CSRF on update cart functionality
Description

I found a CSRF vulnerability in the update cart functionality, where there is no **csrf** token being validated while updating the cart as the authenticated user.

**Vulnerable Request:**

```
POST /demo/api/update_cart HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=oVrVA2TbkeiJJIMoTt9UgfFU9BzqP41iW8YIIzmy; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Amodules/load_module%3Ausers/action%3Aprofile; csrf-token-data=%7B%22value%22%3A%22MumtS5v538A6QyfXzmwvx2nhZeXTQSUsQOGQRIwn%22%2C%22expiry%22%3A1648713233295%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/shop
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

price=199&content_id=12
```

**Steps to Reproduce:**

* After authentication, click on any product and add it to the cart
* Now intercept the request; it looks as follows

**Request:**

```
POST /demo/api/update_cart HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=oVrVA2TbkeiJJIMoTt9UgfFU9BzqP41iW8YIIzmy; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Amodules/load_module%3Ausers/action%3Aprofile; csrf-token-data=%7B%22value%22%3A%22MumtS5v538A6QyfXzmwvx2nhZeXTQSUsQOGQRIwn%22%2C%22expiry%22%3A1648713233295%7D; mw-back-to-live-edit=true; show-sidebar-layouts=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 23
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/shop
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

price=199&content_id=12
```

* As you can see, there is no **csrf** token being validated. We can create a **CSRF** proof of concept to make things easier and to validate

**CSRF Proof of Concept:**

```

```

* Now, whoever opens the HTML file will get the product added to the cart
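
An added example, not part of the original report or Microweber's code: the server-side decision the report says is missing, run over a constructed copy of the request above. The `X-CSRF-TOKEN` header and `_token` field are Laravel's default names and are assumed here, as are the helper names `parse_request` and `check_csrf` and the sample token.

```python
import hmac
from urllib.parse import parse_qs

# Assumed token locations (Laravel's default names); the page does not say
# which names Microweber expects.
TOKEN_HEADER, TOKEN_FIELD = "x-csrf-token", "_token"
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, lower-cased headers, form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    method = lines[0].split()[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body.strip()).items()}
    return method, headers, fields

def check_csrf(raw, session_token):
    """Return (allowed, reason) as a server-side CSRF filter would decide."""
    method, headers, fields = parse_request(raw)
    if method not in UNSAFE_METHODS:
        return True, "safe method"
    # The Cookie header is ignored on purpose: browsers attach cookies to
    # cross-site requests too, so a token seen only there proves nothing.
    submitted = fields.get(TOKEN_FIELD) or headers.get(TOKEN_HEADER)
    if not submitted:
        return False, "no token in header or body"
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "token mismatch"
    return True, "token valid"

# Constructed sample modelled on the page's request; cookie values are placeholders.
SESSION_TOKEN = "constructed-session-token"
BASE = (
    "POST /demo/api/update_cart HTTP/1.1\n"
    "Host: demo.microweber.org\n"
    "Cookie: laravel_session=placeholder; csrf-token-data=placeholder\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n"
)
AS_REPORTED = BASE + "\nprice=199&content_id=12"
WITH_TOKEN = BASE + f"X-CSRF-TOKEN: {SESSION_TOKEN}\n\nprice=199&content_id=12"

if __name__ == "__main__":
    for label, req in (("as reported", AS_REPORTED), ("with token", WITH_TOKEN)):
        print(label, check_csrf(req, SESSION_TOKEN))
```

The request as reported is rejected even though it carries a `csrf-token-data` cookie, because only a token the page's own script placed in the header or body counts.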
