Closed
Bug 1059743
Opened 10 years ago
Closed 10 years ago
CSRF token Validation Problem on support.mozilla.org
Categories
(support.mozilla.org :: General, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: cvps_47, Unassigned)
Details
(Keywords: reporter-external, Whiteboard: [site:support.mozilla.org][reporter-external])
Attachments
(1 file)
7.52 MB, video/avi
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446
Steps to reproduce:
Tools description:
1. To find this vulnerability I used "Live HTTP Headers".
2. It is an add-on for Mozilla Firefox.
3. It is used to capture any registration or any other request. It also provides options to edit any request manually and then resend the edited request.
4. You just have to add this add-on to Mozilla Firefox.
5. If you want to capture any request, open "Live HTTP Headers" from Menu bar >> Tools >> Live HTTP Headers and check the Capture box; then all activity will be captured.
Steps to Replicate:
1. First you have to add the add-on "Live HTTP Headers".
2. This is an add-on for Mozilla Firefox.
3. It is used to capture any registration request.
4. Then register an account on https://support.mozilla.org/en-US/questions/new/desktop/other/form?search=Search&step=aaq-register
5. After filling in the sign-up form, do not click the "Register" button. First open "Live HTTP Headers" from Menu bar >> Tools >> Live HTTP Headers and check the Capture box.
6. Now click the "Register" button; "Live HTTP Headers" will have captured your registration request.
7. Find this link in the captured request:
https://support.mozilla.org/en-US/questions/new/desktop/other/form?search=nayonejash&step=aaq-question
8. Select this link with a single click and then click the Replay button; you will see a request containing a CSRF token. Copy the CSRF token to Notepad.
The CSRF token will be mentioned in the captured request, like this:
csrfmiddlewaretoken=aVQKATJRMFOVqAwdb8Utt6jE9SdZknQd
9. Now register a second account >> capture the request >> copy the second account's CSRF token to Notepad. Then compare both tokens with each other; both will be the same.
aVQKATJRMFOVqAwdb8Utt6jE9SdZknQd
10. This is the CSRF token with which all users have registered.
Actual results:
Bug Description:
1. https://support.mozilla.org has registered all users with the same CSRF token, which is:
aVQKATJRMFOVqAwdb8Utt6jE9SdZknQd
2. The CSRF token is not validated during registration.
Expected results:
1. The CSRF token must be validated during registration.
2. This is a very critical vulnerability: all accounts are registering with the same/single CSRF token.
3. It is too harmful, because in this situation any bots/hackers are able to register unlimited accounts with the same CSRF token.
4. Also, there is a warning about brute force attacks!
Updated•10 years ago
Group: core-security → websites-security
Product: Core → support.mozilla.org
Summary: CSRF token Validation Problem. → CSRF token Validation Problem on support.mozilla.org
Version: 1.0 Branch → unspecified
Comment 1•10 years ago
That's because you are using the same browser session. Open a different browser and go to the page and you'll get a different token. For example, I just went to register and this is the token I get:
<input type='hidden' name='csrfmiddlewaretoken' value='fewm8n520GOCzRK8FrfYQQnWa004unhS' />
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
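Comment 1's explanation, worked through in code as an added example (this is not support.mozilla.org's or Django's own code): a CSRF secret is issued once per browser session as a cookie and echoed back in the hidden form field, so two registrations from the same browser session carry the same token by design, while a token that does not match the cookie sent with the request is refused. The names `csrftoken` and `csrfmiddlewaretoken` follow Django's defaults; `BrowserSession`, `CsrfMiddleware` and the scenario functions are hypothetical, and the tokens are generated at run time rather than taken from the report.

```python
"""Session-bound CSRF validation (added example, not support.mozilla.org's or
Django's code). Cookie name `csrftoken` and field name `csrfmiddlewaretoken`
follow Django's defaults; BrowserSession and CsrfMiddleware are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class BrowserSession:
    """Stand-in for one browser profile's cookie jar (constructed)."""
    cookies: dict = field(default_factory=dict)


class CsrfMiddleware:
    COOKIE = "csrftoken"           # secret the server sets once per session
    FIELD = "csrfmiddlewaretoken"  # hidden form field echoing that secret

    def render_form(self, session: BrowserSession) -> dict:
        """GET: issue the session's secret if it has none; embed it in the form."""
        if self.COOKIE not in session.cookies:
            session.cookies[self.COOKIE] = secrets.token_urlsafe(24)
        return {self.FIELD: session.cookies[self.COOKIE]}

    def validate(self, session: BrowserSession, form: dict) -> bool:
        """POST: accept only if the form token equals the cookie this browser sends."""
        cookie_token = session.cookies.get(self.COOKIE)
        field_token = form.get(self.FIELD)
        if not cookie_token or not field_token:
            return False
        # Constant-time compare so a timing side channel cannot recover the secret.
        return hmac.compare_digest(cookie_token, field_token)


def same_session_tokens_match() -> bool:
    """The report's observation: two registrations from one browser session carry
    the same token, and both are accepted. This is the intended behaviour."""
    mw = CsrfMiddleware()
    browser = BrowserSession()
    first, second = mw.render_form(browser), mw.render_form(browser)
    return first == second and mw.validate(browser, first) and mw.validate(browser, second)


def cross_session_token_rejected() -> bool:
    """Comment 1's point: a different browser gets a different token, and a token
    that does not match the cookie sent with the request is rejected. That is the
    property that stops a third-party page from submitting the form on a user's behalf."""
    mw = CsrfMiddleware()
    user_browser, other_browser = BrowserSession(), BrowserSession()
    user_form = mw.render_form(user_browser)
    other_form = mw.render_form(other_browser)
    return (user_form != other_form
            and not mw.validate(user_browser, other_form)  # token from another session
            and not mw.validate(user_browser, {}))         # no token at all
```

The check a CSRF token provides is that the party submitting the form could read the session's own secret, which a cross-site page cannot; it is not a one-time nonce, so a repeated value within one session is not a defect.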
Comment 2•10 years ago (Reporter)
Hi,
But an attacker is able to register thousands of accounts in the same browser with the same token.
That will become harmful.
Thanks,
Asim
Comment 3•10 years ago
We have rate limiting in place to protect us from that kind of attack.
Thanks for reporting!
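Comment 3 names rate limiting as the control against bulk registration from one session without describing it. The following added example (not the site's own implementation) shows one common shape for such a control, a sliding-window limit on registration attempts keyed by client address; the limit of five per hour, the class and function names and the request log are constructed assumptions, and the addresses come from RFC 5737 documentation ranges.

```python
"""Sliding-window rate limit on account registration (added example, not the
site's own implementation). Limits, class names and the sample request log are
constructed; client addresses are RFC 5737 documentation ranges."""
from collections import defaultdict, deque


class RegistrationRateLimiter:
    """Allow at most `limit` accepted attempts per key within any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)  # key -> timestamps of accepted attempts

    def allow(self, key: str, now: float) -> bool:
        q = self._attempts[key]
        # Expire attempts older than the window before counting.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over quota: reject, and do not extend the window
        q.append(now)
        return True


def replay(requests, limit: int = 5, window: float = 3600.0) -> list:
    """Feed (timestamp, client_ip) registration attempts, in time order, through
    the limiter and return one accept/reject verdict per attempt."""
    limiter = RegistrationRateLimiter(limit, window)
    return [limiter.allow(ip, ts) for ts, ip in requests]


# Constructed log: one client submits the form every 10 s, another client
# registers once, then the first client returns after the hour has elapsed.
SAMPLE_REQUESTS = (
    [(float(t), "198.51.100.7") for t in range(0, 70, 10)]
    + [(65.0, "203.0.113.9"), (3700.0, "198.51.100.7")]
)


def sample_verdicts() -> list:
    return replay(SAMPLE_REQUESTS)


if __name__ == "__main__":
    for (ts, ip), ok in zip(SAMPLE_REQUESTS, sample_verdicts()):
        print(f"t={ts:>7.1f} {ip:<14} {'accepted' if ok else 'rejected'}")
```

Rejected attempts are deliberately not recorded, so a client that keeps submitting does not push its own window further out; the sixth and seventh attempts within the hour are refused, the unrelated client is unaffected, and the first client is admitted again once its earlier attempts have aged out.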
Updated•10 years ago
Flags: sec-bounty-
Whiteboard: [site:support.mozilla.org][reporter-external]
Comment 5•9 years ago
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
Updated•5 months ago
Keywords: reporter-external