I had earlier sent the full report with code and explanation on how the open parameters on forum.stake.com is leaking the csrfKey.
Nothing is being leaked. The CSRF Token is nothing which has to be kept secret from the client.
The Client always sees this token.
The point of this token is, that some other website can't create that request on your behalf (because they would need this token for that).
And with proper HTTP access control, they can't access this token.
I found a cashout flaw which is bad for the reputation of stake sports betting system, though I was unsuccessful in withdrawing the amount
You were unsuccessful in withdrawing, because there is no vulnerability. All you did was manipulating the requests which resulted in visual representation of your manipulated requests (because it is being handled by JS).
Because of the (proper) server verification, you weren't able to withdraw.
Talked the support and showed him the vulnerability live but he says to post on forum.
This is not a relevant vulnerability.
It just changes some visual representation client-sided.
The server still does handle everything properly.
Leave the cashout, what if someone place bets on your behalf using your csfr ?? : THE BET THAT YOU DONT want to place??
That's not possible, because of the CSRF token.
Long story short:
- Just changes visual representation client-side
- No Cashout/Withdraw possible
- Not a concerning Bug (just a visual one)
- Not a vulnerability
- Does not compromise the security in any way
I was able to upload a script on your server, wasn't I ??
It is strange, I gave you information regarding the manipulation but you seems to challenge me and deny.
Here are some points from a OWASP about csrf:
Use a non-predictable, well-established random number generator with enough entropy. You Pass in this.
Expire tokens after a short amount of time so that they cannot be reused. You fail in this, your token stays for large unknown amount of time no matter if I close browser, I go out for a coffee or for a 6 hour Nap.
Do not send tokens in HTTP GET requests so that they are not directly available in the URL and they do not leak in the Referer header. You fail in thos also.
There was a time when keybase.io used to leak CSRF tokens on every invalid request.
More text you can find it here :
https://hackerone.com/reports/77065Importantly forum.stake.com leaks 6 the parameters, why not hide them
It is easy to say that csrf key is important for client but should not the gambling platform use strict methods to protect its players?
A saying goes : Locks are for good people like you, me and people reading this so that they fear breaking into others house even if they want.
Locks are not for thieves or robbers because , No matter if Lock is there or not they will break into...
SO SHOULD WE PUT LOCK IN OUR DOORS??
