| ID | Status | Summary | Opened by |
|---|---|---|---|
| 154 | Closed | Broken Access Control via Back Button (Alt+Left Arrow) | AKG |

Task Description

Two critical vulnerabilities were identified in the `admin.alwaysdata.com` panel:

1. Broken Access Control via browser back-navigation (Alt+←), exposing sensitive user data post-logout.
2. CSRF (Cross-Site Request Forgery) via a GET request that allows unauthorized deletion of user accounts.

---

### 🧪 Steps to Reproduce

#### ๐Ÿž Part 1: Broken Access Control via Browser Back Navigation

1. Log in to the application: [https://admin.alwaysdata.com](https://admin.alwaysdata.com)
2. Navigate to a user-details page, for example:

   `https://admin.alwaysdata.com/admin/details/384337/deletee/`

3. Logout from the application.
4. Press Alt + Left Arrow (or use browser back button).
5. ⚠️ Result: The previously authenticated page is shown again, leaking sensitive user information (even though the user has logged out).

Impact: An attacker who gains temporary access to the session or has physical access to the system can access previously authenticated content even after logout.

---

#### ๐Ÿž Part 2: CSRF - Account Deletion via GET Request

The following endpoint allows account deletion via a GET request, making it vulnerable to CSRF.

##### 🔓 CSRF Exploit HTML

```html
<body onload="document.forms[0].submit()">
  <form action="https://admin.alwaysdata.com/admin/details/384337/delete/" method="GET">
    <input type="hidden" name="reason" value="Testing CSRF exploit" />
  </form>
</body>
```

#### Steps:

1. Host this HTML file on any domain under your control.
2. Send the link to a logged-in admin user (victim).
3. When the victim clicks the link, the page auto-submits a GET request to:

   ```
   https://admin.alwaysdata.com/admin/details/384337/delete/?reason=Testing+CSRF+exploit
   ```

4. If the victim then clicks the delete button, the account is deleted.

---

### 💥 Combined Impact

By chaining these two issues, an attacker could:

- Extract sensitive data via broken access control (using back-navigation after logout).
- Delete user accounts via CSRF without authentication or confirmation.

---

### 🔐 Recommended Fixes

1. Fix Broken Access Control:

   1. Prevent the browser from caching authenticated pages by sending proper cache-control headers:

      ```http
      Cache-Control: no-store, no-cache, must-revalidate
      Pragma: no-cache
      ```

   2. Implement server-side checks on every request so that anything sent after session termination is rejected rather than served from the old identity.

2. Fix CSRF in Sensitive Actions:

   1. Use POST requests for state-changing actions (like deletion).
   2. Implement CSRF tokens and validate them on every form submission.
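The following is an added example, not code from alwaysdata or from this report, showing the two recommended fixes together in one framework-free request handler: every response for an authenticated page carries the `no-store` headers, the session is looked up server-side on each request (so a logged-out session gets a redirect, not cached content), and the delete endpoint accepts only POST with a per-session HMAC-bound CSRF token. The request dict shape (`method`, `path`, `cookies`, `form`), the `/login` redirect target and the in-memory `SESSIONS` store are assumptions for illustration; the account id 384337 is the one quoted in the report and is used only as sample data.

```python
"""Model of the report's two fixes: no-store headers plus server-side
session checks, and POST-only deletion guarded by a CSRF token.
Request shape and session store are hypothetical, not alwaysdata's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SECRET_KEY = secrets.token_bytes(32)  # per-process key for signing CSRF tokens

# Server-side session store; logout removes the entry, so a replayed cookie
# is rejected even though the browser still holds it.
SESSIONS: dict[str, dict] = {}

# Headers from the report's fix 1: the browser must not keep a copy of
# authenticated pages that back-navigation could re-display after logout.
NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
}


def login(user: str) -> str:
    """Create a session and return its id (what the cookie would carry)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_nonce": secrets.token_urlsafe(32)}
    return sid


def logout(sid: str) -> None:
    SESSIONS.pop(sid, None)


def csrf_token(sid: str) -> str:
    """Token bound to this session via HMAC; useless for any other session."""
    nonce = SESSIONS[sid]["csrf_nonce"]
    return hmac.new(SECRET_KEY, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()


def csrf_valid(sid, token) -> bool:
    if sid not in SESSIONS or not token:
        return False
    # constant-time comparison avoids leaking the token through timing
    return hmac.compare_digest(csrf_token(sid), token)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def handle(request: dict) -> Response:
    """Dispatch one request; every branch applies the no-store headers."""
    sid = request.get("cookies", {}).get("session")
    session = SESSIONS.get(sid)
    if session is None:
        # Fix 1b: the session is validated server-side on every request, so a
        # request after logout never reaches the authenticated handlers.
        return Response(302, "", {"Location": "/login", **NO_STORE_HEADERS})

    path, method = request["path"], request["method"]
    if path.startswith("/admin/details/") and path.endswith("/delete/"):
        # Fix 2a: deletion is a state change, so GET is refused outright.
        if method != "POST":
            return Response(405, "use POST", {"Allow": "POST", **NO_STORE_HEADERS})
        # Fix 2b: the POST must carry a CSRF token valid for this session.
        if not csrf_valid(sid, request.get("form", {}).get("csrf_token")):
            return Response(403, "bad CSRF token", dict(NO_STORE_HEADERS))
        account = path.split("/")[3]  # "/admin/details/<id>/delete/"
        return Response(200, f"deleted {account}", dict(NO_STORE_HEADERS))

    # Fix 1a: any other authenticated page is served with no-store headers.
    return Response(200, f"details for {session['user']}", dict(NO_STORE_HEADERS))


if __name__ == "__main__":
    sid = login("admin")
    print(handle({"method": "GET", "path": "/admin/details/384337/delete/",
                  "cookies": {"session": sid}, "form": {"reason": "x"}}))
    logout(sid)
    print(handle({"method": "GET", "path": "/admin/details/384337/",
                  "cookies": {"session": sid}}))
```

The two halves of fix 1 are deliberately independent: the headers stop the browser from re-rendering a stored copy, and the server-side session lookup guarantees that if the browser does re-request the page (for example because a proxy or an older browser ignored the headers) it receives a redirect to the login page rather than the old content. For fix 2, binding the token to the session with an HMAC means a token captured from one session cannot be replayed in another, and refusing GET on the delete route removes the vector the exploit HTML above relies on regardless of token handling.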

---

POC Link: https://drive.google.com/file/d/1BSTP_m8nxiP4h-bQIq9OsiCRmYlBJuaO/view?usp=sharing
