
I found the following behavior on a relatively popular website:

  1. They have a GET route for logging out (e.g. /api/user/logout).
  2. That allows me to write ![](/api/user/logout) in a comment or anything that accepts markdown and that will obviously log out the user.

The fix for this bug would be not using GET (but using POST or DELETE or something similar) for the logout route.

What is the name of this type of exploit? Is it an important issue?

  • @SilverlightFox Mostly yes, I saw it after finding out we're talking about CSRF. :) When I posted the question I had no idea what the name of this thing was. – Ionică Bizău Feb 18 '16 at 09:18

1 Answer

This is called CSRF, or Cross-Site Request Forgery. Logging a user out through CSRF is a much-discussed issue in the security community. Some view it as a non-issue (see Google's stance: https://sites.google.com/site/bughunteruniversity/nonvuln/logout-xsrf). Others view it more of a nuisance.

However, I have to respectfully disagree with Google's stance. It is easily addressable. Like other CSRF actions, you need a token (so changing it to a POST wouldn't address it) that isn't known or guessable by an attacker. This means you can make the logout link contain a one-time token. This would break attempts to put it in an image or disguise the link some other way.

  • Thanks! In this particular context, I can leave such a comment on a long discussion (where other users are involved) and nobody will be able to comment after me, because whoever accesses the page is automatically logged out. `:D`. What do you think—does it make sense to report it? – Ionică Bizău Feb 17 '16 at 05:28
  • Whether you should report it depends on the site. Some sites don't appreciate it, others care. If it were my website, I'd want to fix it, if nothing else, to keep from annoying my users. – h4ckNinja Feb 18 '16 at 01:03
  • Reported, validated, I will get some swag from them. `:-)` The same issue is on PayPal, but they said it's not that important. I also saw that there are bounty programs explicitly saying that the CSRF logout shouldn't be reported. Learned something. :) Thanks once again! – Ionică Bizău Feb 18 '16 at 06:22
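A sketch of the token-protected logout route the answer describes, as an added example that is not from the original post or the site in question. It simulates the victim's browser fetching the image URL embedded in a markdown comment, with and without a valid one-time token; `Session`, `render_logout_link`, `handle_logout` and `simulate_image_fetch` are assumed names.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlparse


class Session:
    """Server-side session for one logged-in browser (constructed for this example)."""

    def __init__(self, user):
        self.user = user
        self.logged_in = True
        self.logout_token = None  # unpredictable, one-time, kept server-side only


def render_logout_link(session):
    """Called when a page is rendered: mint a fresh one-time token for this session."""
    session.logout_token = secrets.token_urlsafe(32)
    return f"/api/user/logout?token={session.logout_token}"


def handle_logout(session, url):
    """GET /api/user/logout handler. Returns an HTTP status code."""
    supplied = parse_qs(urlparse(url).query).get("token", [None])[0]
    if session.logout_token is None or supplied is None:
        return 403  # no token outstanding, or none supplied (the bare image URL case)
    # Constant-time comparison on bytes, then consume the token so it cannot be replayed.
    if not hmac.compare_digest(session.logout_token.encode(), supplied.encode()):
        return 403
    session.logout_token = None
    session.logged_in = False
    return 200


# Matches markdown image syntax such as ![](/api/user/logout) and captures the URL.
IMG = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")


def simulate_image_fetch(session, markdown):
    """The victim's browser loads every image in the comment, cookies attached."""
    results = []
    for url in IMG.findall(markdown):
        if urlparse(url).path == "/api/user/logout":
            results.append(handle_logout(session, url))
    return results
```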