Stored CSRF via Uploaded HTML File in User Account Document Section
During my internship, I was assigned the task of finding vulnerabilities in a CRM system. My approach involved testing each functionality methodically. After thoroughly examining various features, I decided to test for CSRF vulnerabilities in the login and logout functionalities. While I did not find any issues in the login function, I identified a CSRF vulnerability in the logout functionality.
Building on this discovery, I remembered that the website had a file upload feature. Initially, I tested whether uploaded files could execute scripts directly, but the uploads appeared secure. However, after a few hours of brainstorming, I came up with the idea of leveraging CSRF via the uploaded file. Here’s what I did:
- I logged in as an admin user, created a new user account (test.test) and gave this account permission to modify its own data.
- I then logged in as test.test, navigated to the card option and opened the linked files at https://preview2.target.com/user/document.php?userid=<user_id>
- There I uploaded a crafted .html file containing the following CSRF payload:
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>CSRF PoC</title>
</head>
<body onload="document.forms[0].submit();">
<form action="https://preview2.target.com/user/logout.php" method="GET">
<input type="hidden" name="token" value="5f4d41e0390fc8fvdsvsd8be36630ae6">
</form>
</body>
</html>
```
- After this I logged in to the admin user again and opened the user list. There I found a notification that user test.test had uploaded something to his account, so as admin I checked what it was.
- To check the file uploaded by the user, I clicked on it and the file was downloaded automatically.
- When I opened the downloaded file it got executed and my admin account was logged out.
Impact of this vulnerability:
- Session Disruption: The admin user is logged out, causing inconvenience and possible loss of unsaved data.
- Potential for further CSRF Attacks: If the CSRF payload targets other actions beyond logout, it could lead to unauthorized modifications in the application.
- Stored Attack Vector: This vulnerability allows malicious actions to be stored in the application, increasing the risk of future admin exploitation.
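As an added example (not the CRM's code and not from the original write-up), here are the two server-side checks that break this chain: serve user uploads as downloads with a generic MIME type so the browser never renders uploaded HTML in the application's origin, and make logout a POST that only succeeds with a token bound to the caller's session, so a GET form carrying a hard-coded token is rejected. Function names, the header set and the token format are my assumptions.

```python
import hmac
import re
import secrets
from typing import Dict, Optional

# Hypothetical helpers illustrating mitigations; not the CRM's implementation.

_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def download_headers(filename: str, content_length: int) -> Dict[str, str]:
    """Headers for serving a user-uploaded file so the browser stores it as bytes.

    A generic Content-Type plus Content-Disposition: attachment and nosniff stops
    the browser from rendering an uploaded .html file (and running its onload
    handler) when an admin clicks the document link. The CSP is a belt-and-braces
    measure in case some client still renders the body.
    """
    safe_name = _UNSAFE_NAME_CHARS.sub("_", filename) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Length": str(content_length),
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def new_csrf_token() -> str:
    """Per-session token; store it server-side in the session and echo it into forms."""
    return secrets.token_hex(32)


def logout_allowed(method: str, session_token: str, submitted_token: Optional[str]) -> bool:
    """Logout is state-changing: require POST and a token matching this session.

    A GET request (like the auto-submitted form in the PoC) is refused outright,
    and a token copied from another session fails the constant-time comparison.
    """
    if method.upper() != "POST":
        return False
    if not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)
```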