Status: Closed
Assigned To: xlefloch - Private
Opened by ranj3et - 20.06.2025
Last edited by xlefloch - 24.06.2025
FS#184 - CSRF
Hello Team,
Vulnerability: CSRF to Change DKIM Key Pair of Victim
Description: I have found that the DKIM key pair regeneration feature lacks proper CSRF protection. As a result, if a victim visits an attacker-controlled site, the attacker can regenerate a new DKIM key pair for the victim's domain. This will effectively change the victim's existing DKIM key.
Steps to Reproduce: NOTE: After adding a domain, the domain ID is assigned in a predictable numeric sequence. I am assuming that the attacker knows the victim's domain ID.
1. Log into your account and save the following code as `1.html`. Replace the domain ID in the script with the victim's domain ID and open the file in your browser.
<html>
  <body>
    <form action="https://admin.alwaysdata.com/domain/117551/dkim/generate/">
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
2. You will notice that a new DKIM key pair has been generated for the victim’s domain without their consent.
POC Video:
https://drive.google.com/file/d/1LXBYjEXpdIr79f1flq14fSiP3HdETRe-/view?usp=sharing
Regards,
Ranjeet
Hello,
Thank you for your report. There seems to be a problem with your video. Can you upload it again?
Regards,
Dear Team,
Apologies for the inconvenience — it seems the previously attached POC video was corrupted.
Please find the correct POC video at the following link:
https://drive.google.com/file/d/1FMAwsv962t8hT8FMEfgfm6tKWCFah8iY/view?usp=sharing
Thank you for your understanding, and please let me know if any further clarification is needed.
Regards,
Ranjeet
Hello,
You can regenerate your DKIM key pair only because your user session with the correct permissions is open on your browser.
Regards,
Hello,
CSRF is a vulnerability where an attacker performs actions on behalf of the victim's account using their session.
In this case, the victim visits an attacker-controlled page, after which the DKIM key pair is changed for the victim.
So, save that HTML page, then log into your account and change the domain ID in that HTML page to your own account. After that, open the HTML page. You will find that your DKIM key pair has been changed.
Regards,
Ranjeet
I forgot that you were testing a CSRF vulnerability. The code has been patched. Do you confirm?
Hi,
Yes, the vulnerability has now been patched. The POST request is now being sent with the CSRF token.
Best regards,
Ranjeet
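The server-side check that closes this class of bug, as an added illustration that is not alwaysdata's code: a state-changing route such as the DKIM regeneration endpoint refuses anything but a POST, verifies the request's Origin (or Referer), and compares a session-bound CSRF token in constant time, so the auto-submitted GET form from the report is rejected before any key is touched. The `Request` class, `TRUSTED_ORIGIN` and the handler names are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed trusted origin of the admin panel; the real settings are not on the page.
TRUSTED_ORIGIN = "https://admin.alwaysdata.com"


@dataclass
class Request:
    """Constructed stand-in for a web framework's request object."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def issue_csrf_token(session):
    """Bind a fresh random token to the session; the server embeds it in its own form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(request):
    """Return (allowed, reason) for a state-changing request."""
    # 1. Only POST may change state: the auto-submitted GET form in the
    #    report is refused here, before any token is even looked at.
    if request.method != "POST":
        return False, "state change requires POST"
    # 2. Origin (falling back to Referer) must be our own site.
    source = request.headers.get("Origin") or request.headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != TRUSTED_ORIGIN:
        return False, f"cross-site request from {parts.scheme}://{parts.netloc}"
    # 3. Form token must match the session-bound one (constant-time compare).
    expected = request.session.get("csrf_token", "")
    supplied = request.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "CSRF token missing or mismatched"
    return True, "ok"


def regenerate_dkim(request):
    """Gate for the DKIM regeneration handler; reports the outcome instead of touching keys."""
    allowed, reason = csrf_check(request)
    if not allowed:
        return {"status": 403, "regenerated": False, "reason": reason}
    return {"status": 200, "regenerated": True, "reason": "ok"}
```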
Hello,
To claim your reward for discovering these two vulnerabilities, please register at https://www.alwaysdata.com/en/registration/ and open a support ticket specifying the affected reports.
Regards,