This repository has been archived by the owner on Nov 15, 2021. It is now read-only.

csrf vulnerability #111

Open
dokzlo13 opened this issue Oct 23, 2018 · 5 comments

Comments

@dokzlo13

I have found many CSRF-vulnerable methods in the Typegram source code. I described them with some snippets in my repo.
I have no experience in Golang, so I cannot yet contribute to the project; maybe someone can help with security fixes?

@recoilme
Owner

@dokzlo13 Thanks for the detailed analysis! It's huge work, thank you!
On one hand, all of these methods require authorization and will not work without authentication; on the other hand, I need a simple API for all of these methods: #108

Could you please suggest how to keep the API and not leave any way to attack it via CSRF?

@dokzlo13
Author

@recoilme
Yes, all these attacks are directed at users of Typegram.
CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. If the victim is a normal user, a successful CSRF attack can force the user to create a new post, follow someone, etc.
The exploit URL can be disguised as an ordinary link, encouraging the victim to click it, as in this example:
https://dokzlo13.github.io/typegram_attacks/post.html
If you click it, a new post will be created in your profile.

Or you can unwarily follow a link like
https://ru.tgr.am/delete/a/1
This will delete your post https://ru.tgr.am/@recoilme/1

In future, this can lead to more unsafe behaviour with newly implemented functions. I think the correct solution is to use CSRF tokens with double-submit cookies on typegram-web. You can read more here (in Russian).

Also, I will perform a security audit of the Typegram API soon.

@recoilme
Owner

@dokzlo13 I tried Content-Security-Policy and disabling Access-Control-Allow-Origin,
but in that case the POST request/JS works as if it came from my domain, rrr((
I will try a CSRF token now.

@recoilme
Owner

@dokzlo13 I think this vector is closed: https://dokzlo13.github.io/typegram_attacks/post.html
I added a token to the editor form and check it. Do you think that will be enough?
commit e113ec1

Delete must not work because of CORS + GET
(screenshot 2018-10-23 at 20:01:08)

But I need to guard all POST methods (comments and so on) and migrate the GET methods to POST(

@recoilme
Owner

recoilme commented Oct 25, 2018

  • protect create post
  • protect create comment
  • protect type2tele
  • add delete post confirmation
  • change all GET methods to POST methods
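The two fixes discussed in this thread, dokzlo13's recommendation of CSRF tokens with double-submit cookies and recoilme's checklist (protect the POST handlers, change the GET methods to POST), put together as an added Go example. This is not Typegram's code and not what commit e113ec1 contains: the cookie name `tg_csrf`, the form field `csrf_token`, the `/delete/` route, the secret and the request scenarios are all assumptions made here for illustration. The cookie carries the token plus an HMAC under a server secret (the "signed" double-submit variant), so a cookie planted from a sibling subdomain cannot be paired with a value the attacker chooses. An editor page handler would call `issueToken` and write the returned value into a hidden input; `demo` replays the thread's two vectors, the bare delete link and a cross-site form post, with constructed requests.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed names for this example; Typegram's real ones are not in the thread.
const csrfCookie, csrfField = "tg_csrf", "csrf_token"

func sign(secret []byte, token string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(token))
	return hex.EncodeToString(m.Sum(nil))
}

// issueToken sets a fresh cookie "<token>.<hmac>" and returns the bare token, which the
// page handler writes into the form's hidden field (the editor would call this).
func issueToken(secret []byte, w http.ResponseWriter) string {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err) // crypto/rand failing leaves nothing sensible to do
	}
	token := hex.EncodeToString(raw)
	http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: token + "." + sign(secret, token),
		Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return token
}

// verifyToken accepts only a cookie signed with our secret whose token half equals the
// submitted value. The signature defeats a cookie planted from a sibling subdomain.
func verifyToken(secret []byte, cookieVal, formVal string) bool {
	parts := strings.SplitN(cookieVal, ".", 2)
	if len(parts) != 2 || parts[0] == "" || formVal == "" {
		return false
	}
	return hmac.Equal([]byte(parts[1]), []byte(sign(secret, parts[0]))) && // constant time
		hmac.Equal([]byte(parts[0]), []byte(formVal))
}

// csrfProtect rejects every non-safe request whose submitted token does not match its cookie.
func csrfProtect(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
			c, err := r.Cookie(csrfCookie)
			if err != nil || !verifyToken(secret, c.Value, r.FormValue(csrfField)) {
				http.Error(w, "invalid CSRF token", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// newApp wires a /delete/ route that accepts POST only, so the bare link /delete/a/1 from
// the thread does nothing: following a link is a GET with cookies, and CORS never blocks it.
func newApp(secret []byte) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/delete/", func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.WriteHeader(http.StatusOK) // the real handler would delete the post here
	})
	return csrfProtect(secret, mux)
}

// demo replays the thread's vectors with constructed requests and returns each status code.
func demo() map[string]int {
	secret := []byte("example-only secret; load a real one from config")
	app := newApp(secret)
	send := func(method, path, body string, cookie *http.Cookie) int {
		req := httptest.NewRequest(method, path, strings.NewReader(body))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		if cookie != nil {
			req.AddCookie(cookie)
		}
		rec := httptest.NewRecorder()
		app.ServeHTTP(rec, req)
		return rec.Code
	}
	out := map[string]int{}
	out["get delete link"] = send(http.MethodGet, "/delete/a/1", "", nil)     // the link from the thread
	out["post without token"] = send(http.MethodPost, "/delete/a/1", "", nil) // cross-site auto-submitting form
	page := httptest.NewRecorder() // a legitimate editor page load issues the pair
	token := issueToken(secret, page)
	cookie := page.Result().Cookies()[0]
	out["post wrong token"] = send(http.MethodPost, "/delete/a/1", csrfField+"=deadbeef", cookie)
	forged := &http.Cookie{Name: csrfCookie, Value: "abc." + sign([]byte("guess"), "abc")} // planted cookie
	out["post forged cookie"] = send(http.MethodPost, "/delete/a/1", csrfField+"=abc", forged)
	out["post valid"] = send(http.MethodPost, "/delete/a/1", csrfField+"="+token, cookie)
	return out
}
```

Two points worth keeping in mind when applying this to the checklist above. First, CORS only decides whether a script may read a cross-origin response; it does nothing to stop the browser from sending a cookie-bearing GET when the user follows a link or a page loads an `<img>`, which is why the 405 on `GET /delete/` in `newApp`, not any CORS setting, is what closes the delete link. Second, the HMAC secret must be the same across restarts and instances or every outstanding form will fail verification; `SameSite=Lax` on the session cookie is a useful second layer but is not a substitute for the token check on the comment and type2tele handlers.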
