Missing CSRF Protection in /stats Endpoint.
State Informative (Closed)
Disclosed publicly 2018-10-09T00:14:14.151Z
Reported To Chaturbate
Weakness Cross-Site Request Forgery (CSRF)
Bounty


Timeline
submitted a report to Chaturbate.
2018-09-27T16:46:30.865Z

Endpoint /affiliates/stats does not verify the CSRF tokens.

Steps To Reproduce:

  1. Log in with your account.
  2. Navigate to the URL https://chaturbate.com/affiliates/stats.
  3. Check the stats; by default the selected period is today's date or this week.
    1. Intercept the request and change the parameter to whatever you want to set.
    2. Generate the POC and open it in a browser.
    3. You can see the changes in the form.

Supporting Material/References:

Please find attached the CSRF POC: CSRF_1 for pre-CSRF and CSRF_2 for post-CSRF.

Impact

An attacker may change the parameters in the stats or may force the user to download the malicious .

Regards,
Frans

kaustubh Activities::Comment
2018-09-28T20:39:04.104Z
This is a valid report; please proceed. Kaustubh


williammmllc Activities::ReportSeverityUpdated
2018-09-29T00:05:40.066Z


williammmllc Activities::BugInformative
2018-09-29T00:07:20.117Z
Thanks for the report. This is valid behaviour. CSRF tokens are generally only used for requests that perform an action, not for simply getting data, which this is.
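
The distinction drawn in the comment above (tokens are required for state-changing requests, not for read-only ones) is the rule a CSRF middleware actually encodes. The following is an added illustration written for this page; it is not Chaturbate's code and not part of the report. It assumes a server-side session represented as a plain dict and a submitted form represented as a dict; the route names other than /affiliates/stats are constructed examples. It also includes the check a reviewer would want alongside the triage decision: a GET exemption is only correct if no GET handler mutates state, so the audit helper flags any route that does.

```python
import hmac
import secrets
from dataclasses import dataclass

# RFC 7231 "safe" methods: a correct application never changes state on these,
# so a CSRF token is not required for them. This is the reasoning behind
# closing a report about a token-less GET to a read-only stats page.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session CSRF token and store it server-side.

    The token is embedded in forms that perform actions; it is never
    needed on pages that only display data.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(method: str, session: dict, form: dict) -> bool:
    """Return True if the request may proceed.

    Read-only methods pass without a token. State-changing methods must
    carry a token that matches the one bound to the session; comparison
    is constant-time so the check itself leaks nothing about the token.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


@dataclass(frozen=True)
class Route:
    path: str
    method: str
    mutates_state: bool  # set by the developer when registering the route


def find_unsafe_get_routes(routes: list[Route]) -> list[str]:
    """Return paths whose handler changes state on a 'safe' method.

    Such a route would be a genuine CSRF problem despite the GET exemption,
    because the token check above never runs for it. A read-only stats
    page (mutates_state=False) is correctly left out of the result.
    """
    return [
        r.path
        for r in routes
        if r.method.upper() in SAFE_METHODS and r.mutates_state
    ]


if __name__ == "__main__":
    # Constructed sample session and requests (not taken from the report).
    session = {}
    token = issue_csrf_token(session)
    print("GET stats without token:", csrf_check("GET", session, {}))
    print("POST without token:", csrf_check("POST", session, {}))
    print("POST with token:", csrf_check("POST", session, {"csrf_token": token}))

    # Constructed route table: the stats page is read-only; the second
    # route is a hypothetical misdesign that performs an action on GET.
    routes = [
        Route("/affiliates/stats", "GET", mutates_state=False),
        Route("/example/change-email", "GET", mutates_state=True),
        Route("/example/change-email", "POST", mutates_state=True),
    ]
    print("Routes needing redesign:", find_unsafe_get_routes(routes))
```

The audit helper is the practical takeaway: closing a token-less GET as informative is sound only while the application keeps state changes off safe methods, so that invariant is worth checking when a route is registered rather than assumed.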


kaustubh Activities::AgreedOnGoingPublic
2018-10-08T13:50:12.618Z
Can we? It may be useful for some other researchers!


williammmllc Activities::AgreedOnGoingPublic
2018-10-09T00:14:14.104Z


williammmllc Activities::ReportBecamePublic
2018-10-09T00:14:14.176Z