XSRF on marketplace.mozilla.org
(Reporter: christian.matthies, Unassigned)
6 years ago
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0.1
Build ID: 20120905151427

Steps to reproduce:

If you comment on an app and rate it (https://marketplace.mozilla.org/app/twitter/reviews/), that comment can be deleted via XSRF.

The request for that looks like this:

POST: https://marketplace.mozilla.org/app/twitter/reviews/383640/delete

Host: marketplace.mozilla.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:15.0) Gecko/20100101 Firefox/15.0.1
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
X-CSRFToken: D5GWI53FQ2jjzZ5YhVpMeDU9LRKwG87i
X-Requested-With: XMLHttpRequest
Referer: https://marketplace.mozilla.org/app/twitter/reviews/
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

Please note the X-CSRFToken header - it is not being validated on the server side but probably should be.

Comment 1

I attempted to reproduce this and was unsuccessful. Using ZAP I deleted the token and got an error. mfuller tested as well by editing the token and also getting an error. Could you provide a more complete set of steps on how you were able to accomplish this?

Comment 2

6 years ago
The errors received when editing the token are the same as when a direct POST to the URL is done:

    <h2>Oops! Not allowed.</h2>
    <p>You tried to do something that you weren't allowed to.</p>
    <p>Try going back to the previous page, refreshing and trying again.</p>

This is when altering a single letter in the X-CSRFToken header. It seems the header is being checked, but Christian, please detail the steps because we may be missing something.
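To make the probes in Comments 1 and 2 concrete, here is an added example (my own code, not the marketplace's) of the server-side comparison that those rejections imply. It assumes one token bound to the session and compared against the X-CSRFToken header on every state-changing request; parse_request, csrf_check and replay_probes are hypothetical names, and the sample request is a constructed cut-down of the one in the report.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def parse_request(raw):
    """Split a 'METHOD: url' line plus 'Name: value' headers into parts."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    method, url = lines[0].split(None, 1)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.rstrip(":"), url, headers

def csrf_check(method, headers, session_token):
    """Return (allowed, reason): unsafe methods need a header equal to the session token."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    sent = headers.get("x-csrftoken", "")
    if not sent:
        return False, "missing X-CSRFToken"
    if not session_token or not hmac.compare_digest(sent, session_token):
        return False, "token mismatch"   # constant-time comparison
    return True, "ok"

# Constructed sample, cut down from the request in the report; the token shown
# there stands in for the value bound to the reporter's session (assumption).
SESSION_TOKEN = "D5GWI53FQ2jjzZ5YhVpMeDU9LRKwG87i"
RAW = """POST: https://marketplace.mozilla.org/app/twitter/reviews/383640/delete
Host: marketplace.mozilla.org
X-CSRFToken: D5GWI53FQ2jjzZ5YhVpMeDU9LRKwG87i
X-Requested-With: XMLHttpRequest
Content-Length: 0"""

def replay_probes(raw=RAW, session_token=SESSION_TOKEN):
    """Run the original request plus the three variations tried in the thread."""
    method, _, headers = parse_request(raw)
    results = {"original": csrf_check(method, headers, session_token)}
    no_header = {k: v for k, v in headers.items() if k != "x-csrftoken"}
    results["header removed"] = csrf_check(method, no_header, session_token)
    altered = dict(headers, **{"x-csrftoken": "X" + headers["x-csrftoken"][1:]})
    results["one letter altered"] = csrf_check(method, altered, session_token)
    # A plain cross-site form POST carries no custom headers, so it looks like this:
    results["direct POST"] = csrf_check("POST", {"host": "marketplace.mozilla.org"}, session_token)
    return results

if __name__ == "__main__":
    for name, (allowed, reason) in replay_probes().items():
        print(f"{name:20s} -> {'200' if allowed else '403'} ({reason})")
```

Only the unmodified request passes; removing the header, changing one letter, or posting without the header all fall into the "Not allowed" path, which is the behaviour the two testers observed.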

Comment 3

6 years ago
I'm sorry, false alarm. I've used a stupid Firefox plugin called Tamper Data before I filed this bug, not a proper HTTP proxy. Apparently Tamper Data doesn't let me tamper with HTTP headers (works fine with request params usually). Even though I modified the XSRF header, Tamper Data still sent the original one to the server, thus the 200.
Group: mozilla-services-security
Last Resolved: 6 years ago
Resolution: --- → INVALID