- Status Closed
-
Assigned To
cbay - Private
Opened by AKG - 14.04.2025
Last edited by cbay - 14.04.2025
FS#154 - Broken Access Control via Back Button (Alt+Left Arrow) and a GET-based CSRF leading to Account Delet
Two critical vulnerabilities were identified in the `admin.alwaysdata.com` panel:
1. Broken Access Control via browser back-navigation (Alt+โ), exposing sensitive user data post-logout.
2. CSRF (Cross-Site Request Forgery) via a GET request that allows unauthorized deletion of user accounts.
โ
### ๐งช Steps to Reproduce
#### ๐ Part 1: Broken Access Control via Browser Back Navigation
1. Login to the application: [https://admin.alwaysdata.com](https://admin.alwaysdata.com)
2. Navigate to user details:
Example: `https://admin.alwaysdata.com/admin/details/384337/deletee/`
3. Logout from the application.
4. Press Alt + Left Arrow (or use browser back button).
5. โ ๏ธ Result: The previously authenticated page is shown again, leaking sensitive user information (even though the user has logged out).
Impact: An attacker who gains temporary access to the session or has physical access to the system can access previously authenticated content even after logout.
โ
#### ๐ Part 2: CSRF - Account Deletion via GET Request
The following endpoint allows account deletion via a GET request, making it vulnerable to CSRF.
##### ๐ CSRF Exploit HTML
```html
<body onload="document.forms[0].submit()">
<form action="https://admin.alwaysdata.com/admin/details/384337/delete/" method="GET">
<input type="hidden" name="reason" value="Testing CSRF exploit" />
</form>
</body>
```
#### Steps:
1. Host this HTML file on any domain under your control.
2. Send the link to a logged-in admin user (victim).
3. When the victim clicks the link, the page auto-submits a GET request to:
``` https://admin.alwaysdata.com/admin/details/384337/delete/?reason=Testing+CSRF+exploit ```
4. If he /she click the delete button it will be deleted.
โ
### ๐ฅ Combined Impact
By chaining these two issues, an attacker could:
- Extract sensitive data via broken access control (using back-navigation after logout).
- Delete user accounts via CSRF without authentication or confirmation.
โ
### ๐ Recommended Fixes
1. Fix Broken Access Control:
- Invalidate cached pages using proper cache-control headers:
```http
Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache ``` - Implement server-side checks to reject requests after session termination.
2. Fix CSRF in Sensitive Actions:
- Use POST requests for state-changing actions (like deletion).
- Implement CSRF tokens and validate them on every form submission.
โ
POC Link: https://drive.google.com/file/d/1BSTP_m8nxiP4h-bQIq9OsiCRmYlBJuaO/view?usp=sharing
Loading...
Available keyboard shortcuts
- Alt + โง Shift + l Login Dialog / Logout
- Alt + โง Shift + a Add new task
- Alt + โง Shift + m My searches
- Alt + โง Shift + t focus taskid search
Tasklist
- o open selected task
- j move cursor down
- k move cursor up
Task Details
- n Next task
- p Previous task
- Alt + โง Shift + e โต Enter Edit this task
- Alt + โง Shift + w watch task
- Alt + โง Shift + y Close Task
Task Editing
- Alt + โง Shift + s save task
Hello,
Your own PoC shows neither of both "vulnerabilities" you described.
Kind regards,
Cyril
i did not understand what you say. after viewing the password delete page if i sign out from my account. if i use alt+lest error in URL it shows the id of the user. if a user uses this account in a office after log out if another user come and do the procedure he can see the id. and using this he can send the CSRF POC to the user and if the victim open and confirm the submit button the account will be deleted.