Insecure session management - CSRF Fixation
Description
It is possible to generate a CSRF Fixation in the transaction functionality. The Authorization header is the public key, and it is always the same for payment links. An attacker can create a button with the content of a request and trick a user who is running a transaction into receiving the app push notification and completing the request.
Impact
Spoof an authenticated user in the application by means of a modified link to execute critical transactions such as transfers or payments.
Recommendation
Make use of tokens in the forms for the verification of requests made by legitimate users.
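One way to implement the recommended request tokens, shown as an added example that is not part of the original page: the server issues a single-use token bound to the authenticated session and the transaction parameters, so a request built only from the shared public key fails verification. The names SERVER_KEY, TOKEN_TTL, issue_token and verify_token, and the session/payee/amount fields, are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent to clients
TOKEN_TTL = 300                       # assumed validity window, in seconds
_used_nonces = set()                  # in-memory single-use store (shared storage in a real service)


def _mac(session_id, payee, amount, nonce, expires):
    # JSON-encode the fields so their boundaries cannot be shifted between values.
    msg = json.dumps([session_id, payee, amount, nonce, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, payee, amount, now=None):
    """Issue a token when the server renders the payment form for this session."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)
    expires = now + TOKEN_TTL
    return f"{nonce}.{expires}.{_mac(session_id, payee, amount, nonce, expires)}"


def verify_token(token, session_id, payee, amount, now=None):
    """Accept the transaction only if the token matches this session and these parameters."""
    now = int(time.time() if now is None else now)
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    expected = _mac(session_id, payee, amount, nonce, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False  # wrong session, altered parameters, or forged token
    if now > expires or nonce in _used_nonces:
        return False  # expired or replayed
    _used_nonces.add(nonce)
    return True
```

The token travels in a hidden form field or custom header alongside the request; the public key in the Authorization header stays an identifier and is not treated as proof of the user's intent.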
Threat
Attacker from the Internet without authentication.
Expected Remediation Time
⌚ 60 minutes.
Score
Default score using CVSS 3.1. It may change depending on the context of the src.
Base
- Attack vector: N
- Attack complexity: L
- Privileges required: N
- User interaction: R
- Scope: U
- Confidentiality: N
- Integrity: L
- Availability: N
Temporal
- Exploit code maturity: P
- Remediation level: X
- Report confidence: X
Result
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:X
- Score:
- Severity:
- Base: Medium
- Temporal: Medium
Score 4.0
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
- Attack vector: N
- Attack complexity: L
- Attack Requirements: N
- Privileges required: N
- User interaction: A
- Confidentiality (VC): N
- Integrity (VI): L
- Availability (VA): N
- Confidentiality (SC): N
- Integrity (SI): N
- Availability (SA): N
Threat 4.0
Result 4.0
- Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
- Score:
- Severity:
Requirements
Fixes