Question, I found that www[.]example[.]com/media/scripts is forbidden (403); however, I fuzzed a little bit and found that I can still view a csrf-token.js file which shows how their CSRF token works. Basically it shows exactly how it’s activated and only works with POST requests. Probably something that they don’t want people to see… is this a valid find? I just want to make sure before reporting garbage, but, to me, it seems like a good find maybe?
Hmm, I’m not sure I quite understand. Does the endpoint leak the user’s CSRF token? If so, you can probably create a CSRF exploit that collects the token and uses it in the forged request. That would be a site-wide CSRF vulnerability (P2, I believe).
Otherwise, it might be considered a valid WAF bypass or data exposure bug. You should try to exploit the exposed information further, but if you can’t, I’d still report it.
I’m pretty new to bug bounties, but as a software architect I can make a guess. If they have a login page they want to use to generate CSRF tokens, they need to be able to protect the login action without being authenticated, which requires the CSRF endpoint to be available.
This doesn’t mean it’s a good or a bad thing, but I can understand the logic. The real question is, how do you exploit it?
The thing is, normally CSRF tokens are used both in the frontend and the backend, and when a request is submitted you compare the two to make sure the request came from the original user.
Just having the generator exposed might mean that they generate a CSRF token, send it to the server with a login request, and then the server stores it for later verifications.
The problems come when you can either start guessing the CSRF token because the algorithm is weak, force people to use a provided CSRF token, or expose the CSRF token over an HTTP connection (although MITM attacks are often out of scope); also, do old CSRF tokens still work, and maybe the backend doesn’t verify that the CSRF token belongs to the user and only checks if it’s a valid one?
And all of these are only valid issues if you can somehow let the user make a request to the server without them knowing, using AJAX calls etc., or you are able to steal login tokens without having the actual credentials.
Hope this helps.
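To make the verification points in the post above concrete (does the backend check that the token belongs to the user, and do old tokens still work), here is an added Python example that is not code from this thread or from the site being discussed. It puts a weak "is this one of our tokens?" check next to a session-bound, expiring one; the function names, the session ids and the server key are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed server secret for the demo; a real deployment keeps a persistent one.
SERVER_KEY = os.urandom(32)
TOKEN_TTL = 3600  # seconds a token stays valid

# Every token handed out so far, used only by the weak check below.
ISSUED = set()


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint a token tied to the caller's session and a timestamp."""
    ts = int(now if now is not None else time.time())
    mac = hmac.new(SERVER_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    token = f"{ts}.{mac}"
    ISSUED.add(token)
    return token


def verify_weak(token: str) -> bool:
    """Weak backend: only asks whether the token is a valid one at all.
    A token minted in one session is accepted in any other session."""
    return token in ISSUED


def verify_bound(token: str, session_id: str, now: Optional[float] = None) -> bool:
    """Strict backend: the token must belong to this session and still be fresh."""
    try:
        ts_str, mac = token.split(".", 1)
        ts = int(ts_str)
    except ValueError:
        return False  # malformed token
    current = now if now is not None else time.time()
    if not (0 <= current - ts <= TOKEN_TTL):
        return False  # stale token (or one from the future)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison
```

The weak check is what the post describes as "only checks if it's a valid one"; the bound check ties the token to the session and rejects it once the TTL has passed.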
You found a csrf-token.js file which shows how CSRF tokens are generated on the client side? If this is the case, then do as @waike has told you and use those CSRF tokens to forge a request. If that is not the case, then can you elaborate on your question?
If you can share a snippet of the code you think is vulnerable, it would be helpful.