POC}}

and forward the request to the endpoint:

{{request}}

1. Navigate to the following URL and observe the action taken by the CSRF POC code was successful: {{URL}}

Proof of Concept (PoC)

Please view the proof of concept CSRF HTML code below:

{{screenshot}}

Please view the evidence showing an action that is vulnerable to CSRF below:

{{screenshot}}

Recommendations

A Cross-Site Request Forgery (CSRF) token should be included within all relevant requests. The CSRF token needs to be unpredictable, tied to a user's session, strictly validated before actions are executed, and not be stored within cookies.

CSRF tokens can be used to prevent CSRF attacks by making it near impossible for a malicious attacker to predict and construct a valid HTTP request of a user because they don't know the value of the CSRF token. Therefore, any request that a malicious attacker attempts to construct will not have all of the necessary parameters for the application to validate and execute the request.

For more information, please see:

• https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

• https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern