Code-Projects Invoice System in Laravel Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in Code-Projects Invoice System version 1.0, which is built on the Laravel framework. The issue arises because the logout function is implemented as a GET request that does not require a CSRF token. This allows attackers to trick users into logging out by having them click a link, or load an image, that points to the logout URL.
Impact
Exploitation of this vulnerability forces users to log out of the application, disrupting their session and potentially causing annoyance by interrupting legitimate tasks.
Reproduction
To reproduce this vulnerability, send a GET request to the '/logout' endpoint without a CSRF token. This can be done by embedding the logout URL in an image tag or link on a malicious website. When the victim interacts with the site, their session will be terminated.
Remediation
It is recommended to change the logout method to POST, include a valid CSRF token, and explicitly invalidate the session in the controller.
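The following is an added illustration of that remediation in Laravel, written for this page; it is not code from Code-Projects Invoice System or from the advisory. The controller class name, file paths and route name are assumptions. It relies on one documented Laravel behaviour: the VerifyCsrfToken middleware in the default `web` middleware group only verifies the token on state-changing verbs (it skips GET, HEAD and OPTIONS), which is exactly why a GET logout route is exposed and a POST route is protected.

```php
<?php
// File: routes/web.php (hypothetical layout, added example)

use App\Http\Controllers\Auth\LogoutController; // hypothetical controller name
use Illuminate\Support\Facades\Route;

// Weak pattern described in the advisory: a state-changing action on GET.
// VerifyCsrfToken does not check GET requests, so any third-party page that
// embeds this URL (link or <img src>) ends the victim's session.
//
//     Route::get('/logout', [LogoutController::class, 'logout']);

// Hardened pattern: POST only, authenticated users only. The 'web' middleware
// group (applied to routes/web.php by default) runs VerifyCsrfToken, which
// rejects a POST lacking a valid _token field or X-CSRF-TOKEN header with
// HTTP 419. A plain GET to this path now fails with 405 Method Not Allowed.
Route::post('/logout', [LogoutController::class, 'logout'])
    ->middleware('auth')
    ->name('logout');


// File: app/Http/Controllers/Auth/LogoutController.php (hypothetical)

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LogoutController extends Controller
{
    public function logout(Request $request): RedirectResponse
    {
        // Clear the authenticated user from the guard.
        Auth::logout();

        // Explicitly destroy the server-side session data rather than relying
        // on the guard alone, as the advisory recommends.
        $request->session()->invalidate();

        // Rotate the CSRF token so a token captured before logout is useless
        // against the new session.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
?>

{{-- File: resources/views/layouts/app.blade.php (fragment, hypothetical) --}}
{{-- The logout control becomes a form, not a link. @csrf emits the hidden
     _token field that VerifyCsrfToken checks on the POST. --}}
<form method="POST" action="{{ route('logout') }}">
    @csrf
    <button type="submit">Log out</button>
</form>
```

Checking the fix from the outside is straightforward: a GET to `/logout` should return 405, a POST without a `_token` field should return 419, and only the Blade form (or a request carrying the session's current token) should actually end the session. Any `GET /logout` lines that still appear in the access log after deployment point at stale links that should be converted to the form.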
