337 – Insecure session management - CSRF Fixation

Description

It is possible generate a CSRF Fixation in the transaction functionality. Authorization header is the public key, and It is always the same for payment links. An attacker can create a button with the content of a request and trick a user running a transaction to receive the app push notification and complete the request.

Impact

Spoof an authenticated user in the application by means of a modified link to execute critical transactions such as transfers or payments.

Recommendation

Make use of tokens in the forms for the verification of requests made by legitimate users.

Threat

Attacker from the Internet without authentication.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: N
• Attack complexity: L
• Attack Requirements: N
• Privileges required: N
• User interaction: A
• Confidentiality (VC): N
• Integrity (VI): L
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: P

Requirements

• 030 - Avoid object reutilization
• 031 - Discard user session data
• 141 - Force re-authentication

Fixes

• Csharp
• Dart
• Elixir
• Go
• Java
• Python
• Ruby
• Scala
• Typescript

Last updated

2024/02/19