Fabian Ros Simple E-Banking System Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Fabian Ros's Simple E-Banking System version 1.0. The issue lies in the withdrawal module, specifically the '/minus.php' script that handles withdrawal requests. The script accepts state-changing POST requests without any anti-CSRF token check, so a remote attacker can trick an authenticated user into unknowingly submitting a withdrawal, causing an unauthorized transfer of funds out of the user's account.

Impact

Exploitation of this vulnerability allows attackers to force users to withdraw arbitrary amounts of money, posing a significant risk of financial loss.

Reproduction

To reproduce this vulnerability, log into the application as a user with an active session. Once logged in, create a malicious HTML form that includes the necessary parameters to initiate a withdrawal, such as the amount and transaction details. Save this form and host it on a server you control. When the victim, still logged in, visits the page with the hosted form, it will automatically submit the withdrawal request to '/minus.php', without the user's knowledge or consent.

Remediation

It is recommended that the vendor implement anti-CSRF tokens for all state-changing requests, particularly those involving financial transactions. Additionally, the session cookie should be set with the SameSite attribute so that the browser does not attach it to cross-site requests.
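The following is an added example, not code from the Simple E-Banking System or its author, showing what both recommended fixes look like in a PHP withdrawal handler of the same shape as '/minus.php': a per-session anti-CSRF token that is embedded in the form and checked on every POST, plus a session cookie issued with SameSite, Secure and HttpOnly. The session key '$_SESSION['user_id']', the form field name 'amount', and the final hand-off to the application's own debit routine are assumptions for illustration.

```php
<?php
// Added example, not code from the Simple E-Banking System: a hardened
// withdrawal handler in the spirit of '/minus.php'.
// Assumptions (hypothetical): the logged-in user's id is stored in
// $_SESSION['user_id'], the form field is named 'amount', and the
// application's own debit routine is called where the last comment says so.
declare(strict_types=1);

// Session cookie hardening. With SameSite=Lax the browser withholds the
// session cookie from cross-site POSTs, so a form hosted on another origin
// reaches the server without the victim's session (PHP 7.3+ array form).
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // send only over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Mint one random anti-CSRF token per session; embed it in every form
// that triggers a state change.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_valid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // GET: render the withdrawal form with the hidden token field.
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="/minus.php">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<input type="number" name="amount" min="0.01" step="0.01" required>'
       . '<button type="submit">Withdraw</button>'
       . '</form>';
    exit;
}

// POST: refuse any state change that is not accompanied by a valid token.
// Only accept a plain string so a malformed 'csrf_token[]' cannot raise a TypeError.
$submitted = is_string($_POST['csrf_token'] ?? null) ? $_POST['csrf_token'] : null;
if (!csrf_valid($submitted)) {
    // Worth logging: a burst of these against one account is a CSRF indicator.
    error_log('minus.php: rejected POST with missing/invalid CSRF token from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(403);
    exit('Invalid or missing CSRF token.');
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Not logged in.');
}

$amount = filter_var($_POST['amount'] ?? '', FILTER_VALIDATE_FLOAT);
if ($amount === false || $amount <= 0) {
    http_response_code(400);
    exit('Invalid amount.');
}

// Token and session verified: hand off to the application's own debit
// routine here (hypothetical, e.g. withdraw((int) $_SESSION['user_id'], $amount)).
echo 'Withdrawal request accepted for ' . number_format($amount, 2);
```

The two controls are complementary: the token check defends the endpoint even if a cookie is sent, while SameSite stops the browser from attaching the session cookie to a cross-site form submission in the first place. The 403 branch is also the natural place to emit a log line, since repeated token failures for one session are the signal a defender would alert on.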

Added: Nov 13, 2025, 3:18 PM
Updated: Nov 13, 2025, 4:36 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.