Order Request Forgery

Description

You finally made the decision which fl4g is the right one for you! Congratulations!

But.... Just when you were about to order, you noticed that only logged in users can place orders. Arrrrgghh. Disappointed you also notice that the dilettante SFL team forgot to add a register page. Wtf. The flag seems out of reach. Or is there a way to trick someone into ordering a flag for you?!

Overall, this shop seems totally useless... please write some angry feedback!

You can reach our shop at: https://sfl.cs.tu-dortmund.de:10004/

Solution

The description suggests that we should write some feedback, so we first open the feedback page. We get two options: write some text, or send a link to a screenshot that points out the problem.

Send some text

After entering some text into the feedback form we immediately get a response:

Thank your for your feedback! I checked the shop and it is working as intended. Can you provide a screenshot url with the problem? Greetings, Flag-Shop Admin P.S. With my admin account I am able to oder flags without problems!

The message suggests adding a screenshot URL, so we include one!

[Screenshot: feedback form with image url]

This time the response is different:

Thank your for your feedback! I checked the shop and it is working as intended. I am not allowed to visited your 'screenshot url'. My policy does only allow for internal domains. Greetings, Flag-Shop Admin P.S. With my admin account I am able to oder flags without problems!

So the admin will not open images located on a different server. What happens if we provide an image hosted on the shop server itself? With this link: https://sfl.cs.tu-dortmund.de:10004/static/img/angola-flag.jpg we get the following response:

Thank your for your feedback! I checked the shop and it is working as intended. I also visited your 'screenshot url' but was unable to look at the picture. Greetings, Flag-Shop Admin P.S. With my admin account I am able to oder flags without problems!

The interesting part of this message is that the admin tells us he opened our link.

How can we trick the admin into ordering us a flag?

First we take a look at how the flag order form works:

[Screenshot: flag order form with disabled button]

The corresponding HTML:

...
<form action="/order" method="GET">
  <input type="hidden" name="productName" value="angola flag">
  <input type="hidden" name="deliveryEmail" value="Error! Not logged in!">
  <button type="submit" disabled="" class="btn btn-primary btn-lg btn-block">You must be logged in to order flags! </button>
</form>
...

If we analyse the HTML, we see that to order a flag we must:

  1. make a GET request to /order
  2. provide a parameter productName
  3. provide a parameter deliveryEmail

An example of such a URL is:

https://sfl.cs.tu-dortmund.de:10004/order?deliveryEmail=your-adress@tu-dortmund.de&productName=angola flag

We can now trick the admin into ordering us a flag if we pretend that our crafted URL points to an image. So we enter the URL into the feedback form.

[Screenshot: feedback form with our url]

Hmm... this takes a long time to load. Also, the message has changed again:

Thank you for the report! Our admin will take a look soon.

If we check our email inbox, there is a mail with the flag.

Thank your for your order! Your flag is:fl4g{csrf-really-sucks!@@§$1§@!?}

The admin clicked on the link, assuming it was a screenshot of an error in the shop, while in reality the link ordered a flag with his session. So we tricked him into ordering a flag for us, delivered to our mail address.
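As an added illustration (not part of the original write-up, and not the shop's own code), the following hypothetical Python model reproduces the vulnerable GET /order handler the form reveals next to a hardened version that only accepts a POST carrying a per-session CSRF token, and models the admin bot fetching a "screenshot url" with its own cookies. The URL, session id and secret are constructed for the example.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed server secret and session table; hypothetical, not the shop's real values.
SERVER_SECRET = secrets.token_bytes(32)
ADMIN_SESSION = "admin-session-1"
SESSIONS = {ADMIN_SESSION: "admin"}


def csrf_token(session_id: str) -> str:
    """Per-session token: HMAC(secret, session id). A foreign origin cannot read it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def order_vulnerable(method, url, cookies, form=None):
    """The challenge's behaviour: any GET carrying a valid session cookie places an order."""
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401, None  # "Error! Not logged in!"
    q = parse_qs(urlparse(url).query)
    return 200, {"user": user, "product": q["productName"][0], "email": q["deliveryEmail"][0]}


def order_fixed(method, url, cookies, form=None):
    """Hardened handler: state changes only via POST with a token bound to the session."""
    if method != "POST":
        return 405, None  # a fetched <img>/link URL is always a GET and never reaches the order
    user = SESSIONS.get(cookies.get("session"))
    if user is None:
        return 401, None
    form = form or {}
    expected = csrf_token(cookies["session"])
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return 403, None  # cross-site form post without the session's token
    return 200, {"user": user, "product": form["productName"], "email": form["deliveryEmail"]}


def admin_visits(handler, url):
    """Model of the feedback bot: it fetches the reported URL with the admin's cookies attached."""
    return handler("GET", url, {"session": ADMIN_SESSION})


# Constructed example of the crafted "screenshot url" from the write-up (same-site /order path).
CRAFTED = "https://shop.example/order?deliveryEmail=attacker@example.com&productName=angola+flag"
```

Pairing the token check with a SameSite cookie attribute and a non-GET method closes both the link-fetch and the hidden-form variants of the attack.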